lucas-c / pre-commit-hooks-safety
A pre-commit hook to check your Python dependencies against safety-db
License: MIT License
When trying to use this check I get the following error message:
Python dependencies checker...........................................................................................................................................................................................................Failed
hookid: python-safety-dependencies-check
Traceback (most recent call last):
File "/home/user/.pre-commit/repoR_abcd/py_env-default/bin/safety", line 11, in <module>
load_entry_point('pre-commit-hooks-safety==1.0.0', 'console_scripts', 'safety')()
File "/home/user/.pre-commit/repoR_abcd/py_env-default/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 564, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/home/user/.pre-commit/repoR_abcd/py_env-default/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2608, in load_entry_point
return ep.load()
File "/home/user/.pre-commit/repoR_abcd/py_env-default/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2268, in load
return self.resolve()
File "/home/user/.pre-commit/repoR_abcd/py_env-default/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2274, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/home/user/.pre-commit/repoR_abcd/py_env-default/local/lib/python2.7/site-packages/pre_commit_hooks/safety.py", line 3, in <module>
from safety.cli import check
ImportError: No module named cli
The configuration in pre-commit-config.yaml is:
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  sha: v1.0.9
  hooks:
  - id: python-safety-dependencies-check
When I rename your safety.py to something else (like safety_check.py) and adjust setup.py accordingly it works, so I'd say it's a naming collision between your safety.py and safety itself.
The same happens for me with your bandit check as well.
We started seeing this error intermittently just now when running the pre-commit hook at v1.3.0. It was working at 21:13 UTC today.
Traceback (most recent call last):
File "/home/runner/.cache/pre-commit/repodztrbsrf/py_env-python3.10.7/bin/safety_check", line 5, in <module>
from pre_commit_hooks.safety_check import main
File "/home/runner/.cache/pre-commit/repodztrbsrf/py_env-python3.10.7/lib/python3.10/site-packages/pre_commit_hooks/safety_check.py", line 12, in <module>
from safety.cli import cli
File "/home/runner/.cache/pre-commit/repodztrbsrf/py_env-python3.10.7/lib/python3.10/site-packages/safety/cli.py", line 13, in <module>
from safety.alerts import alert
ModuleNotFoundError: No module named 'safety.alerts'
We have chosen to split our dependencies into more than just a main and a dev group, so now we do not have a dev group at all. Instead we have main, docs, lint, tools and test.
In Poetry 1.5.0, this now breaks because python-poetry/poetry#7529 was merged and unknown group names now trigger an error in poetry when used with --only, --with and --without.
Would it be possible to have the full list of optional groups be taken as an argument? This would also help with #41
Hi,
I hope you're doing well.
I'm using this config:
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.3.1
  hooks:
  - id: python-safety-dependencies-check
    name: Check dependencies for vulnerability
    files: requirements*
    args: ["--disable-telemetry"]
but I got this error:
Error: No such option: --disable-telemetry Did you mean --disable-optional-telemetry?
Hello!
Since 1.3.0, I've been getting this error:
safety_check: error: Unsupported mix of pyproject.toml & requirements files found
For one of the projects that gave me this error, safety helpfully listed the files that were affected. It turned out that there was a requirements folder in the documentation containing markdown files. I managed to fix it by passing files: pyproject.toml.
For the other project, there is no file with requirements in the full path, and passing files: pyproject.toml doesn't do anything either.
Safety was upgraded for security reasons. Could we get a new tag?
cf. pyupio/safety#18
In "Alternative local hook", please add the name key.
During usage:
Missing required key: name
Run url: https://results.pre-commit.ci/run/github/271132078/1617374166.oTZJbiEtQ5WvSAQiJtgiQQ
Full traceback:
Traceback (most recent call last):
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/connection.py", line 169, in _new_conn
conn = connection.create_connection(
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/util/connection.py", line 73, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/connection.py", line 353, in connect
conn = self._new_conn()
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/connection.py", line 181, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f1fa9536d30>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /pyupio/safety-db/master/data/insecure.json (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1fa9536d30>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/bin/safety_check", line 8, in <module>
sys.exit(main())
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/pre_commit_hooks/safety_check.py", line 38, in main
return call_safety_check(parsed_args.files, parsed_args.ignore, parsed_args.full_report, args_rest)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/pre_commit_hooks/safety_check.py", line 60, in call_safety_check
check.main(safety_args + [full_report_arg] + args_rest, prog_name="safety")
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/safety/cli.py", line 71, in check
vulns = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_ids=ignore, proxy=proxy_dictionary)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/safety/safety.py", line 138, in check
db = fetch_database(key=key, db=db_mirror, cached=cached, proxy=proxy)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/safety/safety.py", line 121, in fetch_database
data = fetch_database_url(mirror, db_name=db_name, key=key, cached=cached, proxy=proxy)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/safety/safety.py", line 90, in fetch_database_url
r = requests.get(url=url, timeout=REQUEST_TIMEOUT, headers=headers, proxies=proxy)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/requests/api.py", line 76, in get
return request('get', url, params=params, **kwargs)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/pc/clone/wW0pw9xyTVWbKZ_uIUTBAw/py_env-python3/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /pyupio/safety-db/master/data/insecure.json (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1fa9536d30>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
File "/home/jenkins/workspace/cl-infratools-jenkinsfile_v1.1.1/.cache/pre-commit/repoLdwXZS/y_env-python2.7/binsafety_check", line 8, in <module>
RuntimeError: maximum recursion depth exceeded while calling a Python object
The hook at v1.2.4 has been failing for me since 12:14 a.m. UTC today (June 29th, 2022) in one repo but not others. I believe the underlying API is reported as up, and I'm stumped as to how to debug this further, so any help would be greatly appreciated. This is the error I'm getting:
Unexpected Exception happened: 'NoneType' object has no attribute 'telemetry'
Traceback (most recent call last):
File "/home/runner/.cache/pre-commit/reponl89_evy/py_env-python3.10.4/lib/python3.10/site-packages/safety/cli.py", line 101, in check
announcements = safety.get_announcements(key=key, proxy=proxy_dictionary, telemetry=ctx.parent.telemetry)
AttributeError: 'NoneType' object has no attribute 'telemetry'
When the hook runs in pre-commit, I get this:
safety...................................................................Failed
hookid: python-safety-dependencies-check
╒══════════════════════════════════════════════════════════════════════════════╕
│ │
│ /$$$$$$ /$$ │
│ /$$__ $$ | $$ │
│ /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ │
│ /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ │
│ | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ │
│ \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ │
│ /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ │
│ |_______/ \_______/|__/ \_______/ \___/ \____ $$ │
│ /$$ | $$ │
│ | $$$$$$/ │
│ by pyup.io \______/ │
│ │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT │
│ checked 69 packages, using default DB │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package │ installed │ affected │ ID │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ requests │ 2.18.4 │ <=2.19.1 │ 36546 │
╞══════════════════════════════════════════════════════════════════════════════╡
│ The Requests package before 2.19.1 sends an HTTP Authorization header to an │
│ http URI upon receiving a same-hostname https-to-http redirect, which makes │
│ it easier for remote attackers to discover credentials by sniffing the │
│ network. │
╞══════════════════════════════════════════════════════════════════════════════╡
│ urllib3 │ 1.22 │ <1.23 │ 36541 │
╞══════════════════════════════════════════════════════════════════════════════╡
│ urllib3 before 1.23 does not remove the Authorization HTTP header when │
│ following a cross-origin redirect (i.e., a redirect that differs in host, │
│ port, or scheme). This can allow for credentials in the Authorization header │
│ to be exposed to unintended hosts or transmitted in cleartext. │
╘══════════════════════════════════════════════════════════════════════════════╛
docformatter.............................................................Passed
Poetry check.........................................(no files to check)Skipped
codespell................................................................Passed
And yet when I run it in the project, I get this:
nifty-logging-colours-6pZ7Y-k_-py3.7(master|+14…4); safety check
╒══════════════════════════════════════════════════════════════════════════════╕
│ │
│ /$$$$$$ /$$ │
│ /$$__ $$ | $$ │
│ /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ │
│ /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ │
│ | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ │
│ \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ │
│ /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ │
│ |_______/ \_______/|__/ \_______/ \___/ \____ $$ │
│ /$$ | $$ │
│ | $$$$$$/ │
│ by pyup.io \______/ │
│ │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT │
│ checked 168 packages, using default DB │
╞══════════════════════════════════════════════════════════════════════════════╡
│ No known security vulnerabilities found. │
╘══════════════════════════════════════════════════════════════════════════════╛
Note that in the first instance (via pre-commit), I get 69 packages whereas within my venv, I get 168, so clearly pre-commit is not running it where I think it should.
My configuration is as such:
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.1.0
  hooks:
  - id: python-safety-dependencies-check
Any idea?
I'm getting this weird error when I'm trying to push my code:
Unexpected Exception happened: 'NoneType' object has no attribute 'telemetry'
Traceback (most recent call last):
File "/<folders>/.cache/pre-commit/repo4126ctqi/py_env-python3.9/lib/python3.9/site-packages/safety/cli.py", line 110, in check
announcements = safety.get_announcements(key=key, proxy=proxy_dictionary, telemetry=ctx.parent.telemetry)
AttributeError: 'NoneType' object has no attribute 'telemetry'
Unhandled exception happened: 'NoneType' object has no attribute 'telemetry'
my .pre-commit-config.yml
repos:
  # Check Python dependencies against safety-db.
  - repo: 'https://github.com/Lucas-C/pre-commit-hooks-safety'
    rev: v1.2.4
    hooks:
      - id: python-safety-dependencies-check
        args: [--ignore=42194]
Python version: 3.9.14
It would be nice if this could be run on a repo that had both a requirements.txt and a pyproject.toml. For example I use poetry for development but then have a requirements.txt used by FBS for compiling. Both files don't need to be checked, but even if I only pass in the pyproject.toml file, it still errors out.
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.2.2
  hooks:
  - id: python-safety-dependencies-check
    args: [files pyproject.toml]
Unless I am not properly passing in the file, in which case it's just user error.
In my case,
[--ignore=39153,39652] does not work;
["--ignore=39153,39652"] is the only form that works.
This has already been fixed in the safety library, here is the issue: pyupio/safety#141
here is the fix: https://github.com/pyupio/safety/pull/142/files
Stacktrace:
safety...................................................................Failed
hookid: python-safety-dependencies-check
Traceback (most recent call last):
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/bin/safety_check", line 11, in <module>
sys.exit(main())
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/lib/python3.6/site-packages/pre_commit_hooks/safety_check.py", line 8, in main
check.main(['--full-report'] + sum((['-r', f] for f in argv), []))
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/lib/python3.6/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/lib/python3.6/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/lib/python3.6/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/lib/python3.6/site-packages/safety/cli.py", line 71, in check
key=key
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/lib/python3.6/site-packages/safety/formatter.py", line 196, in report
return SheetReport.render(vulns, full=full, checked_packages=checked_packages, used_db=used_db)
File "~/.cache/pre-commit/repoqfzf4xho/py_env-python3.6/lib/python3.6/site-packages/safety/formatter.py", line 116, in render
table.append("│ {:76} │".format(line.encode('utf-8')))
TypeError: unsupported format string passed to bytes.__format__
The convert_poetry_to_requirements function fails when Poetry 1.1.14 is installed. This version doesn't accept the --with dev option.
This older version of Poetry uses the --dev option, which is still accepted by current Poetry versions. So changing convert_poetry_to_requirements to use --dev would allow it to work on older & current Poetry versions.
When I run
michael:outbound-file-transfer$ safety check -r requirements.txt
safety works. When I use the pre-commit hook configuration:
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  sha: v1.1.3
  hooks:
  - id: python-safety-dependencies-check
I get
safety...............................................(no files to check)Skipped
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
.github/workflows/build.yml
actions/checkout v4
actions/setup-python v5
dev-requirements.txt
When running pre-commit-hooks-safety, the following warning is output:
The `--dev` option is deprecated, use the `--with dev` notation instead.
The warning is coming from poetry.
re-opening #7
The get-poetry.py script described here will be replaced in Poetry 1.2 by install-poetry.py. From Poetry 1.1.7 onwards, you can already use this script as described here.
The new script installs poetry to another place:
$HOME/.local/bin for Unix
%APPDATA%\Python\Scripts on Windows
Source: https://python-poetry.org/docs/master/#installing-with-the-official-installer
I saw that this tool uses poetry export --with. This --with flag was added with v1.2, while the export command was added with v1.0 if I remember correctly.
I know that I need to provide poetry myself, but a note in the readme about needing poetry >= v1.2 would be nice.
Another point is that poetry support is not mentioned in the readme at all, while it is the only pyproject.toml support as of now, according to the source. I don't remember how I found this tool months ago, but the poetry support was the reason. Maybe a little section mentioning poetry support in the readme would be good.
I would make a PR if you like.
On Win10 with py3.8 I get the error when running the hook.
.pre-commit-config.yaml config (shortened):
...
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: 8cccd08a2ddd47f0e995302b08655320fd04981a # frozen: v1.2.3
  hooks:
  - id: python-safety-dependencies-check
    args: ["--full-report"]
    files: pyproject.toml
    exclude: bin/.*
...
Stacktrace (shortened):
safety...................................................................Failed
- hook id: python-safety-dependencies-check
- exit code: 1
+==============================================================================+
| |
| /$$$$$$ /$$ |
| /$$__ $$ | $$ |
| /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ |
| /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ |
| | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ |
| \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ |
| /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ |
| |_______/ \_______/|__/ \_______/ \___/ \____ $$ |
| /$$ | $$ |
| | $$$$$$/ |
| by pyup.io \______/ |
| |
+==============================================================================+
| REPORT |
| checked 160 packages, using free DB (updated once a month) |
+==============================================================================+
| No known security vulnerabilities found. |
+==============================================================================+
Traceback (most recent call last):
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38\lib\runpy.py", line 194, in _run_module_as_main
return _run_code(code, main_globals, None,
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38\lib\runpy.py", line 87, in _run_code
exec(code, run_globals)
File "C:\Users\<username>\.cache\pre-commit\repo1t7i50ag\py_env-python3.8\Scripts\safety_check.EXE\__main__.py", line 7, in <module>
File "C:\Users\<username>\.cache\pre-commit\repo1t7i50ag\py_env-python3.8\lib\site-packages\pre_commit_hooks\safety_check.py", line 46, in main
return call_safety_check([tmp_requirements.name], parsed_args.ignore, parsed_args.full_report, args_rest)
File "C:\Users\<username>\AppData\Local\Programs\Python\Python38\lib\contextlib.py", line 120, in __exit__
next(self.gen)
File "C:\Users\<username>\.cache\pre-commit\repo1t7i50ag\py_env-python3.8\lib\site-packages\pre_commit_hooks\safety_check.py", line 81, in convert_poetry_to_requirements
os.remove(ntf.name)
PermissionError: [WinError 32] The process cannot access the file because it is being used by another
process: 'C:\\Users\\<username>\\AppData\\Local\\Temp\\tmpsp4pt95s'
AFAIK you cannot remove a file on Windows while it is open, and exactly this happens here.
The issue is that the removal of the temp file happens within the with block.
I tested a quick fix locally and got it to work. I will make a PR right away.
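The report above pins the failure on a temp file being unlinked while a handle to it is still open, which Windows refuses. The following is an added example, not the project's own code or the reporter's fix, of the lifecycle that avoids WinError 32: write the exported requirements, close the handle, hand the path to the consumer, and remove the file only in the `finally` after the consumer returns. `count_pinned_packages`, `run_check` and `SAMPLE_EXPORT` are constructed stand-ins for `safety check -r FILE` and for `poetry export` output; they are not from the page.

```python
"""Added example (not pre-commit-hooks-safety code): hand a temporary
requirements file to a consumer in a Windows-safe way.

On Windows an open file cannot be unlinked, so the temp file is closed
before anyone else opens it and removed only after the consumer is done,
i.e. outside the block that held it open.
"""
import os
import tempfile
from contextlib import contextmanager
from typing import Iterator

# Constructed sample: what `poetry export` might print for a tiny project.
SAMPLE_EXPORT = "requests==2.18.4\nurllib3==1.22\n"


@contextmanager
def exported_requirements(export_output: str) -> Iterator[str]:
    """Yield the path of a *closed* temp file holding `export_output`.

    delete=False keeps NamedTemporaryFile from unlinking the file on close,
    so the name stays valid for the consumer; cleanup happens in `finally`
    once the consumer has returned and released its own handle.
    """
    ntf = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False, encoding="utf-8")
    try:
        ntf.write(export_output)
        ntf.close()  # closed before the consumer opens it
        yield ntf.name
    finally:
        ntf.close()  # no-op if already closed
        if os.path.exists(ntf.name):
            os.remove(ntf.name)  # safe now: no handle is open on any OS


def count_pinned_packages(requirements_path: str) -> int:
    """Stand-in for `safety check -r FILE`: count top-level requirement lines
    (continuation and comment lines are skipped)."""
    with open(requirements_path, encoding="utf-8") as fh:
        return sum(1 for line in fh if line.strip() and not line.startswith((" ", "#")))


def run_check(export_output: str = SAMPLE_EXPORT) -> dict:
    """Drive the pattern end to end and report whether cleanup happened."""
    with exported_requirements(export_output) as path:
        count = count_pinned_packages(path)
        existed_while_in_use = os.path.exists(path)
    return {
        "packages": count,
        "existed_while_in_use": existed_while_in_use,
        "removed_after": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(run_check())
```

The buggy shape (an `os.remove` inside the `with` that still owns the open handle) happens to work on Linux, which is why the failure only showed up on Windows; the pattern above behaves the same on both.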
I believe it makes a lot more sense for this hook to include the always_run function of pre-commit: https://pre-commit.com/#hooks-always_run
More often than not, the safety check finds vulnerabilities in libraries that were already installed. This means that in most cases when safety is important to run, it won't, because the requirements file won't have been updated so the hook won't trigger.
I have run poetry install, but still see this error message.
- hook id: python-safety-dependencies-check
- exit code: 2
usage: safety_check [-h] [--full-report] [--short-report] [--ignore IGNORE] files [files ...]
safety_check: error: Unsupported build tool: this pre-commit hook currently only handles pyproject.toml with Poetry
Hello pre-commit hook implementer!
In version 0.12.0 pre-commit has changed the default location for the file formerly known as hooks.yaml
to make it more convincing for others to add more hooks.
As such, a migration has to (unfortunately) occur.
For maximum compatibility it is suggested to cp hooks.yaml .pre-commit-hooks.yaml
(at least for the migration period). A copy is suggested over a symlink unless you do not care for windows compatibility (and I wouldn't blame you!).
Once the migration period is over (or you no longer care to support old versions of pre-commit), the hooks.yaml file is no longer necessary and may be deleted.
See pre-commit/pre-commit#470 for more details
Thanks again for contributing to the pre-commit ecosystem, we couldn't do it without you :)
Anthony
I just noticed that convert_poetry_to_requirements works by running poetry export --with=dev and feeding the output to safety check.
When a project has 'extra' dependencies, they are not included in the output of poetry export --with=dev.
Here's a demonstration using https://github.com/yrro/hitron-exporter/:
$ poetry export --with=dev | grep '^[^ ]' | wc -l
30
$ poetry export --with=dev -E freeipa-vault -E container | grep '^[^ ]' | wc -l
48
Unfortunately poetry export doesn't have a way to include all extra dependencies; you probably have to parse pyproject.toml and construct the list of extras by looking for this part:
[tool.poetry.extras]
freeipa-vault = ["ipaclient", "ipapython"]
container = ["gunicorn", "setproctitle"]
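The workaround suggested above (read `[tool.poetry.extras]` and pass each extra with `-E`) as an added example; this is not the project's code and not something the reporter posted. It parses the pyproject text with `tomllib` (falling back to `tomli` on older interpreters), collects the extra names, and builds the `poetry export` argument list so that optional dependencies are part of what gets checked. `SAMPLE_PYPROJECT`, `poetry_extras` and `poetry_export_argv` are constructed here; the `--with` group syntax is the Poetry >= 1.2 form mentioned elsewhere on this page.

```python
"""Added example (not pre-commit-hooks-safety code): build a `poetry export`
argv that enables every extra declared in pyproject.toml, so that extras
are not silently left out of the dependency check.
"""
try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: `pip install tomli`
    import tomli as tomllib  # type: ignore[no-redef]

# Constructed sample pyproject.toml; the extras mirror the report above.
SAMPLE_PYPROJECT = """
[tool.poetry]
name = "demo"
version = "0.1.0"

[tool.poetry.dependencies]
python = "^3.8"
requests = "^2.28"

[tool.poetry.extras]
freeipa-vault = ["ipaclient", "ipapython"]
container = ["gunicorn", "setproctitle"]
"""


def poetry_extras(pyproject_text: str) -> list:
    """Return the extra names declared under [tool.poetry.extras], in file order.

    A project with no extras table yields an empty list; a malformed table
    (anything that is not a TOML table) is rejected rather than guessed at.
    """
    data = tomllib.loads(pyproject_text)
    extras = data.get("tool", {}).get("poetry", {}).get("extras", {})
    if not isinstance(extras, dict):
        raise ValueError("[tool.poetry.extras] must be a table")
    return list(extras)


def poetry_export_argv(pyproject_text: str, groups=("dev",)) -> list:
    """Build the argv for `poetry export` with every extra enabled.

    Groups use `--with` (Poetry >= 1.2); each extra is passed as its own
    `-E` flag because `poetry export` has no all-extras switch.
    """
    argv = ["poetry", "export", "--format", "requirements.txt"]
    for group in groups:
        argv += ["--with", group]
    for extra in poetry_extras(pyproject_text):
        argv += ["-E", extra]
    return argv


if __name__ == "__main__":
    print(" ".join(poetry_export_argv(SAMPLE_PYPROJECT)))
```

The resulting argv can be handed to `subprocess.run` in place of a bare `poetry export --with=dev`; a project with no `[tool.poetry.extras]` table gets the plain export unchanged.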
Hi Lucas! Many thanks for creating this very helpful tool. With more and more projects defining dependencies in pyproject.toml (e.g., via Poetry), would you consider adding support for checking dependencies defined in that file? I imagine an initial implementation could support Poetry by checking pyproject.toml for the presence of [tool.poetry.dependencies] and/or [tool.poetry.dev-dependencies] keys, and if one or both of those keys are present, using Poetry's export-to-requirements.txt feature and running the equivalent of:
poetry export --dev --format requirements.txt | safety check --stdin
What do you think?
I ran this command
> safety check
+==============================================================================+
| |
| /$$$$$$ /$$ |
| /$$__ $$ | $$ |
| /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ |
| /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ |
| | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ |
| \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ |
| /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ |
| |_______/ \_______/|__/ \_______/ \___/ \____ $$ |
| /$$ | $$ |
| | $$$$$$/ |
| by pyup.io \______/ |
| |
+==============================================================================+
| REPORT |
| checked 99 packages, using free DB (updated once a month) |
+============================+===========+==========================+==========+
| package | installed | affected | ID |
+============================+===========+==========================+==========+
| sqlalchemy-utils | 0.37.9 | >=0.27.0 | 42194 |
+==============================================================================+
> echo $?
255
This makes some script pipelines fail when the 'safety check' command is placed at the end of the script.