pypa · matteius · Apr 22, 2025 · Mar 21, 2025 · Apr 21, 2025 · Apr 21, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -102,7 +102,7 @@ jobs:
         run: |
           git submodule sync
           git submodule update --init --recursive
-          python -m pip install -e . --upgrade
+          python -m pip install -e .[safety] --upgrade
           pipenv install --deploy --dev --python=${{ matrix.python-version }}
       - name: Run pypiserver without pipenv (Python 3.9-3.11)
         run: |

diff --git a/docs/cli.md b/docs/cli.md
@@ -8,12 +8,38 @@ pipenv [OPTIONS] COMMAND [ARGS]...
 
 ## check
 
-Checks for PyUp Safety security vulnerabilities and against PEP 508 markers provided in Pipfile.
+Checks and scans project for PyUp Safety security vulnerabilities and against PEP 508 markers.
 
 ```bash
 pipenv check [OPTIONS]
 ```
 
+Options:
+```
+--db TEXT                       Path or URL to a PyUp Safety vulnerabilities database.
+--ignore, -i TEXT               Ignore specified vulnerability during PyUp Safety checks.
+--output [screen|text|json|bare]
+                                Specifies the output format for the PyUp Safety check.
+--key TEXT                      Safety API key from PyUp.io for scanning dependencies against a live
+                                vulnerabilities database.
+--quiet                         Quiet standard output, except vulnerability report.
+--policy-file TEXT              Define the policy file to be used.
+--exit-code / --continue-on-error
+                                Output standard exit codes. Default: --exit-code.
+--audit-and-monitor / --disable-audit-and-monitor
+                                Send results back to pyup.io for viewing on your dashboard.
+--project TEXT                  Project to associate this scan with on pyup.io.
+--save-json TEXT                Path to where output file will be placed.
+--use-installed                 Whether to use the lockfile as input to check.
+--categories TEXT               Use the specified categories from the lockfile as input to check.
+--auto-install                  Automatically install safety if not already installed.
+--scan                          Use the new scan command instead of the deprecated check command.
+```
+
+**Note**: The check command is deprecated and will be unsupported beyond 01 June 2024. In future versions, the check command will run the scan command by default. Use the `--scan` option to run the new scan command now.
+
+When using the `--scan` option, you'll need to obtain an API key from https://pyup.io to access the full vulnerability database.
+
 ## clean
 
 Uninstalls all packages not specified in Pipfile.lock.

diff --git a/docs/commands.md b/docs/commands.md
@@ -80,6 +80,17 @@ The user can provide these additional parameters:
 
 ``$ pipenv check`` checks for security vulnerabilities and asserts that [PEP 508](https://www.python.org/dev/peps/pep-0508/) requirements are being met by the project's lock file or current environment.
 
+The user can provide these additional parameters:
+
+    --auto-install — Automatically install safety if not already installed.
+
+## scan
+
+``$ pipenv scan`` scans for security vulnerabilities and checks PEP 508 markers. This is the newer version of the check command with improved functionality.
+
+The user can provide these additional parameters:
+
+    --auto-install — Automatically install safety if not already installed.
 
 ## scripts
 ``$ pipenv scripts`` will list the scripts in the current environment config.
diff --git a/news/safety-command.bugfix.rst b/news/safety-command.bugfix.rst
@@ -0,0 +1,14 @@
+Update ``check`` command to support the new ``scan`` functionality
+---------------------------------------------------------------
+
+The ``check`` command has been deprecated and will be unsupported beyond June 1, 2024.
+Instead of adding a separate ``scan`` command, we've updated the ``check`` command to include a ``--scan`` option.
+
+Key changes:
+- Added a ``--scan`` option to the ``check`` command to use the new scan functionality
+- Added a deprecation warning explaining that in future versions, ``check`` will run the scan command by default
+- Better temporary file handling using the ``tempfile`` module to ensure proper cleanup
+- More robust error handling
+
+Users are encouraged to start using the ``--scan`` option with the ``check`` command to prepare for the future change.
+This option requires users to obtain and configure an API key from https://pyup.io.
diff --git a/news/safety-extras.feature.rst b/news/safety-extras.feature.rst
@@ -0,0 +1,6 @@
+Make safety an optional dependency via extras
+
+- Removed vendored safety package from pipenv/patched
+- Added safety as an optional dependency via pipenv[safety]
+- Modified check.py to prompt for safety installation if not present
+- Safety installation will not modify user's Pipfile or lockfile
diff --git a/pipenv/cli/command.py b/pipenv/cli/command.py
@@ -495,6 +495,18 @@ def run(state, command, args):
     default="",
     help="Use the specified categories from the lockfile as input to check.",
 )
+@option(
+    "--auto-install",
+    is_flag=True,
+    default=False,
+    help="Automatically install safety if not already installed.",
+)
+@option(
+    "--scan",
+    is_flag=True,
+    default=False,
+    help="Use the new scan command instead of the deprecated check command.",
+)
 @common_options
 @system_option
 @pass_state
@@ -512,9 +524,19 @@ def check(
     project=None,
     use_installed=False,
     categories="",
+    auto_install=False,
+    scan=False,
     **kwargs,
 ):
-    """Checks for PyUp Safety security vulnerabilities and against PEP 508 markers provided in Pipfile."""
+    """DEPRECATED: Checks for PyUp Safety security vulnerabilities and against PEP 508 markers provided in Pipfile.
+
+    This command has been deprecated and will be unsupported beyond 01 June 2024.
+    Please use the 'scan' command instead, which is easier to use and more powerful.
+
+    Use the --scan option to run the new scan command instead of the deprecated check command.
+    In future versions, the check command will run the scan command by default.
+    """
+
     from pipenv.routines.check import do_check
 
     do_check(
@@ -535,6 +557,8 @@ def check(
         pypi_mirror=state.pypi_mirror,
         use_installed=use_installed,
         categories=categories,
+        auto_install=auto_install,
+        scan=scan,
     )
 
 

diff --git a/pipenv/patched/patched.txt b/pipenv/patched/patched.txt
@@ -1,2 +1 @@
 pip==24.3.1
-safety==2.3.2
diff --git a/pipenv/patched/pip/LICENSE-HEADER b/pipenv/patched/pip/LICENSE-HEADER
@@ -0,0 +1,3 @@
+SPDX-License-Identifier: MIT
+SPDX-FileCopyrightText: 2021 Taneli Hukkinen
+Licensed to PSF under a Contributor Agreement.
diff --git a/pipenv/patched/safety/LICENSE b/pipenv/patched/safety/LICENSE
diff --git a/pipenv/patched/safety/VERSION b/pipenv/patched/safety/VERSION
diff --git a/pipenv/patched/safety/__init__.py b/pipenv/patched/safety/__init__.py
diff --git a/pipenv/patched/safety/__main__.py b/pipenv/patched/safety/__main__.py
diff --git a/pipenv/patched/safety/alerts/__init__.py b/pipenv/patched/safety/alerts/__init__.py