Deprecation Notice: Make safety an optional dependency via extras #6365
Merged (11 commits) on Apr 22, 2025
2 changes: 1 addition & 1 deletion .github/workflows/ci.yaml
Expand Up @@ -102,7 +102,7 @@ jobs:
run: |
git submodule sync
git submodule update --init --recursive
python -m pip install -e . --upgrade
python -m pip install -e .[safety] --upgrade
pipenv install --deploy --dev --python=${{ matrix.python-version }}
- name: Run pypiserver without pipenv (Python 3.9-3.11)
run: |
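Review bot: with `.[safety]` installed here, every CI job runs only the path where the extra is already present, so the prompt / `--auto-install` branch that news/safety-extras.feature.rst says was added to check.py is never exercised; add a step (or matrix entry) that installs plain `.` and runs `pipenv check` so the missing-safety path is covered. Minor: quote the spec as `'.[safety]'` so the brackets cannot be glob-expanded by shells that do so.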
28 changes: 27 additions & 1 deletion docs/cli.md
Expand Up @@ -8,12 +8,38 @@ pipenv [OPTIONS] COMMAND [ARGS]...

## check

Checks for PyUp Safety security vulnerabilities and against PEP 508 markers provided in Pipfile.
Checks and scans project for PyUp Safety security vulnerabilities and against PEP 508 markers.

```bash
pipenv check [OPTIONS]
```

Options:
```
--db TEXT Path or URL to a PyUp Safety vulnerabilities database.
--ignore, -i TEXT Ignore specified vulnerability during PyUp Safety checks.
--output [screen|text|json|bare]
Specifies the output format for the PyUp Safety check.
--key TEXT Safety API key from PyUp.io for scanning dependencies against a live
vulnerabilities database.
--quiet Quiet standard output, except vulnerability report.
--policy-file TEXT Define the policy file to be used.
--exit-code / --continue-on-error
Output standard exit codes. Default: --exit-code.
--audit-and-monitor / --disable-audit-and-monitor
Send results back to pyup.io for viewing on your dashboard.
--project TEXT Project to associate this scan with on pyup.io.
--save-json TEXT Path to where output file will be placed.
--use-installed Whether to use the lockfile as input to check.
--categories TEXT Use the specified categories from the lockfile as input to check.
--auto-install Automatically install safety if not already installed.
--scan Use the new scan command instead of the deprecated check command.
```

**Note**: The check command is deprecated and will be unsupported beyond 01 June 2024. In future versions, the check command will run the scan command by default. Use the `--scan` option to run the new scan command now.

When using the `--scan` option, you'll need to obtain an API key from https://pyup.io to access the full vulnerability database.

## clean

Uninstalls all packages not specified in Pipfile.lock.
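Review bot: the note "will be unsupported beyond 01 June 2024" is already in the past for a change merged on Apr 22, 2025, so it reads as stale; state the current status instead (for example that `check` now warns and will run the scan command by default in a future release). Two help strings also need attention: `--use-installed` is described as "Whether to use the lockfile as input to check", which is the opposite of what the flag name says, and `--auto-install` should say where safety is installed and that the install leaves Pipfile and Pipfile.lock untouched, as the news fragment promises.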
11 changes: 11 additions & 0 deletions docs/commands.md
Expand Up @@ -80,6 +80,17 @@ The user can provide these additional parameters:

``$ pipenv check`` checks for security vulnerabilities and asserts that [PEP 508](https://www.python.org/dev/peps/pep-0508/) requirements are being met by the project's lock file or current environment.

The user can provide these additional parameters:

--auto-install — Automatically install safety if not already installed.

## scan

``$ pipenv scan`` scans for security vulnerabilities and checks PEP 508 markers. This is the newer version of the check command with improved functionality.

The user can provide these additional parameters:

--auto-install — Automatically install safety if not already installed.

## scripts
``$ pipenv scripts`` will list the scripts in the current environment config.
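Review bot: the new `## scan` section documents a standalone `$ pipenv scan` command, but pipenv/cli/command.py in this PR only adds a `--scan` flag to `check`, and news/safety-command.bugfix.rst says explicitly that no separate `scan` command was added. Either drop the section or rewrite it as `$ pipenv check --scan`, and list `--scan` (and the API-key requirement from docs/cli.md) under the `check` parameters.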
14 changes: 14 additions & 0 deletions news/safety-command.bugfix.rst
@@ -0,0 +1,14 @@
Update ``check`` command to support the new ``scan`` functionality
---------------------------------------------------------------

The ``check`` command has been deprecated and will be unsupported beyond June 1, 2024.
Instead of adding a separate ``scan`` command, we've updated the ``check`` command to include a ``--scan`` option.

Key changes:
- Added a ``--scan`` option to the ``check`` command to use the new scan functionality
- Added a deprecation warning explaining that in future versions, ``check`` will run the scan command by default
- Better temporary file handling using the ``tempfile`` module to ensure proper cleanup
- More robust error handling

Users are encouraged to start using the ``--scan`` option with the ``check`` command to prepare for the future change.
This option requires users to obtain and configure an API key from https://pyup.io.
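Review bot: this fragment introduces a new option and a deprecation notice, which is a feature or deprecation entry rather than a `.bugfix`; rename the file accordingly so the changelog categorises it correctly. "Will be unsupported beyond June 1, 2024" is already past relative to the merge date, so reword it to describe the present behaviour, and make the heading style match news/safety-extras.feature.rst, which has no underline.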
6 changes: 6 additions & 0 deletions news/safety-extras.feature.rst
@@ -0,0 +1,6 @@
Make safety an optional dependency via extras

- Removed vendored safety package from pipenv/patched
- Added safety as an optional dependency via pipenv[safety]
- Modified check.py to prompt for safety installation if not present
- Safety installation will not modify user's Pipfile or lockfile
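Review bot: the visible diff removes the `safety==2.3.2` pin from pipenv/patched/patched.txt but shows no extras declaration, so confirm that the `pipenv[safety]` extra pins a tested version range rather than floating to whatever is latest; the vendored copy was a fixed, reviewed version and the extra should keep that property. Also document here that the on-demand install performed by check.py is a network fetch at check time, and where it installs to.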
26 changes: 25 additions & 1 deletion pipenv/cli/command.py
Expand Up @@ -495,6 +495,18 @@ def run(state, command, args):
default="",
help="Use the specified categories from the lockfile as input to check.",
)
@option(
"--auto-install",
is_flag=True,
default=False,
help="Automatically install safety if not already installed.",
)
@option(
"--scan",
is_flag=True,
default=False,
help="Use the new scan command instead of the deprecated check command.",
)
@common_options
@system_option
@pass_state
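Review bot: the `--scan` help text promises "the new scan command", but no `scan` command is defined in this diff; phrase it as using safety's scan mode via `pipenv check --scan`. Since docs/cli.md states that `--scan` needs an API key, `--scan` without `--key` should fail early with a clear message rather than part-way through the scan; consider validating that combination here or in `do_check`.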
Expand All @@ -512,9 +524,19 @@ def check(
project=None,
use_installed=False,
categories="",
auto_install=False,
scan=False,
**kwargs,
):
"""Checks for PyUp Safety security vulnerabilities and against PEP 508 markers provided in Pipfile."""
"""DEPRECATED: Checks for PyUp Safety security vulnerabilities and against PEP 508 markers provided in Pipfile.

This command has been deprecated and will be unsupported beyond 01 June 2024.
Please use the 'scan' command instead, which is easier to use and more powerful.

Use the --scan option to run the new scan command instead of the deprecated check command.
In future versions, the check command will run the scan command by default.
"""

from pipenv.routines.check import do_check

do_check(
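Review bot: this docstring is what Click prints for `pipenv check --help`, and it tells users to "use the 'scan' command instead" while the rest of the PR says the replacement is the `--scan` option on `check`; make the two agree. The "01 June 2024" date is already past at merge time and should be reworded. Click's `deprecated=True` argument on the command decorator would also emit a standard deprecation notice without hand-written docstring text.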
Expand All @@ -535,6 +557,8 @@ def check(
pypi_mirror=state.pypi_mirror,
use_installed=use_installed,
categories=categories,
auto_install=auto_install,
scan=scan,
)


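Review bot: `auto_install` and `scan` are passed through to `do_check`, but the corresponding change in pipenv/routines/check.py is not in the visible diff; the prompt path described in the news fragment needs a non-interactive fallback, otherwise `pipenv check` on a CI runner without the extra and without `--auto-install` will block on input. Suggest: if stdin is not a TTY and `auto_install` is false, exit non-zero with a message naming `pipenv[safety]` and `--auto-install`.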
1 change: 0 additions & 1 deletion pipenv/patched/patched.txt
@@ -1,2 +1 @@
pip==24.3.1
safety==2.3.2
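Review bot: dropping `safety==2.3.2` here removes the only version pin visible in the PR; make sure the extra in the package metadata carries an equivalent constraint. Also check that every file under pipenv/patched/safety/ is removed in the same commit (the deletion list below is cut off), so no stale vendored module can be imported ahead of the extra.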
3 changes: 3 additions & 0 deletions pipenv/patched/pip/LICENSE-HEADER
@@ -0,0 +1,3 @@
SPDX-License-Identifier: MIT
SPDX-FileCopyrightText: 2021 Taneli Hukkinen
Licensed to PSF under a Contributor Agreement.
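Review bot: this new license header under pipenv/patched/pip/ is unrelated to making safety optional; either split it into its own commit with a message explaining which vendored component it covers, or mention it in the PR description so the provenance change is reviewable on its own.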
11 changes: 0 additions & 11 deletions pipenv/patched/safety/LICENSE

This file was deleted.

1 change: 0 additions & 1 deletion pipenv/patched/safety/VERSION

This file was deleted.

11 changes: 0 additions & 11 deletions pipenv/patched/safety/__init__.py

This file was deleted.

8 changes: 0 additions & 8 deletions pipenv/patched/safety/__main__.py

This file was deleted.

42 changes: 0 additions & 42 deletions pipenv/patched/safety/alerts/__init__.py

This file was deleted.
