
Add custom comment to excluded "unsafe" package #2151

Open
ntjess opened this issue Dec 22, 2024 · 2 comments


ntjess commented Dec 22, 2024

What's the problem this feature will solve?

Pip-compile users may consider a package to be "unsafe" to pin for a variety of reasons: e.g. necessary security patches, bloated dependency chains, multiple providers of the same python package, etc. Currently, there is no option to customize the requirements.txt comment indicating a package is unsafe. They all have the same header:

# The following packages are considered to be unsafe in a requirements file:
# opencv-python

From just this information, it's unclear why opencv-python is unsafe. Is there a security vulnerability? Or is it a different reason, as listed above?

Describe the solution you'd like

Ideally, each package can explain why it was excluded. As one example:

pip-compile --no-allow-unsafe \
    --unsafe-package "opencv-python  # has many providers such as opencv-python-headless, opencv-contrib-python, etc. so no need to force a more bloated option" \
    --unsafe-package "another-package  # with its reason for exclusion"

Alternative solutions

It would also make sense if an --exclude option was present instead, which generates the heading:

# The following packages are listed as dependencies, but explicitly excluded from this requirements file:
# package-a

Or something similar. I am filing this request under allow-unsafe instead of an additional --exclude flag since #333 is marked as closed with the suggestion people use this instead.

webknjaz (Member) commented

The solution is to list your direct deps in a .in file instead of the command-line. The command-line args don't usually get complicated processing, but the input files would have that. The resulting constraints .txt probably shouldn't contain these comments anyway. The input file is the right place for those comments.


ntjess commented Dec 23, 2024

Thanks for the reply. Can you provide a complete example? Hopefully this explains my confusion:

Suppose I want to install package A, which relies on opencv-python. However, I prefer to use opencv-python-headless for the reasons mentioned in the issue. I can do this:

# Contents of `requirements.in`
opencv-python-headless
# I want all of package-a's normal dependencies, *except* opencv-python
package-a

How do I also specify the excluded packages in the way you recommend? Or do you mean I should re-list all deps of package-a except opencv-python in a separate requirements.in?
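An added example, not from pip-tools or either participant, of one way to keep the "why" next to the excluded package and verify that the compiled output honours it: a `# exclude: <package> <reason>` annotation in requirements.in (a convention assumed here, not a pip-tools feature), a check that none of those packages ended up pinned in requirements.txt, and the annotated header the issue asks for. All file contents are constructed samples.

```python
import re

# Constructed sample inputs (not real project files). The "# exclude:" line
# is a convention assumed for this example; pip-tools does not define it.
REQUIREMENTS_IN = """\
# exclude: opencv-python  many providers (opencv-python-headless, opencv-contrib-python); no need for the bloated option
# exclude: another-package  its reason for exclusion
opencv-python-headless
package-a
"""
COMPILED_TXT = """\
opencv-python-headless==1.0.0
    # via -r requirements.in
package-a==1.0.0
    # via -r requirements.in
"""

EXCLUDE_RE = re.compile(r"^#\s*exclude:\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==")


def normalize(name):
    """PEP 503 name normalisation so Opencv_Python and opencv-python compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_exclusions(text):
    """Map normalised package name -> documented reason, from '# exclude:' lines."""
    found = {}
    for line in text.splitlines():
        m = EXCLUDE_RE.match(line.strip())
        if m:
            found[normalize(m.group(1))] = m.group(2).strip()
    return found


def pinned_packages(text):
    """Normalised names of every '==' pin in a compiled requirements file."""
    return {normalize(m.group(1)) for m in map(PIN_RE.match, map(str.strip, text.splitlines())) if m}


def check(requirements_in, compiled):
    """Return (excluded packages that still got pinned, annotated header text)."""
    exclusions = parse_exclusions(requirements_in)
    violations = sorted(exclusions.keys() & pinned_packages(compiled))
    header = ["# The following packages are deliberately excluded from this requirements file:"]
    for name, reason in sorted(exclusions.items()):
        header.append(f"# {name}  # {reason}" if reason else f"# {name}")
    return violations, "\n".join(header)
```

Run `check()` over the real requirements.in and the freshly compiled requirements.txt in CI; a non-empty violation list means a transitive dependency pulled an excluded package back in.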
