Supplying vulnerability-based constraints to the resolution process

+1, IMHO vulnerability data is very valuable information for users - users should be aware of the possible security implications of the software they are consuming.

When @dstufft and I discussed the approach mentioned in this topic, Donald had a nice idea - first just print warnings for users. That could be a very nice starting point for pip - first, providing vulnerability information to users, and then, if they want to avoid vulnerabilities, they can do so by turning on a resolution process that would consider vulnerabilities.

Thank you. This topic was also raised with Thoth's cloud-based resolver - an enhanced server-side resolution offered to the Python community. Having this standardised could be nice.

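As an added illustration of the two-stage idea in the replies above (warn first, then optionally let the resolver treat advisories as extra constraints), here is a small Python model. It is not pip's or Thoth's code; the package index, the advisory records and the `>=x,<y` mini-spec language are all constructed assumptions for the example.

```python
"""Toy model of vulnerability-aware version selection (constructed example).

Two modes, mirroring the discussion above:
  - "warn":  pick the newest matching candidate as usual and emit a warning
             if it is covered by a known advisory
  - "avoid": treat advisories as additional constraints and pick the newest
             matching candidate that has no known advisory
"""
import warnings
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Minimal dotted-integer version parser (assumption: no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    """A vulnerability record: affected from `introduced` up to (not including) `fixed`."""
    id: str
    package: str
    introduced: str
    fixed: Optional[str]  # None means no fixed release is known yet

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        if self.fixed is not None and v >= parse_version(self.fixed):
            return False
        return True


# Constructed sample index and advisory feed; the names and ids are placeholders.
INDEX = {"examplepkg": ["1.0.0", "1.1.0", "1.2.0", "2.0.0"]}
ADVISORIES = [Advisory("EXAMPLE-ADVISORY-0001", "examplepkg", "1.1.0", "2.0.0")]

# Constructed comparison mini-language: a spec is a comma-separated list of clauses.
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every clause of `spec`, e.g. '>=1.0.0,<2.0.0'."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        for op in sorted(_OPS, key=len, reverse=True):  # try ">=" before ">"
            if clause.startswith(op):
                if not _OPS[op](v, parse_version(clause[len(op):].strip())):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause {clause!r}")
    return True


def advisories_for(package: str, version: str, advisories=ADVISORIES) -> list:
    """All advisories that cover this exact (package, version)."""
    return [a for a in advisories if a.package == package and a.affects(version)]


def resolve(package: str, spec: str, mode: str = "warn", index=INDEX, advisories=ADVISORIES) -> str:
    """Select a version of `package` matching `spec` under the chosen policy."""
    candidates = sorted(
        (v for v in index[package] if satisfies(v, spec)), key=parse_version, reverse=True
    )
    if not candidates:
        raise LookupError(f"no version of {package} matches {spec!r}")
    if mode == "warn":
        chosen = candidates[0]
        for a in advisories_for(package, chosen, advisories):
            warnings.warn(f"{package}=={chosen} is affected by {a.id}")
        return chosen
    if mode == "avoid":
        for v in candidates:
            if not advisories_for(package, v, advisories):
                return v
        raise LookupError(f"every version of {package} matching {spec!r} has a known advisory")
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print(resolve("examplepkg", ">=1.0.0"))              # 2.0.0, no warning (fixed release)
    print(resolve("examplepkg", "<2.0.0"))               # 1.2.0, with a warning
    print(resolve("examplepkg", "<2.0.0", mode="avoid"))  # 1.0.0, advisory treated as a constraint
```

The "avoid" branch shows the cost of the stricter mode: when a pin such as `<2.0.0` excludes every fixed release, the resolver either falls back to an older unaffected version or fails outright, which is why surfacing the information as warnings first is a gentler starting point.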