Replies: 1 comment
-
I think adding this to Poetry itself it out of scope (see #994 (comment)) and the dev team would prefer plugins. That said, you can create a plugin that listens for a specific command event such as The disadvantage is that it would double the IO of installation (unless the plugin can cache files the way Poetry expects). To get around this, the event system probably needs to be fleshed out more with Poetry's own events, such as If finer-grain events were added, I'd probably contribute the sanitation step to |
Beta Was this translation helpful? Give feedback.
-
Hi all,
I was wondering whether the poetry team has thoughts about adding a pre-add or pre-install sanitation step where one could run any audit tool for SAST. With typosquatting and account hijacking becoming more tangible and serious nowadays, moving ahead with the current way of installing packages would induce a threat for every user.
Discussions like https://github.com/orgs/python-poetry/discussions/9252 and https://github.com/orgs/python-poetry/discussions/9262 sparked some thoughts and I was really hoping to see effort on the side of PyPi and package installers such as Poetry to secure the ecosystem.
The question would also phrased in the setting: is this something the package/dependency manager should be responsible for and in to which extend?
Open for debate:
Here i'm open for suggestions before moving on to setup a POC and submit a PR for this idea.
Beta Was this translation helpful? Give feedback.
All reactions