Be sure to check the existing issues (both open and closed!), and make sure you are running the latest version of Pipenv.
Check the diagnose documentation for common issues and the PEEP list before posting! We may close your issue if it is very similar to one of them. Please be considerate and follow the PEEP process, or be on your way.
Make sure to mention your debugging experience if the documented solution failed.
Is your feature request related to a problem? Please describe.
When generating a requirements.txt file from a Pipfile, it currently does not include any --hash flags. Consequently, running pip install is vulnerable to certain supply chain attacks.
However, it does contain the index (via both -i and --extra-index-url).
Describe the solution you'd like
When generating a requirements.txt file from a Pipfile, it should include --hash on everything. That way someone running pip install on the resulting file will benefit from the enhanced security this provides.
However, it should not include the index, as it may include credentials which should not be written in plaintext. Or, at the very least, it should output it verbatim as it appears in the Pipfile, without expanding environment variables.
Describe alternatives you've considered
Today we don't use pipenv lock -r and instead have a custom solution for this.
Additional context
Add any other context or screenshots about the feature request here. It may be a good idea to mention the platform and Python version you are on.
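The behaviour the issue asks for, as an added example that is neither pipenv's code nor the reporter's: render a requirements file from Pipfile.lock data with a `--hash` on every line, leave the index out by default, and, when the index is requested, refuse literal credentials and emit `${VAR}` placeholders verbatim so that pip expands them at install time instead of a secret being written to disk. The lock-file layout (`_meta.sources[].url`, `<section>.<name>.{version,hashes,markers}`) and the private index URL are assumptions; the sample lock data and hash values are constructed. The last function shows the check pip itself performs on a downloaded archive in hash-checking mode.

```python
"""Render a hash-pinned requirements.txt from Pipfile.lock data.

Added example, not pipenv's own implementation. Assumes the Pipfile.lock
layout "_meta.sources[].url" for indexes and
"<section>.<name>.{version,hashes,markers}" for packages.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed sample lock (not from the issue). The index URL carries
# credentials as ${VAR} placeholders, which is how a Pipfile avoids plaintext.
SAMPLE_LOCK = {
    "_meta": {
        "sources": [
            {
                "name": "private",  # hypothetical index
                "url": "https://${PYPI_USER}:${PYPI_PASS}@pypi.example.com/simple",
                "verify_ssl": True,
            }
        ]
    },
    "default": {
        "requests": {
            "version": "==2.28.1",
            "hashes": ["sha256:" + "ab" * 32, "sha256:" + "cd" * 32],  # constructed
        },
        "urllib3": {
            "version": "==1.26.12",
            "hashes": ["sha256:" + "ef" * 32],  # constructed
            "markers": "python_version >= '3.6'",
        },
    },
}


class LockError(ValueError):
    """Raised when the lock data cannot yield a valid hash-checked file."""


def index_has_plaintext_credentials(url):
    """True if the URL's userinfo holds a literal secret rather than a ${VAR}
    placeholder that pip expands when it reads the requirements file."""
    parts = urlsplit(url)
    for secret in (parts.username, parts.password):
        if secret is not None and not secret.startswith("${"):
            return True
    return False


def render_requirements(lock, section="default", include_index=False):
    """Return requirements.txt lines, one entry per package, every entry hashed."""
    lines = []
    if include_index:
        for i, src in enumerate(lock["_meta"]["sources"]):
            url = src["url"]
            if index_has_plaintext_credentials(url):
                raise LockError(f"index {src['name']!r} embeds plaintext credentials")
            flag = "-i" if i == 0 else "--extra-index-url"
            # Placeholders are written verbatim, never expanded here.
            lines.append(f"{flag} {url}")
    for name, spec in sorted(lock[section].items()):
        version = spec.get("version", "")
        hashes = spec.get("hashes", [])
        # pip's hash-checking mode applies to the whole file: a single unpinned
        # or unhashed requirement makes `pip install -r` fail, so fail early.
        if not version.startswith("=="):
            raise LockError(f"{name}: hash-checking needs an exact pin, got {version!r}")
        if not hashes:
            raise LockError(f"{name}: no hashes in lock file")
        req = f"{name}{version}"
        if spec.get("markers"):
            req += f" ; {spec['markers']}"
        parts = [req] + [f"--hash={h}" for h in sorted(hashes)]
        lines.append(" \\\n    ".join(parts))
    return lines


def sha256_entry(data):
    """Format a digest the way it appears after --hash=."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def artifact_allowed(data, hashes):
    """The check pip performs before installing a downloaded archive in
    hash-checking mode: its digest must match one of the listed hashes."""
    return sha256_entry(data) in hashes


if __name__ == "__main__":
    print("\n".join(render_requirements(SAMPLE_LOCK)))
```

With the default `include_index=False` the output carries no `-i` line at all; a consumer passes the index on the `pip install` command line or via `PIP_INDEX_URL`, so credentials never reach the committed file.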
@rittneje I think perhaps your attention on this PR, which helps support a new requirements command, would benefit from having your ideas working there. See: #5013