Support for optional dependencies/extras when auditing from pyproject.toml

[albertodiazdorado]

Pre-submission checks

• I am not reporting a new vulnerability or requesting a new vulnerability identifier. These must be reported or managed via upstream dependency sources or services, not this repository.
• I agree to follow the PSF Code of Conduct.
• I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

Disclaimer: This is only a question. I looked for a slack or discord space but could not find any, hence I am coming here. Please let me know if there's a better way of asking questions.

Is it possible, somehow, to have pip-audit scan not only the dependencies of my project as per pyproject.toml

[project]
dependencies = [
  # ...
]

But also include my dev dependencies?

[project.optional-dependencies]
dev = [
  # ...
]

For reference, tools like liccheck (for license checking) allow users to include dev dependencies in the analysis like this:

[tool.liccheck]
authorized_licenses = [
    "bsd",
    "mit",
]
dependencies = true
optional_dependencies = ["dev"]

Describe the solution you'd like

I'd love to be able to include dev dependencies in my scans

Additional context

No response

[woodruffw]

Disclaimer: This is only a question. I looked for a slack or discord space but could not find any, hence I am coming here. Please let me know if there's a better way of asking questions.

We don't use any of these at the moment, so opening here is fine! Thanks for filling out the issue fields, we appreciate it.

Is it possible, somehow, to have pip-audit scan not only the dependencies of my project as per pyproject.toml

Hmm, I don't believe we currently support this, but supporting it seems useful.

Do you have any proposals for an interface here? At the moment we only support pyproject.toml in "directory" mode (e.g. pip-audit .), so we'd probably need one or more flags or another way to signal the "extra" group to include in the audit.

One thing we could potentially do is use the same syntax as pip, e.g. pip-audit .[dev] to mean "audit the current directory, include the dev extra". I'd need to think a bit more about how feasible that is, but it'd probably be minimally disruptive + consistent with pip; I'm curious if you have other ideas as well 🙂

(Separately: you probably already know this, but you can get the equivalent of this behavior by doing pip install .[dev] && pip-audit within your local environment.)

[albertodiazdorado]

I believe that the best solution would be to have something like what liccheck already does. However, that's only possible once you can configure pip-audit via pyproject.toml and we are not there yet. We'll have to wait until there's some progress on #694

If I was the maintainer, I wouldn't want to implement the command flag now (i.e. pip-audit .[dev] ) only to have it become obsolete as soon as there is pip-audit configuration via pyproject.toml. So I would send the question back to you: how important do you consider providing pip-audit configuration via pyproject.toml? If you consider that important, then I would wait and do nothing regarding the scan of dev dependencies. If you consider that pyproject.toml support is not important and has very low priority in the roadmap, then I do like your proposal for the API :)

(Separately: you probably already know this, but you can get the equivalent of this behavior by doing pip install .[dev] && pip-audit within your local environment.)

That's what I am planning to do for the time being. However, that's a very implicit solution that depends on previous shell commands, and since I am planning to use pip-audit in a pipeline, I'd rather have something more explicit & robust.

Thank you for the feedback!

[woodruffw]

I believe that the best solution would be to have something like what liccheck already does. However, that's only possible once you can configure pip-audit via pyproject.toml and we are not there yet. We'll have to wait until there's some progress on #694

I'm not super familiar with liccheck, do you have a resource I can read on it?

Separately, I'm not sure this should be blocked on whatever we generalize in #694 🙂 -- that issue is about fully generalizing pip-audit's various CLI flags into a pip.conf-esque configuration, while this more constrained to something that already has a well-known idiom in pip (concretely, .[extra] is the "standard" syntax for adding optional dependencies during installation).

So TL;DR: I consider configuration important, but also "wiggly"/separate enough to not be worth blocking this on. Since pip already has a standard-ish syntax for this (and we already try to mimic pip in many ways), we should go ahead and just use the .[extra] syntax I think.

[albertodiazdorado]

I'm not super familiar with liccheck, do you have a resource I can read on it?

Sure, just go to the section "How to use" in the README and have a look at the example pyproject.toml. I am copying the relevant parts here. The main thing is the line optional_dependencies = ["test"]

[tool.liccheck]
authorized_licenses = [
    "bsd",
    "apache",
    "apache 2.0",
    "mit",
]
unauthorized_licenses = [
    "gpl v3",
]
dependencies = true # to load [project.dependencies]
optional_dependencies = ["test"] # to load extras from [project.optional-dependencies]

---

Regarding your suggestion pip-audit .[dev], I find it plenty reasonable. I don't think I will find time to implement it short term, sadly, but if I find time I could try to help.

[woodruffw]

Related to this: we should also support PEP 735: https://peps.python.org/pep-0735/