option to only parse declarative dependency specifications (eg not execute setup.py) #891

graingert · 2019-09-12T10:16:24Z

Currently when executing pip-compile you are forced to download and execute untrusted python code (setup.py), however it's possible to determine dependency versions without executing setup.py for wheel packages and those using setup.cfg declarative metadata https://setuptools.readthedocs.io/en/latest/setuptools.html#configuring-setup-using-setup-cfg-files

There should be an option to only parse dependencies from declarative sources eg wheel and setup.cfg. and never execute any "setup.py" files

atugushev · 2019-09-15T07:18:19Z

Is there an option in pip to achieve this when you install a package?

atugushev · 2023-07-06T22:36:37Z

@graingert does pip-compile --pip-args '--only-binary :all:' resolve the issue?

webknjaz · 2023-07-08T22:48:41Z

I wonder if this could build on top of #1681 later on.

atugushev added the feature Request for a new feature label Sep 15, 2019

atugushev added the needs discussion Need some more discussion label Sep 19, 2019

atugushev added the awaiting response Awaiting response from a contributor label Jan 9, 2020

AndydeCleyre mentioned this issue Mar 21, 2022

Use installed packages to solve dependency graph #1596

Closed

Provide feedback