[$] Adding auditing to pip

Post Syndicated from original https://lwn.net/Articles/904197/

A tool to discover known security vulnerabilities in the Python packages installed on a system or required by a project, called pip-audit, was recently discussed on the Python discussion forum. The developers of pip-audit raised the idea of adding the functionality directly into the pip package installer, rather than keeping it as a separately installable tool. While the functionality provided by pip-audit was seen as a clear benefit to the ecosystem, moving it inside the pip “tent” was not as overwhelmingly popular. It is not obvious that auditing is part of the role that the package installer should play.
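To make the auditing step concrete, here is an added example (not pip-audit's code, nor anything from the article) showing the core check such a tool performs: match the packages installed in the current environment, or pinned in a requirements file, against a list of advisories. The advisory entries, their ids and the "fixed_in" field are constructed stand-ins for the advisory database pip-audit queries, and version comparison is simplified to numeric dotted versions.

```python
import re
from importlib import metadata

# Constructed sample advisories (hypothetical ids and versions, not real CVEs).
# A real auditor fetches these from an advisory database.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "fixed_in": "2.31.0"},
    {"id": "EXAMPLE-0002", "package": "urllib3", "fixed_in": "1.26.5"},
]


def normalize_name(name):
    """PEP 503 name normalisation so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Simplified: numeric dotted versions only, trailing zeros dropped so
    '2.31' and '2.31.0' compare equal (no pre-release handling)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """A package is affected if its version predates the fixing release."""
    return parse_version(installed) < parse_version(fixed_in)


def parse_pinned_requirements(text):
    """Read 'name==version' lines from a requirements file; skip comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[normalize_name(name.strip())] = version.strip()
    return pins


def installed_packages():
    """Map of normalised name -> version for the current environment."""
    return {normalize_name(d.metadata["Name"]): d.version
            for d in metadata.distributions()}


def audit(packages, advisories):
    """Return (name, installed, advisory id, fixed_in) for each affected package."""
    findings = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        version = packages.get(name)
        if version is not None and is_vulnerable(version, adv["fixed_in"]):
            findings.append((name, version, adv["id"], adv["fixed_in"]))
    return findings
```

Running `audit(installed_packages(), SAMPLE_ADVISORIES)` checks the live environment; `audit(parse_pinned_requirements(open("requirements.txt").read()), SAMPLE_ADVISORIES)` checks a project's pins instead.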