Better support for transitive deps in Python (requirements.txt)
oliverchang opened this issue · comments
Currently requirements.txt parsing does not resolve the full dependency graph.
One option here may be to integrate pip-audit into this tool (though that introduces an external dependency from a different ecosystem).
Another option would be to require hashes to be specified; this ensures that the requirements file is fully resolved (because all dependencies must have hashes specified), and this dependency resolution is unnecessary.
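The hash-based option above can be checked mechanically. The script below is an added example (not part of this project, pip or pip-tools): it applies the rule pip's hash-checking mode enforces, every requirement pinned with `==` and carrying a `--hash=`, to a constructed requirements file and reports each entry that would be rejected. The digests in the sample are placeholders.

```python
"""Report requirements.txt entries that pip's hash-checking mode would reject.

Added example for this issue thread, not the scanner's own code. A file that
passes this check necessarily lists its whole resolved dependency graph,
because pip refuses any unhashed (including transitive) package in that mode.
"""
import re

# Pinned with '==' (optional extras allowed), e.g. "requests[socks]==2.31.0".
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-f]+")


def _logical_lines(text):
    """Join backslash-continued lines (pip-compile style) and drop comments."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_requirements(text):
    """Return (ok, problems); problems is a list of (entry, reason)."""
    problems = []
    for line in _logical_lines(text):
        if line.startswith(("-e", "--editable")):
            problems.append((line, "editable requirement cannot be hashed"))
        elif line.startswith("-"):
            continue  # other options such as --index-url or -r are fine
        elif not PIN_RE.match(line):
            problems.append((line, "not pinned with =="))
        elif not HASH_RE.search(line):
            problems.append((line, "no --hash option"))
    return (not problems, problems)


# Constructed sample; the sha256 value is a placeholder, not a real digest.
SAMPLE = """\
--index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3>=1.26          # transitive dep left unpinned: graph not resolved
certifi==2023.7.22     # pinned but no hash
"""

if __name__ == "__main__":
    for entry, reason in audit_requirements(SAMPLE)[1]:
        print(f"{reason}: {entry}")
```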
Or use pip-compile, which introduces pip-tools as a dependency instead: https://github.com/jazzband/pip-tools @oliverchang
Maybe deps.dev can be used here.
@oliverchang