by ATechGuy 404 days ago
Looks like a useful tool. Congrats on shipping! Many packages are installed automatically in environments like CI/CD pipelines or Dockerfiles, where interactive review and consent aren't possible. How do you plan to handle such scenarios?

Ideally, you should use lockfiles for your CI/CD or Docker. To create or update the lockfile, a developer needs to install dependencies manually first (as in `pip install X` -> `pip freeze`), at which point the checks would be executed and the user would consent.

That said, it's pretty uncommon to use lockfiles with pip, so I'm considering creating something like a plugin for poetry or uv, if there is demand?

Quite a few people use requirements.txt files with pip actually. I've seen many projects that even expect end users to do so. You might not notice - exactly because they aren't packaging for PyPI.
But before committing requirements.txt to git, they still run install locally, right?
Sure, they presumably have a local dev environment where they install dependencies to test their own code.

But there are a lot of possible workflows around that. Some people might separately install things one at a time according to what they appear to need as they're developing, and then use `pip freeze` to create the `requirements.txt` file. Others might edit `requirements.txt` directly, and repeatedly re-create their environment based off that. Still others might involve any number of tools here, such as pip-tools (https://pypi.org/project/pip-tools/), pipenv (https://pypi.org/project/pipenv/), etc.

As long as they run `pip install` locally at any point in their process before pushing to the repo, they should get the opportunity to see the pipask report.
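As an added example (not code from this thread, and not part of pipask itself), here is a small POSIX sh gate for the lockfile workflow described in this reply and the earlier one: developers run `pip install` locally, where an interactive checker can prompt them, then freeze the result to `requirements.txt`; the non-interactive CI or Docker step should only ever install from that frozen file. The `check_pinned` function refuses a requirements file that contains any spec not pinned with `==`, since an unpinned spec would let the unattended install resolve to a version nobody reviewed locally. The two requirements files are constructed sample inputs, and `ci_install` is a hypothetical wrapper standing in for the real CI step.

```shell
#!/usr/bin/env sh
# Added example, not from the thread or from pipask: gate a non-interactive
# install on the requirements file being a fully pinned lockfile.

# check_pinned FILE
# Returns 0 if every requirement line in FILE is pinned with "==", 1 otherwise.
# Comment lines, blank lines and pip option lines (-r, --index-url, ...) are
# ignored; inline comments after a spec are stripped before checking.
check_pinned() {
    file="$1"
    bad=0
    # "|| [ -n "$line" ]" also processes a last line with no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        spec=$(printf '%s' "$line" | sed 's/[[:space:]]*#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$spec" ] && continue
        case "$spec" in
            -*)   continue ;;   # pip option line, not a requirement
            *==*) ;;            # pinned to an exact version: fine
            *)    echo "unpinned requirement: $spec" >&2; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# ci_install FILE
# Hypothetical CI step: install only when FILE passes the gate. The install
# command itself is echoed rather than run so the example works offline.
ci_install() {
    if ! check_pinned "$1"; then
        echo "refusing non-interactive install from unpinned $1" >&2
        return 1
    fi
    # In a real pipeline this line would be: pip install --no-deps -r "$1"
    # (--no-deps so that nothing outside the reviewed lockfile is pulled in).
    echo "would run: pip install --no-deps -r $1"
}

# Constructed sample inputs (not real project files).
tmp=$(mktemp -d)
cat > "$tmp/frozen.txt" <<'EOF'
# produced by `pip freeze` after a reviewed local install
requests==2.31.0
urllib3==2.0.7   # transitive pin kept by freeze
EOF
cat > "$tmp/loose.txt" <<'EOF'
requests>=2
urllib3
EOF

# Stand-alone run: the frozen file passes, the loose one is refused.
ci_install "$tmp/frozen.txt"
ci_install "$tmp/loose.txt" || echo "loose.txt rejected as expected"
```

The gate deliberately ignores pip option lines such as `-r other.txt`, so a referenced file is not checked transitively; in a real pipeline you would run `check_pinned` over every requirements file the install touches.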
True. I was only trying to address "it's pretty uncommon to use lockfiles with pip". I should have quoted it in my first post.