by scsh 406 days ago
I like the idea of having vuln reporting in the installation step. Looking at the examples provided though, I think the vulnerability reporting could use a bit more information.

Using the fastapi example, it points to CVE-2024-24762 which, if you're looking at the NIST or CVE pages for it, doesn't give the clearest info for how to resolve.

Maybe consider linking to advisories in the Python Packaging Advisory Database when possible, like pip-audit does. https://osv.dev/vulnerability/PYSEC-2024-38 is a lot clearer that fastapi is affected and which version fixed the vulnerability.


It's not visible on the screenshot for some reason, but if you run the latest version, you'll notice a little underline under the CVE mention. It's actually a hyperlink (Cmd+click in iTerm2) that leads to https://osv.dev/vulnerability/CVE-2024-24762 where you can find out more.

Or are you saying you'd rather it led to https://osv.dev/vulnerability/PYSEC-2024-38 than to https://osv.dev/vulnerability/CVE-2024-24762?

Yes, in this particular case, where I'm trying to install fastapi, I'd rather it direct me to https://osv.dev/vulnerability/PYSEC-2024-38, which is more fastapi-specific and mentions that the fixed version of fastapi is 0.109.1. Or, even better, give the link and print the fixed version from the advisory yaml https://github.com/pypa/advisory-database/blob/main/vulns/fa...
I'll have a look at that.
Can it spit out a visible URL for those of us who use the default macOS terminal app?
Yes, I can! It will be in the next release.
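As an added example (not the installer's own code, nor anything from the thread's participants), this is what the request above amounts to: read an advisory in the OSV format that osv.dev and the pypa/advisory-database records use, print the osv.dev link and the fixed version, and decide whether the version about to be installed falls inside an affected range. The advisory record is constructed inline from the ids and version named in the thread, and the version ordering is a release-segment simplification of PEP 440, not a full implementation.

```python
import json
import re

# Constructed sample in the OSV format that osv.dev and the pypa/advisory-database
# records use; ids, package and fixed version are the ones named in the thread.
SAMPLE_ADVISORY = json.dumps({
    "id": "PYSEC-2024-38", "aliases": ["CVE-2024-24762"],
    "affected": [{"package": {"ecosystem": "PyPI", "name": "fastapi"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "0.109.1"}]}]}],
})

def release_tuple(version):
    """Map "0.109.1" to (0, 109, 1). Simplified: pre/post/dev suffixes ignored, not full PEP 440."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def package_ranges(advisory, package):
    """Version ranges for `package` (GIT ranges skipped: commit hashes are not comparable)."""
    for aff in advisory.get("affected", []):
        if aff.get("package", {}).get("name", "").lower() == package.lower():
            for rng in aff.get("ranges", []):
                if rng.get("type") in ("ECOSYSTEM", "SEMVER"):
                    yield rng

def is_affected(advisory, package, version):
    """Walk each range's sorted events; True if `version` lies in an introduced..fixed window."""
    v = release_tuple(version)
    for rng in package_ranges(advisory, package):
        vulnerable = False
        for ev in rng.get("events", []):
            if "introduced" in ev:
                if ev["introduced"] == "0" or release_tuple(ev["introduced"]) <= v:
                    vulnerable = True
            elif "fixed" in ev and release_tuple(ev["fixed"]) <= v:
                vulnerable = False
            elif "last_affected" in ev and release_tuple(ev["last_affected"]) < v:
                vulnerable = False
        if vulnerable:
            return True
    return False

def install_report(advisory_json, package, version):
    """What an installer could print: osv.dev link, lowest fixed version, affected or not."""
    adv = json.loads(advisory_json)
    fixes = sorted((ev["fixed"] for rng in package_ranges(adv, package)
                    for ev in rng.get("events", []) if "fixed" in ev), key=release_tuple)
    return {"link": f"https://osv.dev/vulnerability/{adv['id']}",
            "fixed": fixes[0] if fixes else None,
            "affected": is_affected(adv, package, version)}
```

Calling `install_report(SAMPLE_ADVISORY, "fastapi", "0.109.0")` yields the link, the fix `0.109.1` and `affected: True`; the same call with `0.109.1` reports the install as not affected.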