rye support for Dependency Scanning
Problem to solve
rye is a package manager for Python which supports lock files.
Rye currently uses pip-tools to download and install dependencies. For this purpose it creates two "lockfiles" (called requirements.lock and requirements-dev.lock). These are not real lockfiles but they fulfill a similar purpose until a better solution has been implemented. Whenever rye sync is called, it will update lockfiles as well as the virtualenv. If you only want to update the lockfiles, then rye lock can be used.
Right now rye isn't supported by Dependency Scanning.
Proposal
Add the ability to parse requirements.lock and requirements-dev.lock files to gemnasium-python.
This overlaps with Handle requirements.txt files produced by pip-c... (#418321), which is about processing requirements.txt as a lock file (instead of having distinct names for lock files).
gemnasium-python should parse lock files without running any Python command. As a result, the scan should be compatible with any version of Python.
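An added example of the proposed approach (not gemnasium-python's code): a parser that reads a rye-style requirements.lock as plain text and returns pinned name/version pairs without invoking any Python interpreter. The lock-file content is constructed, and the assumed layout follows what pip-tools emits (one exact pin per line, `# via` comments, `-e` and option lines).

```python
"""Parse rye/pip-tools style requirements.lock files into pinned dependencies."""
import re
from typing import Dict

# Exact pin with optional extras and trailing marker/comment, e.g.
#   requests[socks]==2.31.0 ; python_version >= "3.8"
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"          # optional extras, ignored for scanning
    r"\s*===?\s*"               # exact pin operator (== or ===)
    r"(?P<version>[^\s;#]+)"    # version stops at whitespace, marker or comment
)

# Constructed sample resembling the output of `rye lock` (assumed format).
SAMPLE_LOCK = """\
# generated by rye
# use `rye lock` or `rye sync` to update this lockfile
#
# last locked with the following flags:
#   pre: false

-e file:.
blinker==1.7.0
    # via flask
click==8.1.7
    # via flask
flask==3.0.0
requests[socks]==2.31.0 ; python_version >= "3.8"
Jinja2==3.1.2
    # via flask
"""


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Jinja2', 'jinja2' and 'Flask_Login'/'flask-login' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock(text: str) -> Dict[str, str]:
    """Return {normalised name: version} for every exact pin in the lock text.

    Comment lines, blank lines, pip options (-e, --index-url, ...) and
    unpinned requirements are skipped; nothing is executed.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()   # drop trailing "# via ..." comments
        if not line or line.startswith(("#", "-")):
            continue
        match = _PIN_RE.match(line)
        if match:
            pins[normalize_name(match.group("name"))] = match.group("version")
    return pins
```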