
🛡️ Automatically gatekeep the addition of insecure packages. #1177

Open
galenseilis opened this issue Jun 27, 2024 · 0 comments

galenseilis commented Jun 27, 2024

I'm just learning about Rye, and so far I am really impressed, so apologies in advance if I have missed this in the documentation.

Something that would be a pretty big deal for my team is automatically gatekeeping package installation. Installing secure packages should be a default, so my broad suggestion is to automate gatekeeping the installation of packages based on whether they have known security issues.

From a user's perspective it might look something like this:

```
$ rye add <badpackage>
The package <badpackage> has a security advisory on it, and has been blocked from installation. See <helpful_link> for more information. To override this safety mechanism, use the `-F` flag to force install the package. We do not recommend this in general.
```

This is not something I know a lot about, so I regret to say I don't have a lot of advice about implementation. Security is not my specialty. I'm also only a baby rustacean, so my ability to contribute to the Rust part is pretty limited right now (e.g. see A Rust Implementation of a Simple Car DES for an example).

But here's a few things to look into (for what it's worth):

I'd be happy to chat about this more. It isn't a fully clarified idea, but I am happy to iterate and be kept in the loop for feedback.
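A sketch of the gate the issue describes, added here as an illustration and not code from the issue author or from Rye: before an install, the requested package and version are matched against advisory records in an OSV-like shape (affected range given as introduced/fixed versions), blocked on a hit, and let through with a warning only when the `-F` force flag is set. The advisory records, package names and URLs are constructed samples; a real implementation would query a live advisory source and use PEP 440 version parsing instead of the simplified numeric comparison used here.

```python
"""Pre-install advisory gate for a `rye add`-style command (hypothetical sketch)."""
from dataclasses import dataclass

# Constructed sample advisories in an OSV-like shape. IDs, names and URLs are
# placeholders, not real advisories or real packages.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "badpackage",
     "introduced": "0", "fixed": "2.3.1",          # fixed in 2.3.1 and later
     "url": "https://example.invalid/advisories/EXAMPLE-2024-0001"},
    {"id": "EXAMPLE-2024-0002", "package": "other-pkg",
     "introduced": "1.5.0", "fixed": None,         # no fixed release yet
     "url": "https://example.invalid/advisories/EXAMPLE-2024-0002"},
]


def normalize_name(name: str) -> str:
    """PEP 503-style normalization so `Other_Pkg` matches `other-pkg`."""
    return name.strip().lower().replace("_", "-")


def parse_version(v: str) -> tuple:
    """Simplified numeric version parsing; real code should use PEP 440 (packaging)."""
    return tuple(int(p) for p in v.split("."))


def affected(advisory: dict, version: str) -> bool:
    """True when `version` lies in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


@dataclass
class Decision:
    blocked: bool
    advisory_ids: list
    message: str


def gate_install(package: str, version: str, force: bool = False,
                 advisories=SAMPLE_ADVISORIES) -> Decision:
    """Decide whether `package==version` may be installed."""
    name = normalize_name(package)
    hits = [a for a in advisories if a["package"] == name and affected(a, version)]
    ids = [a["id"] for a in hits]
    if not hits:
        return Decision(False, ids, f"{package}=={version}: no known advisories")
    links = ", ".join(f"{a['id']} ({a['url']})" for a in hits)
    if force:  # explicit override: install, but record the warning
        return Decision(False, ids, f"WARNING: installing {package}=={version} despite {links} (forced with -F)")
    return Decision(True, ids, f"The package {package}=={version} has a security advisory on it and has "
                               f"been blocked from installation. See {links}. To override, re-run with -F.")
```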
