Support for constraints file?

[chris-x86-64]

• safety version: 1.8.1 (latest at the moment)
• Python version: 3.6.2
• Operating System: Debian 8 (Docker container)

Description

This is a feature suggestion.
My project has a constraints file (i.e. constraints.txt) which pins the libraries' versions.
I was wondering if there's a plan to support constraints, e.g.

safety check -r requirements.txt -c constraints.txt

What I Did

In the meantime, I'm working it around by actually installing the requirements and then running safety with stdin mode:

pip install -r requirements.txt -c constraints.txt 
pip freeze | safety check --stdin

Nice project. Cheers!

[rafaelpivato]

This sounds indeed like a great idea. Good to know you did find a workaround! 🎉

[stevecj]

Installing the requirements is an awkward workaround when there are both development and production packages. Development dependencies are generally included in the frozen constraints.txt, even though they do not need to be checked.

Ideally, packages to scan would be determined by following the dependency tree from packages in requirements.txt, then versions of those would be determined from the frozen constraints file.

In order for the dependency tree to be deterministic, I think that either all of the packages in that tree need to be installed and match frozen versions in the constraints file (which is fine with me) or after each package is identified, its version is immediately resolved using the constraints (prior to trying to descend into that package's sub-dependencies).

[dylanpulver]

duplicate of #507