Description
What's the problem this feature will solve?
Pip-compile users may consider a package to be "unsafe" to pin for a variety of reasons: e.g. necessary security patches, bloated dependency chains, multiple providers of the same Python package, etc. Currently, there is no option to customize the requirements.txt comment indicating a package is unsafe. They all have the same header:
# The following packages are considered to be unsafe in a requirements file:
# opencv-python
From just this information, it's unclear why opencv-python is unsafe. Is there a security vulnerability? Or is it a different reason, as listed above?
Describe the solution you'd like
Ideally, each package can explain why it was excluded. As one example:
pip-compile --no-allow-unsafe \
--unsafe-package "opencv-python # has many providers such as opencv-python-headless, opencv-contrib-python, etc. so no need to force a more bloated option" \
--unsafe-package "another-package # with its reason for exclusion"
Alternative solutions
It would also make sense if an --exclude option were present instead, which generates the heading:
# The following packages are listed as dependencies, but explicitly excluded from this requirements file:
# package-a
Or something similar. I am filing this request under allow-unsafe instead of an additional --exclude flag, since #333 is marked as closed with the suggestion that people use this instead.
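As an added illustration of the proposed "package # reason" syntax (not pip-tools code, and not the issue author's), the snippet below parses such values and renders the per-package header. Splitting on the first " #" and PEP 503 name normalization are assumptions about how the flag could behave.

```python
# Added illustration of the proposed --unsafe-package "name # reason" syntax.
# Not pip-tools code: splitting on the first " #" (mirroring a requirements.txt
# inline comment) and PEP 503 name normalization are assumed behaviours.
import re
from typing import Optional

def canonicalize(name: str) -> str:
    """Normalize a project name as PEP 503 does (runs of -_. become -, lowercased)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_unsafe_package(value: str) -> tuple[str, Optional[str]]:
    """Split an --unsafe-package value into (canonical name, reason or None).

    A bare name keeps working unchanged; an empty reason after '#' is treated
    as no reason, so the rendered header never shows a dangling comment.
    """
    name, sep, reason = value.partition(" #")
    name = name.strip()
    if not name:
        raise ValueError(f"empty package name in {value!r}")
    reason = reason.strip() if sep else ""
    return canonicalize(name), reason or None

def render_unsafe_header(values: list[str]) -> str:
    """Render the requirements.txt trailer, one line per package, reason appended when given."""
    lines = ["# The following packages are considered to be unsafe in a requirements file:"]
    for value in values:
        name, reason = parse_unsafe_package(value)
        lines.append(f"# {name}" + (f"  # {reason}" if reason else ""))
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample input mirroring the command line proposed above.
    print(render_unsafe_header([
        "opencv-python # has many providers such as opencv-python-headless",
        "another-package",
    ]))
```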