Issue: pipenv check fails due to NumPy


#1

As part of my automated build, I run pipenv check to check for security vulnerabilities.

It has recently started raising errors due to NumPy, which isn’t a dependency that I’ve installed.

$ pipenv check
Creating a Pipfile for this project…
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
36810: numpy <=1.16.0 resolved (1.15.4 installed)!
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.

See https://travis-ci.com/craiga/travis-numpy-test and https://github.com/craiga/travis-numpy-test for more info.


#2

What does pipenv check? If it is checking all the installed packages, then it makes sense, as NumPy is pre-installed.


#3

I’m not 100% sure, but I think Pipenv normally checks what’s installed in the Python virtual environment it’s managing under the hood. But because Travis runs Python code in a virtual environment, Pipenv is using that virtual environment, which has NumPy installed.


#4

Answering this made me remember that there’s an environment variable you can set to work around this issue.

PIPENV_IGNORE_VIRTUALENVS=1

This will stop Pipenv from re-using Travis’ virtual environment.


#5

That will of course not work when you want Travis to define the virtualenv for you, making it easy to test with all Python versions that Travis supports out of the box.

Another fix is to instruct pipenv to ignore this specific vulnerability: pipenv check --ignore 36810

The best fix is of course that Travis updates the NumPy provided in the image to a non-vulnerable version.
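The thread's underlying point, from #2 and #3, is that pipenv check scans every package installed in the environment it ends up using, not just the packages declared in Pipfile.lock, so a finding can name a package the project never asked for. The script below is an added example for this thread, not code from pipenv, safety, Travis, or any of the posters. It parses finding lines in the format quoted in post #1, reads the "default" and "develop" tables of a Pipfile.lock (pipenv's standard lockfile layout), and splits the findings into ones about declared dependencies and ones inherited from the surrounding environment, so that an automated build can tell which category it is looking at before anyone reaches for --ignore. The pipenv output and lockfile embedded below are constructed sample data; the advisory ID 12345 and its description line are made up for the example.

```python
"""Classify `pipenv check` findings by whether the flagged package is one the
project actually declares in Pipfile.lock.

Added example for this thread; not code from pipenv, safety, or the posters.
The finding-line format is taken from the output quoted in post #1.  The
Pipfile.lock layout ("default"/"develop" tables keyed by package name) is
pipenv's standard lockfile format.  All sample data below is constructed.
"""
import json
import re

# One finding line, as printed by `pipenv check` in post #1:
#   36810: numpy <=1.16.0 resolved (1.15.4 installed)!
FINDING_RE = re.compile(
    r"^(?P<id>\d+):\s+(?P<name>\S+)\s+(?P<spec>.+?)\s+resolved\s+"
    r"\((?P<installed>[^ ]+)\s+installed\)!$"
)

# Constructed sample output.  The numpy lines are the ones quoted in post #1;
# the requests advisory (ID 12345) is invented for the example.
SAMPLE_CHECK_OUTPUT = """\
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
36810: numpy <=1.16.0 resolved (1.15.4 installed)!
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
12345: requests <2.20.0 resolved (2.19.1 installed)!
Constructed sample advisory text for a package the project does declare.
"""

# Constructed Pipfile.lock: the project declares requests and pytest, not numpy.
SAMPLE_PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "constructed"}},
    "default": {"requests": {"version": "==2.19.1"}},
    "develop": {"pytest": {"version": "==4.0.0"}},
})


def normalize(name):
    """PEP 503 name normalization: case-insensitive, '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_findings(output):
    """Return a list of dicts, one per finding line, with the free-text
    description lines that follow each finding attached to it."""
    findings = []
    for line in output.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append({
                "id": m["id"],
                "name": normalize(m["name"]),
                "spec": m["spec"],
                "installed": m["installed"],
                "description": "",
            })
        elif findings and line.strip() and not line.startswith("Checking") and line != "Passed!":
            # Non-finding lines after a finding are its description text.
            findings[-1]["description"] += line.strip()
    return findings


def locked_packages(lock_text):
    """Set of normalized package names declared in a Pipfile.lock."""
    lock = json.loads(lock_text)
    names = set()
    for section in ("default", "develop"):
        names.update(normalize(n) for n in lock.get(section, {}))
    return names


def classify(findings, locked):
    """Split findings into (declared, inherited): declared packages come from
    Pipfile.lock, inherited ones were already present in the environment
    pipenv reused, e.g. a CI image's pre-installed NumPy."""
    declared = [f for f in findings if f["name"] in locked]
    inherited = [f for f in findings if f["name"] not in locked]
    return declared, inherited


def ignore_args(findings):
    """Build the `--ignore ID` arguments pipenv check accepts for the given
    findings.  Only use this for inherited findings, and prefer not reusing
    the foreign virtualenv at all (PIPENV_IGNORE_VIRTUALENVS=1) where the
    build allows it: an ignored ID stays ignored even if the package later
    becomes a real dependency."""
    args = []
    for f in findings:
        args += ["--ignore", f["id"]]
    return args


if __name__ == "__main__":
    found = parse_findings(SAMPLE_CHECK_OUTPUT)
    declared, inherited = classify(found, locked_packages(SAMPLE_PIPFILE_LOCK))
    for f in declared:
        print(f"DECLARED  {f['id']}: {f['name']} {f['installed']} matches {f['spec']}")
    for f in inherited:
        print(f"INHERITED {f['id']}: {f['name']} {f['installed']} (not in Pipfile.lock)")
    print("suggested:", " ".join(ignore_args(inherited)))
```

A finding in the "declared" bucket is the project's problem and should fail the build; a finding in the "inherited" bucket means pipenv is scanning an environment the build did not construct, which is the situation in this thread. Treat the --ignore output as a stopgap: it silences one advisory ID, not the package, so a later NumPy advisory would still fire and a later real NumPy dependency would inherit the suppression.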