As part of my automated build, I run
pipenv check to check for security vulnerabilities.
It has recently started raising errors due to NumPy, which isn’t a dependency that I’ve installed.
$ pipenv check
Creating a Pipfile for this project…
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
36810: numpy <=1.16.0 resolved (1.15.4 installed)!
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.