
feat: add support for environment variable PIP_AUDIT_IGNORE_VULN to override the command-line option of the same name #951

Draft
jenstroeger wants to merge 1 commit into pypa:main from jenstroeger:add-env-variable-for-ignore-vuln

Conversation

@jenstroeger

Closes #948

Leaving this as a draft for now: I’ll need to add tests and documentation, but this one-liner might suffice? The value for the new environment variable would be a space-separated list of vulnerabilities.

I’m a bit torn about the name: the command-line argument can be repeated so --ignore-vuln (singular) makes sense. In contrast, the environment variable takes one or more IDs so it should be PIP_AUDIT_IGNORE_VULNS — but that would conflict with the command-line arg’s name. Thoughts?

@woodruffw
Member

In contrast, the environment variable takes one or more IDs so it should be PIP_AUDIT_IGNORE_VULNS — but that would conflict with the command-line arg’s name. Thoughts?

I'm okay with plural -- we don't need perfect correspondence with the flag when doing so would be confusing to users (like here with plurals) 🙂

@woodruffw
Member

One thing that's worth checking here is to see how the environment behaves when the user also passes options as flags: I would expect the flags to take precedence (and for the environment to be ignored), but we should confirm that argparse does that instead of something weird in append mode.

@jenstroeger force-pushed the add-env-variable-for-ignore-vuln branch from f1d0603 to 33c2634 on October 4, 2025 05:20
@jenstroeger
Author

jenstroeger commented Oct 4, 2025

I updated the PR.

One thing that's worth checking here is to see how the environment behaves when the user also passes options as flags: I would expect the flags to take precedence (and for the environment to be ignored), but we should confirm that argparse does that instead of something weird in append mode.

Alas, that’s not how append behaves: the command line args are appended to the default list provided by the environment variable (docs). If that’s ok then I think it ought to be documented properly, or else if we want to change that behavior then we’d add a custom Action to change append’s default behavior or expand the code itself a bit after the args have been parsed. What’s your desired command-line args behavior here?

…o override the command-line option of the same name
@gcomneno

I’ve opened #1007 implementing the precedence behavior discussed here.

It keeps the change small and focused: --ignore-vuln takes precedence over PIP_AUDIT_IGNORE_VULNS, and the environment variable is only used when the flag isn’t provided.

Happy to adjust if a different precedence is preferred 🙂
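The two behaviours discussed in this thread side by side, as an added example that is not code from this PR or from pip-audit itself: the one-liner approach of feeding the environment list to an `action="append"` option as its default (argparse merges flag values into that default), beside the post-parse precedence rule described for #1007 (flags win, environment only as fallback). The environment variable name follows the plural spelling agreed above; the vulnerability IDs are constructed placeholders.

```python
import argparse
import os
import sys
from typing import Dict, List, Sequence

# Plural spelling chosen in the discussion; assumed here, not yet in pip-audit.
ENV_NAME = "PIP_AUDIT_IGNORE_VULNS"


def _env_ids(env: Dict[str, str]) -> List[str]:
    """Parse the space-separated ID list from the environment (empty list if unset)."""
    return env.get(ENV_NAME, "").split()


def parse_naive(argv: Sequence[str], env: Dict[str, str]) -> List[str]:
    """The one-liner: environment IDs become the default of an append action.
    argparse appends every --ignore-vuln value to that default list, so the
    flag does NOT override the environment; both sets end up ignored."""
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "--ignore-vuln", dest="ignore_vulns", action="append", default=_env_ids(env)
    )
    return parser.parse_args(argv).ignore_vulns


def parse_with_precedence(argv: Sequence[str], env: Dict[str, str]) -> List[str]:
    """Post-parse fix: keep argparse's default at None so the parser records
    only what was typed, then fall back to the environment when no flag
    was given. A flag therefore replaces, rather than extends, the env list."""
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "--ignore-vuln", dest="ignore_vulns", action="append", default=None
    )
    args = parser.parse_args(argv)
    if args.ignore_vulns is not None:
        return args.ignore_vulns
    return _env_ids(env)


if __name__ == "__main__":
    # Try e.g.: PIP_AUDIT_IGNORE_VULNS="ID-1 ID-2" python example.py --ignore-vuln ID-3
    print("append default :", parse_naive(sys.argv[1:], dict(os.environ)))
    print("flag precedence:", parse_with_precedence(sys.argv[1:], dict(os.environ)))
```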


Development

Successfully merging this pull request may close these issues.

Feature: new environment variable PIP_AUDIT_IGNORE_VULN
