Context
From Vincent's review on PR #13 — the current supply_chain_npm_install_global rule covers JS package managers (npm, pnpm, yarn, bun, deno, cnpm). Vincent asks: should we also cover pip install and other ecosystems?
What to catch
- pip install outside a virtual environment (effectively a global install)
- pip install --user (user-level install, broader than project-scoped)
- gem install (Ruby)
- cargo install (Rust)
- go install (Go)
Considerations
- Python's pip doesn't have a -g flag — it installs to the active environment by default. Detection would need a different pattern (checking for venv activation, --target, etc.).
- Each ecosystem has different conventions. May need separate rules per ecosystem.
- Start with pip since it's the most commonly used after JS package managers.
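As an added illustration of the pip-first approach (example code written for this issue, not the project's existing rule implementation), the classifier below treats pip the way the considerations describe: there is no -g flag, so a pip install is flagged when no virtual environment is active (detected via the VIRTUAL_ENV / CONDA_PREFIX variables, an assumed heuristic) or when --user is passed, and it is left alone when an explicit --target / --prefix / --root scopes the install. It also flags the other ecosystems listed above. The rule ids are hypothetical names modelled on supply_chain_npm_install_global, and the sample command lines are constructed.

```python
"""Classify package-manager command lines that install outside a project scope.

Added example for this issue; not the project's own rule code. Rule ids and the
venv-detection heuristic (VIRTUAL_ENV / CONDA_PREFIX) are assumptions.
"""
import shlex
from typing import Optional, Tuple

# Hypothetical rule ids, modelled on the existing supply_chain_npm_install_global.
PIP_RULE = "supply_chain_pip_install_global"
GEM_RULE = "supply_chain_gem_install_global"
CARGO_RULE = "supply_chain_cargo_install_global"
GO_RULE = "supply_chain_go_install_global"

# pip flags that redirect the install to a directory instead of the active environment.
PIP_SCOPED_FLAGS = ("--target", "-t", "--prefix", "--root")


def _basename(arg: str) -> str:
    """Strip any leading path so '/usr/bin/pip3' and 'pip3' compare equal."""
    return arg.rsplit("/", 1)[-1]


def _pip_install_args(argv):
    """Return the arguments after 'install' for pip, pip3 or 'python -m pip'; else None."""
    if not argv:
        return None
    head = _basename(argv[0])
    if head in ("pip", "pip3") and argv[1:2] == ["install"]:
        return argv[2:]
    if head.startswith("python") and argv[1:3] == ["-m", "pip"] and argv[3:4] == ["install"]:
        return argv[4:]
    return None


def classify_install(cmdline: str, env: dict) -> Optional[Tuple[str, str]]:
    """Return (rule_id, reason) when cmdline installs outside a project scope, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: not a command we can reason about

    pip_args = _pip_install_args(argv)
    if pip_args is not None:
        if "--user" in pip_args:
            return (PIP_RULE, "pip install --user targets the user site, not the project")
        # An explicit directory target is project-scoped, regardless of venv state.
        if any(a == f or a.startswith(f + "=") for a in pip_args for f in PIP_SCOPED_FLAGS):
            return None
        # No -g flag exists: "global" means no virtual environment is active.
        if not env.get("VIRTUAL_ENV") and not env.get("CONDA_PREFIX"):
            return (PIP_RULE, "pip install with no active virtual environment installs globally")
        return None

    head = _basename(argv[0]) if argv else ""
    sub = argv[1] if len(argv) > 1 else ""
    if head == "gem" and sub == "install":
        return (GEM_RULE, "gem install writes to the system or user gem home")
    if head == "cargo" and sub == "install":
        return (CARGO_RULE, "cargo install places binaries in ~/.cargo/bin")
    if head == "go" and sub == "install":
        return (GO_RULE, "go install places binaries in GOPATH/bin")
    return None


def scan(cmdlines, env: dict):
    """Run classify_install over many command lines; return the flagged ones."""
    findings = []
    for line in cmdlines:
        hit = classify_install(line, env)
        if hit:
            findings.append((line, hit[0], hit[1]))
    return findings


# Constructed sample command lines for a quick self-check.
SAMPLE_COMMANDS = [
    "pip install requests",
    "pip install --user requests",
    "python3 -m pip install --target vendor requests",
    "gem install rails",
    "cargo install ripgrep",
    "go install golang.org/x/tools/gopls@latest",
    "npm install express",
]

if __name__ == "__main__":
    for line, rule, reason in scan(SAMPLE_COMMANDS, env={}):
        print(f"{rule}: {line!r}: {reason}")
```

Running the block with an empty environment flags everything except the --target install and the npm line (which belongs to the existing JS rule); passing env={"VIRTUAL_ENV": "/path/to/venv"} clears the plain pip install while --user stays flagged.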
Origin
PR #13 review comment by @gewenyu99