Addressing integration issue with Socket Firewall Free #10815
Issue Kind: Other
Description
Given recent supply chain attacks, it seems to be critical for Poetry users to be able to plug in threat mitigation tools.
Socket Firewall is freely available to the community as a simple wrapper around package managers. For npm, it's as simple as sfw npm install some_dangerous_package.
It works with bare pip and uv but not with Poetry, as explained here.
Quoting from the footnotes:
Poetry has issues utilizing a proxy for package management requests. Poetry is not supported at this time.
Given how serious these supply chain attacks are, I wanted to issue this feature request, hoping to get community attention / support for this.
Are there any known alternatives currently working with poetry?
Impact
Be able to have supply chain mitigation tools around dependencies managed with Poetry; pip and uv are now supported by sfw.
Workarounds
Not to my knowledge.