Changes from 2 commits
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
@@ -114,7 +114,7 @@ jobs:
id: setup-python
with:
python-version: ${{ matrix.py-version.semantic }}
- name: Run pip-audit
- name: Run uv audit
run: |
pip install tox-uv
tox -e audit-${{ matrix.py-version.tox }}
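Review bot: the rename at `- name: Run uv audit` is the only change in this hunk; the step still bootstraps with an unpinned `pip install tox-uv`, so the uv version that actually executes `uv audit` (tox-uv depends on the `uv` package) floats with whatever PyPI serves that day, while pyproject.toml pins `uv>=0.11.3`. Given the thread's own concern that uv audit's flags and output are still moving, pin the bootstrap here to a known tox-uv/uv version, or install uv through the pinned dev extra, so the CLI exercised in CI is the one contributors run locally.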
2 changes: 1 addition & 1 deletion .github/workflows/regular.yml
@@ -104,7 +104,7 @@ jobs:
id: setup-python
with:
python-version: ${{ matrix.py-version.semantic }}
- name: Run pip-audit
- name: Run uv audit
run: |
pip install tox-uv
tox -e audit-${{ matrix.py-version.tox }}
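Review bot: this step is now a byte-for-byte copy of the ci.yml audit step (same one-word rename, same unpinned `pip install tox-uv`, same `tox -e audit-...` call), so the two workflows will drift the first time one of them is edited without the other. Consider moving the audit step into a shared composite action or reusable workflow so a change like this PR's lands in both places at once.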
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
@@ -117,7 +117,7 @@ If you have questions or problems, simply ask for advice.
| [pytest](https://docs.pytest.org/) | testing |
| [pytest-cov](https://pytest-cov.readthedocs.io/) | measuring test coverage |
| [sphinx](https://www.sphinx-doc.org/) | generating our documentation |
| [pip-audit](https://github.com/pypa/pip-audit) | detecting vulnerabilities in dependencies |
| [uv audit](https://docs.astral.sh/uv/reference/cli/#uv-audit) | detecting vulnerabilities in dependencies |
| [tox](https://tox.wiki/) | orchestrating all the above |

Executing a specific one of these tools is easiest by using the corresponding
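Review bot: the table row now points at `uv audit`, but nothing in the document tells a contributor that the tool has to be available outside the tox environment for the 3.14 audit (the `audit-py314` env in tox.ini no longer declares a `deps` entry), whereas pip-audit used to be installed by tox itself. One sentence next to this table, or in the tox section that follows it, saying that `uv` is expected on PATH (it is pulled in together with `tox-uv`) would prevent the first confused failure report.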
3 changes: 1 addition & 2 deletions pyproject.toml
Comment thread
AdrianSosic marked this conversation as resolved.
Collaborator Author:
@Scienfitz: I've had a quick look but it seems there is no straightforward way to implement your idea of auditing only primary dependencies. However, the uv audit functionality is quite new and it might exist in the future – we could even open an issue for it, what do you think?

In any case, it means there is no immediate solution for the problem at hand. So how do we want to handle secondary deps vulnerabilities for now? Manual excludes?

Collaborator:
I was thinking of it as separate bash logic in the action, not as configuration of uv; would be surprised if that's not possible, did you try? Just need to grep the error lines and compare them with dependency names in toml and ignore if not there.

Collaborator Author:
Sure, we (or claude) could hack something together, but I'm not sure if this is gonna be very robust, given that the entire audit functionality and probably also its output format isn't stable. So I'm not sure if it's really worth the (maintenance) effort or if we should rather go the official route? Regardless of the decision, let me open an issue 👍🏼

Collaborator Author:
What I can see is that they at least have this on their agenda, which would facilitate implementing your approach:
[image]

Collaborator:
If you assess that the tool is evolving too quickly then let's not hack something.

but what do we do in the meantime with the amount of errors?

Collaborator Author:
Ok, I've now opened the issue + tried the custom script. As soon as either the feature gets implemented on uv side or their JSON output work item is completed, we can adjust once again. But for now, it seems to do the job – let's hope it's somewhat stable 🤞🏼 Let me know if I can resolve

Collaborator:
Hmmmm, I would have preferred if this only affects the action and not the entire tox command, i.e. it's a second step after the uv-audit that does the additional check in bash; any reason it was added as a separate python tool?

Collaborator:
I thought a bit about this as well and also have to say that I am not entirely happy with a hacked script that is hard to understand and highly depends on the output format (e.g. the regex) of a tool rapidly evolving. I however also see the advantages of the test only failing for primary dependencies. I think I would prefer to have this as a two step approach: First just replace pip-audit by uv audit and then think about the best way to only fail on primary dependencies - in particular since Adrian already started the discussion on uv side, this might be redundant very soon, so I would at least wait for whatever comes out of that discussion, but this should not block this PR whose original goal was to replace the tool - NOT to change what we are auditing.

@@ -56,7 +56,7 @@ Issues = "https://github.com/emdgroup/baybe/issues/"

# AUDIT NOTE: The marked packages are secondary dependencies but their versions are
# set explicitly because the otherwise installed default versions have been flagged
# for vulnerabilities by pip-audit
# for vulnerabilities by uv audit

[project.optional-dependencies]
extras = [
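Review bot: swapping `pip-audit` for `uv audit` in the AUDIT NOTE rewrites the history of the pins it describes: those secondary-dependency versions were set because pip-audit flagged the defaults, and the two tools do not necessarily consult the same advisory sources or look at the same set of packages. Before attributing the pins to uv audit, re-run the new tool with the pins removed and confirm each one is still needed; while at it, record the advisory identifier next to each marked package so the next reviewer can tell when a pin can be dropped.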
@@ -93,7 +93,6 @@ dev = [
"baybe[mypy]",
"baybe[test]",
"baybe[benchmarking]",
"pip-audit>=2.5.5",
"setuptools-scm>=7.1.0",
"tox-uv>=1.7.0",
"uv>=0.11.3",
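Review bot: dropping `"pip-audit>=2.5.5"` leaves `"uv>=0.11.3"` as the only entry in the dev extra that provides the audit command, and tox.ini now relies on the `--ignore` and `--ignore-until-fixed` flags of a subcommand the thread itself describes as quite new. Confirm that 0.11.3 is really the first uv release that ships `uv audit` with both flags and raise the lower bound if it is not; otherwise a contributor whose uv satisfies the constraint but predates the flag gets a failing audit env for reasons that have nothing to do with vulnerabilities.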
19 changes: 9 additions & 10 deletions tox.ini
@@ -66,25 +66,24 @@ commands =
mypy

[testenv:audit,audit-py{310,311,312,313}]
description = Run pip-audit
extras = dev # audit entire environment
description = Run uv audit
extras = dev # audit entire environment
setenv =
# Add pip-audit exceptions here, like:
# EXCLUDES=--ignore-vuln EXCEPTION_ID1 --ignore-vuln EXCEPTION_ID2 ...
# Add uv audit exceptions here using --ignore/--ignore-until-fixed, like:
# EXCLUDES=--ignore EXCEPTION_ID1 --ignore-until-fixed EXCEPTION_ID2 ...
commands =
python --version
pip-audit {env:EXCLUDES:}
uv audit {env:EXCLUDES:}

# This is separated from the other audit block because in 3.14 only core deps are tested
[testenv:audit-py314]
description = Run pip-audit
deps = pip-audit
description = Run uv audit
setenv =
# Add pip-audit exceptions here, like:
# EXCLUDES=--ignore-vuln EXCEPTION_ID1 --ignore-vuln EXCEPTION_ID2 ...
# Add uv audit exceptions here using --ignore/--ignore-until-fixed, like:
# EXCLUDES=--ignore EXCEPTION_ID1 --ignore-until-fixed EXCEPTION_ID2 ...
commands =
python --version
pip-audit {env:EXCLUDES:}
uv audit {env:EXCLUDES:}

[testenv:docs-py310]
description = Build documentation, passing posargs to control what should be built
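Review bot: `[testenv:audit-py314]` drops `deps = pip-audit` without adding a replacement, so `uv audit` in that env has to come from a `uv` binary reachable on PATH from outside the testenv (the one tox-uv brings along), unlike `audit-py{310,311,312,313}` where `extras = dev` installs `uv>=0.11.3` into the environment itself; either add a `deps = uv` line here or leave a comment saying the outer uv is used on purpose. Also check whether `extras = dev # audit entire environment` and the "in 3.14 only core deps are tested" comment still describe what happens: pip-audit audited the packages installed in the environment, and if `uv audit` instead resolves the project's declared dependencies, the set being audited in both envs may no longer be what those comments claim.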