Commit 5078b93
Replace pipenv check with pip-audit
Why these changes are being introduced:
As of pipenv 2025.0.1 the use of `pipenv check` would throw
an error, indicating that the library `safety` was not installed.
It worked to run `pipenv check --auto-install` which would
temporarily install `safety`, but this was not ideal for multiple
reasons.
First, we anticipate potentially moving away from `pipenv`.
Second, it appears that `safety` is moving to a pay / subscription
model.
Third, it remains a little obfuscated what `pipenv check` is actually
doing.
As this new situation affects all builds in GitHub Actions CI,
we need a way to scan for vulnerabilities that ideally is not
a massive overhaul of our vulnerability scanning approach.
How this addresses that need:
`pip-audit` is a nice standalone, open-source library that
performs very similar work to `safety`.
This commit replaces `pipenv check` (which was `safety` under
the hood) with `pip-audit`.
Side effects of this change:
* Builds will be successful in GitHub Actions
Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-12401
parent 1cac28b
5 files changed
Lines changed: 923 additions & 683 deletions
[Diff not captured by extraction: the rendered hunks carry line numbers only, with no file names and no changed lines. Four hunks are visible: lines 162-163 added (2 additions); lines 25-27 replaced (3 deletions, 3 additions); line 47 replaced (1 deletion, 1 addition); lines 27-28 added (2 additions).]
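The commit swaps `pipenv check` for `pip-audit` but the rendered diff does not show how the new step is wired into CI. The following is an added example, not code from this commit, from MIT Libraries, or from pip-audit itself, of the gate a practitioner would put around that step: run pip-audit with JSON output, flatten the findings, and fail the build unless every finding is covered by an allowlist entry that names an expiry date, so accepted risks get re-reviewed instead of silently living on (pip-audit's own `--ignore-vuln` has no expiry, which is the reason for the extra layer). Assumptions: pip-audit is invoked as `pip-audit -f json --progress-spinner off` (inside a pipenv project, via `pipenv run pip-audit`); the report shape `{"dependencies": [{"name", "version", "vulns": [{"id", "aliases", "fix_versions", "description"}]}]}` with skipped packages carrying a `skip_reason` is taken from pip-audit's JSON format as understood here; the allowlist convention and the sample advisory IDs are constructed for this example and are not real advisories.

```python
"""Fail a CI build on pip-audit findings, with a reviewed, expiring allowlist.

Added example; not code from the commit above or from pip-audit. Assumes
pip-audit is run as `pip-audit -f json --progress-spinner off` and that its
report looks like {"dependencies": [{"name", "version", "vulns": [...]}]}.
"""
import json
import subprocess
import sys
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: list = field(default_factory=list)
    fix_versions: list = field(default_factory=list)

    def ids(self):
        """All identifiers an allowlist entry may use for this finding."""
        return {self.vuln_id, *self.aliases}


# Constructed sample report in the assumed pip-audit JSON shape.
# The advisory IDs are placeholders, not real advisories.
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "requests", "version": "2.32.3", "vulns": []},
        {"name": "pkg-a", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-EXAMPLE-1", "aliases": ["CVE-0000-00001"],
             "fix_versions": ["1.0.1"], "description": "constructed"}]},
        {"name": "pkg-b", "version": "2.0.0", "vulns": [
            {"id": "GHSA-0000-0000-0002", "aliases": [],
             "fix_versions": [], "description": "constructed"}]},
        {"name": "local-pkg", "skip_reason": "not on PyPI"},
    ],
    "fixes": [],
}

# Example convention: accepted findings map an ID (or alias) to an ISO expiry
# date; after that date the finding blocks the build again.
SAMPLE_ALLOWLIST = {"CVE-0000-00001": "2025-12-31"}


def run_pip_audit(extra_args=()):
    """Run pip-audit and return its parsed JSON report (needs network access).
    pip-audit exits non-zero when it finds vulnerabilities, so check=False."""
    cmd = ["pip-audit", "-f", "json", "--progress-spinner", "off", *extra_args]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError(f"pip-audit produced no report: {proc.stderr}")
    return json.loads(proc.stdout)


def collect_findings(report):
    """Flatten the report into Finding objects; also return skipped packages,
    which were never audited and deserve a warning rather than silence."""
    findings, skipped = [], []
    for dep in report.get("dependencies", []):
        if "skip_reason" in dep:
            skipped.append((dep["name"], dep["skip_reason"]))
            continue
        for v in dep.get("vulns", []):
            findings.append(Finding(dep["name"], dep["version"], v["id"],
                                    list(v.get("aliases", [])),
                                    list(v.get("fix_versions", []))))
    return findings, skipped


def unaccepted(findings, allowlist, today_iso):
    """Findings not covered by an unexpired allowlist entry (by ID or alias)."""
    today = date.fromisoformat(today_iso)
    blocking = []
    for f in findings:
        expiries = [date.fromisoformat(allowlist[i]) for i in f.ids() if i in allowlist]
        if not expiries or max(expiries) < today:
            blocking.append(f)
    return blocking


def main(argv):
    report = SAMPLE_REPORT if "--sample" in argv else run_pip_audit()
    findings, skipped = collect_findings(report)
    for name, why in skipped:
        print(f"WARNING: {name} skipped, not audited: {why}")
    blocking = unaccepted(findings, SAMPLE_ALLOWLIST, date.today().isoformat())
    for f in blocking:
        fix = ", ".join(f.fix_versions) or "no fix released"
        print(f"{f.package}=={f.version}: {f.vuln_id} (fix: {fix})")
    print(f"{len(findings)} finding(s), {len(blocking)} blocking")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--sample` to exercise the constructed report offline; in CI, run it without arguments after `pipenv install --dev pip-audit` (or whatever install step the project uses) so the non-zero exit fails the job. Matching on aliases matters because the same issue may be reported under a PYSEC, GHSA or CVE identifier depending on the advisory source pip-audit consults.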