From 3d2554586a9c41989318bd02817e6842d4c55046 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 22 Oct 2024 14:18:22 -0400 Subject: [PATCH 1/6] drop 3.8, add 3.13 Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 2 +- .github/workflows/lint.yml | 4 ++-- pyproject.toml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1282b3eb..bfb98ddc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,11 +13,11 @@ jobs: strategy: matrix: python: - - "3.8" - "3.9" - "3.10" - "3.11" - "3.12" + - "3.13" runs-on: ubuntu-latest steps: - uses: actions/checkout@v4.2.1 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 16ed1b8a..606e8f9a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/setup-python@v5 with: - python-version: "3.8" + python-version: "3.9" cache: "pip" cache-dependency-path: pyproject.toml @@ -31,7 +31,7 @@ jobs: # in this check, since Python can change the `--help` rendering in # `argparse` between major versions. with: - python-version: "3.8" + python-version: "3.9" cache: "pip" cache-dependency-path: pyproject.toml diff --git a/pyproject.toml b/pyproject.toml index f58fd676..9d582e03 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -19,11 +19,11 @@ classifiers = [ "License :: OSI Approved :: Apache Software License", "Programming Language :: Python :: 3 :: Only", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", + "Programming Language :: Python :: 3.13", "Topic :: Security", ] dependencies = [ @@ -36,9 +36,9 @@ dependencies = [ "requests >= 2.31.0", "rich>=12.4", "toml>=0.10", - "platformdirs>=4.2.0" + "platformdirs>=4.2.0", ] -requires-python = ">=3.8" +requires-python = ">=3.9" [project.optional-dependencies] test = [ From 9fbd4213d278db7b95e895ed27571c02d2d0c366 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 22 Oct 2024 14:19:06 -0400 Subject: [PATCH 2/6] MSPV Signed-off-by: William Woodruff --- CONTRIBUTING.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 89be92bd..7ccbc291 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -8,7 +8,7 @@ as well as performing common development tasks. ## Requirements -`pip-audit`'s only development environment requirement *should* be Python 3.8 +`pip-audit`'s only development environment requirement *should* be Python 3.9 or newer. Development and testing is actively performed on macOS and Linux, but Windows and other supported platforms that are supported by Python should also work. diff --git a/README.md b/README.md index ba1bd68c..06f85903 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ with support from Google. This is not an official Google or Trail of Bits produc ## Installation -`pip-audit` requires Python 3.8 or newer, and can be installed directly via `pip`: +`pip-audit` requires Python 3.9 or newer, and can be installed directly via `pip`: ```bash python -m pip install pip-audit From 7e64b122eefdca850104af9ca32877f37bc375d7 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 22 Oct 2024 14:20:20 -0400 Subject: [PATCH 3/6] `make reformat` Signed-off-by: William Woodruff --- pip_audit/_audit.py | 2 +- pip_audit/_cli.py | 3 ++- pip_audit/_dependency_source/interface.py | 2 +- pip_audit/_dependency_source/pip.py | 2 +- pip_audit/_dependency_source/pyproject.py | 9 +++++---- pip_audit/_dependency_source/requirement.py | 3 ++- pip_audit/_fix.py | 3 ++- pip_audit/_format/columns.py | 3 ++- pip_audit/_service/interface.py | 3 ++- pip_audit/_state.py | 3 ++- pip_audit/_subprocess.py | 2 +- pip_audit/_virtual_env.py | 2 +- 12 files changed, 22 insertions(+), 15 deletions(-) diff --git a/pip_audit/_audit.py b/pip_audit/_audit.py index d977dbe2..b13cf91c 100644 --- a/pip_audit/_audit.py +++ b/pip_audit/_audit.py @@ -5,8 +5,8 @@ from __future__ import annotations import logging +from collections.abc import Iterator from dataclasses import dataclass -from typing import Iterator from pip_audit._dependency_source import DependencySource from pip_audit._service import Dependency, VulnerabilityResult, VulnerabilityService diff --git a/pip_audit/_cli.py b/pip_audit/_cli.py index 85cc02c9..c6bc7b91 100644 --- a/pip_audit/_cli.py +++ b/pip_audit/_cli.py @@ -9,9 +9,10 @@ import logging import os import sys +from collections.abc import Iterator from contextlib import ExitStack, contextmanager from pathlib import Path -from typing import IO, Iterator, NoReturn, cast +from typing import IO, NoReturn, cast from pip_audit import __version__ from pip_audit._audit import AuditOptions, Auditor diff --git a/pip_audit/_dependency_source/interface.py b/pip_audit/_dependency_source/interface.py index 74e1794d..9f07739a 100644 --- a/pip_audit/_dependency_source/interface.py +++ b/pip_audit/_dependency_source/interface.py @@ -6,7 +6,7 @@ from __future__ import annotations from abc import ABC, abstractmethod -from typing import Iterator +from collections.abc import Iterator from pip_audit._fix import ResolvedFixVersion from pip_audit._service import Dependency diff --git a/pip_audit/_dependency_source/pip.py b/pip_audit/_dependency_source/pip.py index 52667547..4404732f 100644 --- a/pip_audit/_dependency_source/pip.py +++ b/pip_audit/_dependency_source/pip.py @@ -7,8 +7,8 @@ import os import subprocess import sys +from collections.abc import Iterator, Sequence from pathlib import Path -from typing import Iterator, Sequence import pip_api from packaging.version import InvalidVersion, Version diff --git a/pip_audit/_dependency_source/pyproject.py b/pip_audit/_dependency_source/pyproject.py index 30d2767c..a3e7313f 100644 --- a/pip_audit/_dependency_source/pyproject.py +++ b/pip_audit/_dependency_source/pyproject.py @@ -6,9 +6,9 @@ import logging import os +from collections.abc import Iterator from pathlib import Path from tempfile import NamedTemporaryFile, TemporaryDirectory -from typing import Iterator import toml from packaging.requirements import Requirement @@ -81,9 +81,10 @@ def collect(self) -> Iterator[Dependency]: # dependency resolution now, we can think about doing `pip install ` # regardless of whether the project has a `pyproject.toml` or not. And if it doesn't # have a `pyproject.toml`, we can raise an error if the user provides `--fix`. - with TemporaryDirectory() as ve_dir, NamedTemporaryFile( - dir=ve_dir, delete=False - ) as req_file: + with ( + TemporaryDirectory() as ve_dir, + NamedTemporaryFile(dir=ve_dir, delete=False) as req_file, + ): # We use delete=False in creating the tempfile to allow it to be # closed and opened multiple times within the context scope on # windows, see GitHub issue #646. diff --git a/pip_audit/_dependency_source/requirement.py b/pip_audit/_dependency_source/requirement.py index b19f3047..96d3f4b5 100644 --- a/pip_audit/_dependency_source/requirement.py +++ b/pip_audit/_dependency_source/requirement.py @@ -7,10 +7,11 @@ import logging import re import shutil +from collections.abc import Iterator from contextlib import ExitStack from pathlib import Path from tempfile import NamedTemporaryFile, TemporaryDirectory -from typing import IO, Iterator +from typing import IO from packaging.specifiers import SpecifierSet from packaging.utils import canonicalize_name diff --git a/pip_audit/_fix.py b/pip_audit/_fix.py index 488764c9..3ae19ed5 100644 --- a/pip_audit/_fix.py +++ b/pip_audit/_fix.py @@ -5,8 +5,9 @@ from __future__ import annotations import logging +from collections.abc import Iterator from dataclasses import dataclass -from typing import Any, Iterator, cast +from typing import Any, cast from packaging.version import Version diff --git a/pip_audit/_format/columns.py b/pip_audit/_format/columns.py index 988fc35d..262a2f08 100644 --- a/pip_audit/_format/columns.py +++ b/pip_audit/_format/columns.py @@ -4,8 +4,9 @@ from __future__ import annotations +from collections.abc import Iterable from itertools import zip_longest -from typing import Any, Iterable, cast +from typing import Any, cast from packaging.version import Version diff --git a/pip_audit/_service/interface.py b/pip_audit/_service/interface.py index 6aefcd07..b02942ce 100644 --- a/pip_audit/_service/interface.py +++ b/pip_audit/_service/interface.py @@ -6,9 +6,10 @@ from __future__ import annotations from abc import ABC, abstractmethod +from collections.abc import Iterator from dataclasses import dataclass, replace from datetime import datetime -from typing import Any, Iterator, NewType +from typing import Any, NewType from packaging.utils import canonicalize_name from packaging.version import Version diff --git a/pip_audit/_state.py b/pip_audit/_state.py index 1f7f2938..abd5ae81 100644 --- a/pip_audit/_state.py +++ b/pip_audit/_state.py @@ -7,8 +7,9 @@ import logging from abc import ABC, abstractmethod +from collections.abc import Sequence from logging.handlers import MemoryHandler -from typing import Any, Sequence +from typing import Any from rich.align import StyleType from rich.console import Console, Group, RenderableType diff --git a/pip_audit/_subprocess.py b/pip_audit/_subprocess.py index 32b43885..fb021a4c 100644 --- a/pip_audit/_subprocess.py +++ b/pip_audit/_subprocess.py @@ -5,8 +5,8 @@ import os.path import subprocess +from collections.abc import Sequence from subprocess import Popen -from typing import Sequence from ._state import AuditState diff --git a/pip_audit/_virtual_env.py b/pip_audit/_virtual_env.py index d3dcc99e..c59ae530 100644 --- a/pip_audit/_virtual_env.py +++ b/pip_audit/_virtual_env.py @@ -7,10 +7,10 @@ import json import logging import venv +from collections.abc import Iterator from os import PathLike from tempfile import NamedTemporaryFile, TemporaryDirectory, gettempdir from types import SimpleNamespace -from typing import Iterator from packaging.version import Version From 78ee11ea787f6cc55b7b67d86fbc21a4f86fef31 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 22 Oct 2024 14:22:49 -0400 Subject: [PATCH 4/6] CHANGELOG: record changes Signed-off-by: William Woodruff --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3bc2182d..7574bb2a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,9 @@ All versions prior to 0.0.9 are untracked. caching directory idioms (e.g. XDG) ([#814](https://github.com/pypa/pip-audit/pull/814)) +* The minimum version of Python is now 3.9 + ([#846](https://github.com/pypa/pip-audit/pull/846)) + ### Fixed * Auditing a fully-pinned requirements file with `--disable-pip` now allows for From fccf79dcb10a5f4e5c0eec0b79b0e9bfe3d8cf8d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 22 Oct 2024 14:24:14 -0400 Subject: [PATCH 5/6] ci: add all-tests-pass Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bfb98ddc..46a1e9f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,3 +30,17 @@ jobs: - name: test run: make test PIP_AUDIT_EXTRA=test + + all-tests-pass: + if: always() + + needs: + - test + + runs-on: ubuntu-latest + + steps: + - name: check test jobs + uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 + with: + jobs: ${{ toJSON(needs) }} From bfb94ac26d8eb0b24831019d484b9d5634925b87 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 22 Oct 2024 14:27:03 -0400 Subject: [PATCH 6/6] workflows: hash-pin everywhere Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 4 ++-- .github/workflows/docs.yml | 2 +- .github/workflows/lint.yml | 8 ++++---- .github/workflows/release.yml | 6 +++--- .github/workflows/scorecards.yml | 16 ++++++++-------- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46a1e9f8..dcf59934 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,9 +20,9 @@ jobs: - "3.13" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 with: python-version: ${{ matrix.python }} cache: "pip" diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1fdead42..6e2bc056 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -9,7 +9,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 # v3.3.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 606e8f9a..0bd76d5a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -10,9 +10,9 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 with: python-version: "3.9" cache: "pip" @@ -24,9 +24,9 @@ jobs: check-readme: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 # NOTE(ww): Important: use pip-audit's minimum supported Python version # in this check, since Python can change the `--help` rendering in # `argparse` between major versions. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2df588b7..e6e2671b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,9 +20,9 @@ jobs: contents: write steps: - - uses: actions/checkout@v4.2.1 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 with: python-version-file: pyproject.toml @@ -36,7 +36,7 @@ jobs: uses: pypa/gh-action-pypi-publish@release/v1 - name: sign - uses: sigstore/gh-action-sigstore-python@v3.0.0 + uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 with: inputs: ./dist/*.tar.gz ./dist/*.whl release-signing-artifacts: true diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index c5c08138..92dfcd95 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -19,35 +19,35 @@ jobs: security-events: write # Used to receive a badge. (Upcoming feature) id-token: write - + steps: - name: "Checkout code" - uses: actions/checkout@v4.2.1 # tag=v3.0.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.4.0 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif retention-days: 5 - + # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0 + uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: sarif_file: results.sarif