Skip to content

Replace pipenv check with pip-audit#19

Merged
ghukill merged 1 commit intomainfrom
IN-1240-pip-audit
May 5, 2025
Merged

Replace pipenv check with pip-audit#19
ghukill merged 1 commit intomainfrom
IN-1240-pip-audit

Conversation

@ghukill
Copy link
Contributor

@ghukill ghukill commented May 5, 2025

Purpose and background context

This PR replaces the vulnerability scanning of pipenv check (which uses safety under the hood) with pip-audit. See commit message for more details.

How can a reviewer manually see the effects of these changes?

Run make lint.

Includes new or updated dependencies?

YES

Changes expectations for external applications?

YES

What are the relevant tickets?

Developer

  • All new ENV is documented in README
  • All new ENV has been added to staging and production environments
  • All related Jira tickets are linked in commit message(s)
  • Stakeholder approval has been confirmed (or is not needed)

Code Reviewer(s)

  • The commit message is clear and follows our guidelines (not just this PR message)
  • There are appropriate tests covering any new functionality
  • The provided documentation is sufficient for understanding any new functionality introduced
  • Any manual tests have been performed or provided examples verified
  • New dependencies are appropriate or there were no changes

@ghukill
Replace pipenv check with pip-audit
d5fc635 
Why these changes are being introduced:

As of pipenv 2025.0.1 the use of `pipenv check` would throw
an error, indicating that the library `safety` was not installed.
It worked to run `pipenv check --auto-install` which would
temporarily install `safety`, but this was not ideal for multiple
reasons.

First, we anticipate potentially moving away from `pipenv`.

Second, it appears that `safety` is moving to a pay / subscription
model.

Third, it remains a little obfuscated what `pipenv check` is actually
doing.

As this new situation affects all builds in Github Actions CI,
we need a way to scan for vulnerabilities that ideally is not
a massive overhaul of our vulnerability scanning approach.

How this addresses that need:

`pip-audit` is a nice standalone, open-source library that
performs very similar work to `safety`.

This commit replaces `pipenv check` (which was `safety` under
the hood) with `pip-audit`.

Side effects of this change:
* Builds will be successful in Github Actions

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1240
@ghukill ghukill requested a review from a team May 5, 2025 13:57
@ghukill ghukill merged commit c754e9b into main May 5, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ehanson8 ehanson8 ehanson8 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ghukill @ehanson8