Merged
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -94,6 +94,6 @@ repos:
exclude: pnpm-lock.yaml

- repo: https://github.com/tox-dev/pyproject-fmt
rev: v2.12.1
rev: v2.14.2
hooks:
- id: pyproject-fmt
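Review bot: the rev bump from v2.12.1 to v2.14.2 is a behaviour change rather than a routine refresh, and the PR description should say so: the newer pyproject-fmt appears to be what rewrites `[tool.poetry.dependencies]` and `[tool.pytest.ini_options]` into dotted keys in backend/pyproject.toml and docs/pyproject.toml further down (the `[tool.ruff]` section already used that dotted style in the unchanged context, which points to the formatter). Since `rev:` references a git tag, which upstream can move, consider pinning the hook to the tag's commit SHA (pre-commit accepts a full SHA in `rev:`) if the team wants the formatter output to stay reproducible.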
260 changes: 137 additions & 123 deletions backend/poetry.lock

Large diffs are not rendered by default.

125 changes: 58 additions & 67 deletions backend/pyproject.toml
@@ -8,67 +8,59 @@ version = "0.0.0"
description = "Your gateway to OWASP"
authors = [ "Arkadii Yakovets <arkadii.yakovets@owasp.org>" ]
readme = "README.md"

packages = [ { include = "apps" } ]

[tool.poetry.dependencies]
algoliasearch = "^4.13.2"
algoliasearch-django = "^4.0.0"
django = "^6.0"
django-configurations = "^2.5.1"
django-cors-headers = "^4.7.0"
django-ninja = "^1.4.3"
django-redis = "^6.0.0"
django-rq = "^3.1"
django-storages = { extras = [ "s3" ], version = "^1.14.4" }
emoji = "^2.14.1"
geopy = "^2.4.1"
gunicorn = "^25.0.0"
humanize = "^4.11.0"
jinja2 = "^3.1.6"
langchain = "^0.3.26"
langchain-community = "^0.3.26"
langgraph = "^1.0.1"
lxml = "^6.0.0"
markdown = "^3.7"
openai = "^2.0.1"
owasp-schema = "^0.1.46"
pgvector = "^0.4.1"
psycopg2-binary = "^2.9.9"
pydantic = "^2.11.1"
pydantic-core = "^2.33.0"
pygithub = "^2.5.0"
python = "^3.13"
python-dateutil = "^2.9.0.post0"
pyyaml = "^6.0.2"
reportlab = "^4.4.2"
requests = "^2.32.5"
sentry-sdk = { extras = [ "django" ], version = "^2.20.0" }
slack-bolt = "^1.22.0"
slack-sdk = "^3.37.0"
strawberry-graphql = { extras = [ "django" ], version = "^0.291.0" }
strawberry-graphql-django = "^0.75.0"
thefuzz = "^0.22.1"
pyparsing = "^3.2.3"

[tool.poetry.group.test.dependencies]
pytest = "^9.0.1"
pytest-cov = "^7.0"
pytest-django = "^4.5"
pytest-mock = "^3.0"
pytest-xdist = "^3.0"
python-dotenv = "^1.0.1"

[tool.poetry.group.video.dependencies]
elevenlabs = "^2.27.0"
ffmpeg-python = "^0.2.0"
pillow = "^12.1.0"
pypdfium2 = "^5.2.0"
weasyprint = "^68.0"
dependencies.algoliasearch = "^4.13.2"
dependencies.algoliasearch-django = "^4.0.0"
dependencies.django = "^6.0"
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Django 6.0 release date 2025 2026

💡 Result:

Django 6.0 was officially released on December 3, 2025. [1][2]

(For context: 6.0.1 shipped January 6, 2026 [3] and 6.0.2 shipped February 3, 2026 [4][5].)

Sources: [1] [2] [3] [4] [5]


🏁 Script executed:

# Read the full pyproject.toml to see actual dependencies
cat -n backend/pyproject.toml

Repository: OWASP/Nest

Length of output: 8446


🌐 Web query:

django-ninja 1.4.3 Django 6.0 compatibility

💡 Result:

django-ninja==1.4.3 is not marked as compatible with Django 6.0. On PyPI, its classifiers list Django support only up to Django 5.1 (no Django :: 6.0 classifier) and it was released Jun 4, 2025. [1]

If you need Django 6.0, use a newer django-ninja release: the current PyPI project metadata includes a Django :: 6.0 classifier (e.g., the 1.5.x line). [2]

Also note Django 6.0 requires Python 3.12+. [3]

Sources
[1] PyPI – django-ninja 1.4.3: (pypi.org)
[2] PyPI – django-ninja (latest): (pypi.org)
[3] Django 6.0 release notes (Python compatibility): (docs.djangoproject.com)



🌐 Web query:

strawberry-graphql-django 0.75.0 Django 6.0 support

💡 Result:

strawberry-graphql-django 0.75.0 (released Jan 27, 2026) explicitly declares Django 6.0 support via its PyPI framework classifiers (Framework :: Django :: 6.0). It also requires Python >= 3.10. [1]

Sources:
[1] PyPI project page for strawberry-graphql-django 0.75.0 (classifiers + release date) (pypi.org)



🌐 Web query:

django-configurations 2.5.1 Django 6.0 compatibility

💡 Result:

django-configurations 2.5.1 does not claim Django 6.0 compatibility. Its PyPI classifiers list support for Django 3.2, 4.1, 4.2, and 5.0 (and Python >=3.8,<4.0)—no Django 6.0 classifier is present. [1]

Since Django 6.0 requires Python 3.12+ and includes breaking/deprecation-driven changes, you should assume django-configurations 2.5.1 is “unverified/unsupported on Django 6.0” unless you run its test suite (or your project’s tests) against Django 6.0 and it passes. [2]

Sources: [1] [2]


Upgrade django-ninja and django-configurations for Django 6.0 compatibility.

django-ninja==1.4.3 does not support Django 6.0 (only Django ≤5.1). Upgrade to version 1.5.x or later.

django-configurations==2.5.1 lacks Django 6.0 support declarations on PyPI (classifiers only cover up to Django 5.0). Verify compatibility by running the test suite against Django 6.0, or upgrade to a version that explicitly supports Django 6.0.

All other listed dependencies (django-redis, django-rq, django-storages, strawberry-graphql-django, sentry-sdk) are compatible with Django 6.0.

🤖 Prompt for AI Agents
In `@backend/pyproject.toml` at line 14, the pyproject.toml lists
django-ninja==1.4.3 and django-configurations==2.5.1 which are not declared
compatible with Django 6.0; update the dependency entries (the django-ninja and
django-configurations lines in pyproject.toml) to versions that support Django
6.0 (e.g., bump django-ninja to 1.5.x or later and choose a
django-configurations release that declares Django 6 compatibility), then run
the test suite against Django 6.0 to verify compatibility and adjust versions if
tests fail.

dependencies.django-configurations = "^2.5.1"
dependencies.django-cors-headers = "^4.7.0"
dependencies.django-ninja = "^1.5.3"
dependencies.django-redis = "^6.0.0"
dependencies.django-rq = "^3.1"
dependencies.django-storages = { extras = [ "s3" ], version = "^1.14.4" }
dependencies.emoji = "^2.14.1"
dependencies.geopy = "^2.4.1"
dependencies.gunicorn = "^25.0.0"
dependencies.humanize = "^4.11.0"
dependencies.jinja2 = "^3.1.6"
dependencies.langchain = "^0.3.26"
dependencies.langchain-community = "^0.3.26"
dependencies.langgraph = "^1.0.1"
dependencies.lxml = "^6.0.0"
dependencies.markdown = "^3.7"
dependencies.openai = "^2.0.1"
dependencies.owasp-schema = "^0.1.46"
dependencies.pgvector = "^0.4.1"
dependencies.psycopg2-binary = "^2.9.9"
dependencies.pydantic = "^2.11.1"
dependencies.pydantic-core = "^2.33.0"
dependencies.pygithub = "^2.5.0"
dependencies.python = "^3.13"
dependencies.python-dateutil = "^2.9.0.post0"
dependencies.pyyaml = "^6.0.2"
dependencies.reportlab = "^4.4.2"
dependencies.requests = "^2.32.5"
dependencies.sentry-sdk = { extras = [ "django" ], version = "^2.20.0" }
dependencies.slack-bolt = "^1.22.0"
dependencies.slack-sdk = "^3.37.0"
dependencies.strawberry-graphql = { extras = [ "django" ], version = "^0.291.0" }
dependencies.strawberry-graphql-django = "^0.75.0"
dependencies.thefuzz = "^0.22.1"
dependencies.pyparsing = "^3.2.3"
group.test.dependencies.pytest = "^9.0.1"
group.test.dependencies.pytest-cov = "^7.0"
group.test.dependencies.pytest-django = "^4.5"
group.test.dependencies.pytest-mock = "^3.0"
group.test.dependencies.pytest-xdist = "^3.0"
group.test.dependencies.python-dotenv = "^1.0.1"
group.video.dependencies.elevenlabs = "^2.27.0"
group.video.dependencies.ffmpeg-python = "^0.2.0"
group.video.dependencies.pillow = "^12.1.0"
group.video.dependencies.pypdfium2 = "^5.2.0"
group.video.dependencies.weasyprint = "^68.0"

[tool.ruff]
target-version = "py313"

line-length = 99
lint.select = [ "ALL" ]
lint.extend-select = [ "I" ]
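Review bot: the one substantive change in this hunk is the django-ninja bump from `^1.4.3` to `^1.5.3` (old line `django-ninja = "^1.4.3"`, new line `dependencies.django-ninja = "^1.5.3"`), which addresses the Django 6.0 compatibility point raised in the comment above; django-configurations stays at `^2.5.1`, for which that same comment found no Django 6.0 classifier, so either record in the PR that the test suite passed against Django 6.0 or bump it as well. Everything else here is a mechanical collapse of `[tool.poetry.dependencies]` and the test and video groups into dotted keys under `[tool.poetry]`, which defines the same TOML tables, so the dependency set is unchanged; the actual pins live in backend/poetry.lock, whose 137-addition diff is not rendered above and deserves a separate look for transitive version changes. One caveat of the dotted form: a future dependency whose name contains a dot (the `zope.interface` case from the comment below) must be written as a quoted key, or the dot is parsed as a table separator.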
@@ -125,16 +117,15 @@ lint.per-file-ignores."**/tests/**/*.py" = [
"S101", # https://docs.astral.sh/ruff/rules/assert/
"SLF001", # https://docs.astral.sh/ruff/rules/private-member-access/
]

lint.per-file-ignores."apps/api/rest/**/*.py" = [
"ARG001", # https://docs.astral.sh/ruff/rules/unused-function-argument/
"B008", # https://docs.astral.sh/ruff/rules/function-call-in-default-argument/
]

[tool.pytest.ini_options]
DJANGO_CONFIGURATION = "Test"
DJANGO_SETTINGS_MODULE = "settings.test"
addopts = [
[tool.pytest]
ini_options.DJANGO_CONFIGURATION = "Test"
ini_options.DJANGO_SETTINGS_MODULE = "settings.test"
ini_options.addopts = [
"--cov-config=pyproject.toml",
"--cov-fail-under=80",
"--cov-precision=2",
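Review bot: `[tool.pytest.ini_options]` becomes `[tool.pytest]` plus `ini_options.*` dotted keys. In TOML both spell the same nested table, so pytest still finds `tool.pytest.ini_options` and `DJANGO_CONFIGURATION`, `DJANGO_SETTINGS_MODULE` and the `--cov-fail-under=80` option keep their values. The one thing worth confirming once is that pytest 9 (pinned as `^9.0.1` above), which also recognises a native `[tool.pytest]` table, still treats this file as the legacy `ini_options` form; the `configfile:` line in pytest's header output and a deliberate `--cov-fail-under` failure are enough to check that.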
@@ -147,16 +138,16 @@ addopts = [
"--no-cov-on-fail",
"--numprocesses=auto",
]
filterwarnings = [
ini_options.filterwarnings = [
"ignore::DeprecationWarning:pytest_cov",
"ignore::DeprecationWarning:xdist",
"ignore::pydantic.warnings.PydanticDeprecatedSince20",
]
log_level = "INFO"
ini_options.log_level = "INFO"

[tool.coverage.run]
branch = true
omit = [
[tool.coverage]
run.branch = true
run.omit = [
"__init__.py",
"**/admin.py",
"**/apps.py",
2 changes: 1 addition & 1 deletion cspell/package.json
@@ -2,7 +2,7 @@
"devDependencies": {
"@cspell/dict-aws": "^4.0.17",
"@cspell/dict-data-science": "^2.0.13",
"@cspell/dict-en_us": "^4.4.28",
"@cspell/dict-en_us": "^4.4.29",
"@cspell/dict-fullstack": "^3.2.8",
"@cspell/dict-golang": "^6.0.26",
"@cspell/dict-k8s": "^1.0.12",
20 changes: 10 additions & 10 deletions cspell/pnpm-lock.yaml

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion docker/backend/Dockerfile
@@ -33,7 +33,7 @@ USER owasp

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root --without test --without video
poetry install --no-root --verbose --without test --without video

COPY apps apps
COPY entrypoint.sh manage.py wsgi.py ./
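Review bot: `--verbose` on `poetry install` puts the resolver's package-by-package output into the build log. That is useful for auditing what the image actually installed against poetry.lock, but it is noisy and the same flag is added to the four other Dockerfiles in this commit; if it was added to debug a one-off install failure, say so in the commit message and plan to revert it, and if it is meant to stay, be aware that the extra output also lands in CI logs.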
2 changes: 1 addition & 1 deletion docker/backend/Dockerfile.local
@@ -28,7 +28,7 @@ WORKDIR /home/owasp

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root --without test --without video
poetry install --no-root --verbose --without test --without video

FROM python:3.13.11-alpine3.23

2 changes: 1 addition & 1 deletion docker/backend/Dockerfile.test
@@ -26,7 +26,7 @@ USER owasp

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root
poetry install --no-root --verbose

COPY .env.example .env.example
COPY apps apps
2 changes: 1 addition & 1 deletion docker/backend/Dockerfile.video
@@ -19,7 +19,7 @@ RUN --mount=type=cache,target=${PIP_CACHE_DIR} \

COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root --without test && \
poetry install --no-root --verbose --without test && \
python -m pip uninstall -y poetry

RUN --mount=type=cache,target=${APK_CACHE_DIR} \
2 changes: 1 addition & 1 deletion docker/docs/Dockerfile.local
@@ -28,7 +28,7 @@ USER owasp

COPY --chmod=444 --chown=root:root docs/poetry.lock docs/pyproject.toml mkdocs.yaml ./
RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
poetry install --no-root && \
poetry install --no-root --verbose && \
rm -rf docs/poetry.lock docs/pyproject.toml

FROM python:3.13.11-alpine3.23
2 changes: 1 addition & 1 deletion docker/frontend/Dockerfile.e2e.test
@@ -1,4 +1,4 @@
FROM mcr.microsoft.com/playwright:v1.58.1-jammy
FROM mcr.microsoft.com/playwright:v1.58.2-jammy

ENV FORCE_COLOR=1 \
NPM_CACHE="/app/.npm" \
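Review bot: the base image moves from `v1.58.1-jammy` to `v1.58.2-jammy` but is still referenced by a mutable tag. Pinning `FROM mcr.microsoft.com/playwright:v1.58.2-jammy@sha256:<digest>` (the digest is a placeholder here; take it from the registry) would make the e2e image reproducible and let future bumps show the digest change in review instead of silently following the tag.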
6 changes: 3 additions & 3 deletions docs/poetry.lock

Some generated files are not rendered by default.

14 changes: 6 additions & 8 deletions docs/pyproject.toml
@@ -8,11 +8,9 @@ version = "0.1.0"
description = "OWASP Nest Documentation"
authors = [ "Arkadii Yakovets <arkadii.yakovets@owasp.org>" ]
license = "MIT"

[tool.poetry.dependencies]
mkdocs = "^1.6.1"
mkdocs-material = "^9.6.19"
mkdocs-minify-plugin = "^0.8.0"
mkdocstrings = "^1.0.0"
pymdown-extensions = "^10.20.0"
python = "^3.13"
dependencies.mkdocs = "^1.6.1"
dependencies.mkdocs-material = "^9.6.19"
dependencies.mkdocs-minify-plugin = "^0.8.0"
dependencies.mkdocstrings = "^1.0.0"
dependencies.pymdown-extensions = "^10.20.0"
dependencies.python = "^3.13"
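Review bot: the dotted keys carry the same data as the `[tool.poetry.dependencies]` table they replace (`dependencies.mkdocs = "^1.6.1"` under `[tool.poetry]` and `mkdocs = "^1.6.1"` under `[tool.poetry.dependencies]` both define `tool.poetry.dependencies.mkdocs`), so the docs build is unaffected. Given the pyproject-fmt hook bump in this same commit, this layout appears to be the formatter's output; if the project prefers the table-header form suggested in the comment below, that has to be done by configuring or reverting the hook, because a hand edit would be re-flattened on the next pre-commit run.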
Comment on lines +11 to +16

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

find . -name "pyproject.toml" -path "*/docs/*" | head -20

Repository: OWASP/Nest

Length of output: 75


🌐 Web query:

Poetry 2.x pyproject.toml dependencies format dotted keys

💡 Result:

In Poetry 2.x you have two good options when a dependency name contains a dot (e.g. zope.interface), because in TOML an unquoted a.b key is a dotted key (it creates nested tables) rather than a literal key name. Use a quoted key if you’re in a TOML table, or switch to PEP 621 string dependencies.

Option A (recommended in Poetry 2.x): PEP 621 strings (no TOML key issues)

[project]
dependencies = [
  "zope.interface>=6,<7",
]

Poetry 2.x supports specifying main dependencies in project.dependencies as PEP 508 strings. [1]

Option B (legacy / still supported): quote the key under tool.poetry.dependencies

[tool.poetry.dependencies]
"zope.interface" = "^6.0"

TOML allows quoted keys (so the dot is part of the key name), whereas bare keys can’t contain dots. [2] Real-world Poetry projects use this quoting pattern for dotted package names. [3]

Sources:
[1] Poetry docs – Dependency specification (project.dependencies vs tool.poetry.dependencies) (python-poetry.org)
[2] TOML spec – keys, quoted keys, and dotted keys (toml.io)
[3] Example pyproject.toml showing "zope.interface" in [tool.poetry.dependencies] (sources.debian.org)



🏁 Script executed:

cat -n ./docs/pyproject.toml | head -30

Repository: OWASP/Nest

Length of output: 666


🌐 Web query:

Poetry 2.0 tool.poetry dependencies dotted key format support

💡 Result:

Poetry 2.x doesn’t implement any special “dotted-key dependency syntax” of its own; it just reads whatever your TOML parser produces.

  • If by “dotted key format” you mean TOML dotted keys like tool.poetry.dependencies.requests = "^2.31": that’s standard TOML dotted-key notation (it creates nested tables) and can represent the same data structure Poetry expects. (toml.io)
  • However, standard TOML forbids mixing a [tool.poetry.dependencies] table header with dotted keys that (re)define that same table path, which makes such files error-prone across TOML parsers/tools. (toml.io)
  • In Poetry 2.x, the recommended modern/standard place for dependencies is [project].dependencies (PEP 508 strings); [tool.poetry.dependencies] remains Poetry’s extended table format. (deepwiki.com)

So: there’s no Poetry-2.0-specific “support switch”—it’s mainly a TOML validity/compatibility question. For best compatibility, stick to [tool.poetry.dependencies] entries (table form) or move to [project].dependencies rather than relying on dotted-key assignments. (deepwiki.com)



🏁 Script executed:

wc -l ./docs/pyproject.toml && cat ./docs/pyproject.toml

Repository: OWASP/Nest

Length of output: 579


Use [tool.poetry.dependencies] section header instead of dotted-key format.

The dotted-key syntax (dependencies.mkdocs = "^1.6.1") under [tool.poetry] is valid TOML but not the recommended Poetry 2.x format. Per Poetry documentation, use the standard section header format:

[tool.poetry.dependencies]
mkdocs = "^1.6.1"
mkdocs-material = "^9.6.19"
mkdocs-minify-plugin = "^0.8.0"
mkdocstrings = "^1.0.0"
pymdown-extensions = "^10.20.0"
python = "^3.13"

Dotted-key assignments for this purpose are error-prone across TOML parsers and deviate from Poetry's standard conventions.

🤖 Prompt for AI Agents
In `@docs/pyproject.toml` around lines 11 - 16, the TOML uses dotted-key
assignments like dependencies.mkdocs and dependencies.python under
[tool.poetry]; replace those dotted-key lines by adding a
[tool.poetry.dependencies] section header and move the keys (mkdocs,
mkdocs-material, mkdocs-minify-plugin, mkdocstrings, pymdown-extensions, python)
as regular keys under that section (e.g., mkdocs = "...") to conform to Poetry
2.x standard and avoid dotted-key usage.

8 changes: 4 additions & 4 deletions frontend/package.json
@@ -43,7 +43,7 @@
"dayjs": "^1.11.19",
"dompurify": "^3.3.1",
"eslint-plugin-import": "^2.32.0",
"framer-motion": "^12.33.0",
"framer-motion": "^12.34.0",
"graphql": "^16.12.0",
"ics": "^3.8.1",
"isomorphic-dompurify": "^2.36.0",
@@ -56,7 +56,7 @@
"next": "^16.1.6",
"next-auth": "^4.24.13",
"next-themes": "^0.4.6",
"posthog-js": "^1.342.1",
"posthog-js": "^1.343.2",
"react": "^19.2.4",
"react-apexcharts": "^1.9.0",
"react-dom": "^19.2.4",
@@ -87,7 +87,7 @@
"@types/leaflet": "^1.9.21",
"@types/leaflet.markercluster": "^1.5.6",
"@types/markdown-it": "^14.1.2",
"@types/node": "^25.2.1",
"@types/node": "^25.2.2",
"@types/react": "^19.2.13",
"@types/react-dom": "^19.2.3",
"@typescript-eslint/eslint-plugin": "^8.54.0",
@@ -96,7 +96,7 @@
"eslint-config-next": "^16.1.6",
"eslint-config-prettier": "^10.1.8",
"eslint-import-resolver-alias": "^1.1.2",
"eslint-plugin-jest": "^29.12.2",
"eslint-plugin-jest": "^29.13.0",
"eslint-plugin-jsx-a11y": "^6.10.2",
"eslint-plugin-prettier": "^5.5.5",
"eslint-plugin-react": "^7.37.5",