Pull request overview
This PR migrates the project’s dependency vulnerability scanning from pip-audit to uv audit, aligning the audit step with the repository’s existing uv/tox-uv tooling and reducing dev dependency surface area.
Changes:
- Removed pip-audit from dev dependencies and the lockfile, dropping its transitive dependency set.
- Updated tox audit environments to run uv audit instead of pip-audit.
- Updated CI workflows and contributor documentation to refer to uv audit.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| uv.lock | Removes pip-audit and its transitive dependencies; updates uv to 0.11.2 in the locked set. |
| tox.ini | Switches audit testenv commands from pip-audit to uv audit. |
| pyproject.toml | Removes pip-audit from dev extra; bumps uv minimum version to >=0.11.2; updates audit-related comment. |
| CONTRIBUTING.md | Replaces pip-audit reference with uv audit and links to uv docs. |
| .github/workflows/regular.yml | Renames the audit step label to “Run uv audit” (tox env remains the driver). |
| .github/workflows/ci.yml | Renames the audit step label to “Run uv audit” (tox env remains the driver). |
AVHopp
left a comment
Looking good, but want to understand what the full intent of this PR is.
@AdrianSosic @Scienfitz does a tool replacement deserve a CHANGELOG entry? Imo it would
I'd say no because not user-facing, but I'll let @Scienfitz tip the scales
I don't want to tip the scale because on the one hand I agree this is not user-facing and there's no strict requirement to mention it, on the other hand it doesn't really hurt
| commands = | ||
| python --version | ||
| pip-audit {env:EXCLUDES:} | ||
| uv audit |
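Review bot: the replacement line drops the `{env:EXCLUDES:}` substitution along with pip-audit, so any EXCLUDES value set by a workflow or a developer's shell will now be silently ignored instead of narrowing the audit; if uv audit has no equivalent pass-through at the moment, state the removal explicitly in the updated CONTRIBUTING.md section next to the uv audit reference so nobody keeps relying on that variable.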
the excludes functionality was handy in the past, do you really have to remove it?
Does not exist yet but has been merged into uv main 4 days ago, so will be available in the next couple of days. Let's just wait until it's there 👍🏼
Replace pip-audit with uv audit, which is faster and saves us one dependency.