Homebrew is a popular package manager for macOS. Many of the projects it packages are written in Python. In order to ensure reproducible builds, Homebrew precisely pins the version of each Python package a Homebrew formula depends on.
osv-scanner is a tool for checking
a project's dependencies against vulnerability databases in order to determine
if there are any known vulnerabilities.
This project takes all of the Python packages depended on by Homebrew formulas
and runs them through osv-scanner. It then takes those audit results and uses
them to submit patches to Homebrew.
This project previously used
pip-audit, instead of osv-scanner,
hence the name.
The following things can be found in this repository:
formula2requirements.rb: Extracts the Python dependencies from Homebrew and writes them out in therequirements.txtformat.pip-audit-bulk: Runsosv-scannerover a directory ofrequirements.txtfiles.generate-prs.rb: Automatically generates PRs againstHomebrew/homebrew-corefor formulae with vulnerable dependencies.
See the generated GitHub Pages site for more information, including generated dependency sets and audits.
This repository is automated, but the automation isn't perfect. You can help out by:
- Looking at the incoming PRs against
Homebrew/homebrew-core, and helping debug ones that fail. - Improving the performance of our automation (it's currently very slow).
- Looking at the action logs for the PR automation, and helping debug/fix formulae and dependencies that can't be auto-updated.
