Skip to content

IN 1240 - Replace pipenv check with pip-audit and maintenance #206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 13, 2025
Merged

IN 1240 - Replace pipenv check with pip-audit and maintenance #206

merged 3 commits into from
May 13, 2025

Conversation

@ghukill
Copy link
Contributor

@ghukill ghukill commented May 9, 2025
edited
Loading

Purpose and background context

This PR accomplishses a couple of tightly coupled things:

  1. reworks pipenv check to use pip-audit, which is applied broadly across repos (Jira ticket)
  2. upgrades python to 3.12
  3. unpins luigi resulting in installation of 3.6.0, and some necessary type checking skips

luigi has been pinned to 3.5.1 for some time to avoid a barrage of type checking errors that 3.5.2 introduced. But with the move to pip-audit, a vulnerability was found with 3.5.1 that version 3.6.0 (most recent) resolves. While the upgrade to python 3.12 was inconsequential, upgrading luigi resurfaced those mypy type checking errors.

There is a good deal of commentary in the commit that unpins luigi, but a short paraphrasing here:

This project is largely a wrapper around luigi tasks. We define some custom classes that extend luigi.Task and luigi.LocalTarget (the output of tasks). Each of our actual tasks is just an extension of these; 99% boilerplate with a sprinkling of business logic. This is what made luigi appealing!

However, luigi is very poorly typed. Even the optional luigi.mypy mypy plugin does not seem to help (possibly an artifact of our extensions. Therefore it was decided to skip mypy type checking for hrqb.base.* and hrqb.task.*. In doing so, we:

  • are able to upgrade luigi which is important for vulnerability reasons, and keeping up-to-date
  • our IDE's continue to leverage type checking for hints

As a big fan of type annotations and linting, the decision was not made lightly. But this allows us to keep this repository up-to-date dependency wise, and as the git commit mentions, there are some options if we'd like to layer on type checking again in the future.

How can a reviewer manually see the effects of these changes?

make test + make lint is about our best option at the moment, given the sensitivity of the data.

Includes new or updated dependencies?

YES: bumps to python 3.12 and unpins luigi resulting in installation of 3.6.0

Changes expectations for external applications?

NO

What are the relevant tickets?

Developer

  • All new ENV is documented in README
  • All new ENV has been added to staging and production environments
  • All related Jira tickets are linked in commit message(s)
  • Stakeholder approval has been confirmed (or is not needed)

Code Reviewer(s)

  • The commit message is clear and follows our guidelines (not just this PR message)
  • There are appropriate tests covering any new functionality
  • The provided documentation is sufficient for understanding any new functionality introduced
  • Any manual tests have been performed or provided examples verified
  • New dependencies are appropriate or there were no changes

ghukill added 3 commits May 9, 2025 11:53
@ghukill
Replace pipenv check with pip-audit
a076899 
Why these changes are being introduced:

As of pipenv 2025.0.1 the use of `pipenv check` would throw
an error, indicating that the library `safety` was not installed.
It worked to run `pipenv check --auto-install` which would
temporarily install `safety`, but this was not ideal for multiple
reasons.

First, we anticipate potentially moving away from `pipenv`.

Second, it appears that `safety` is moving to a pay / subscription
model.

Third, it remains a little obfuscated what `pipenv check` is actually
doing.

As this new situation affects all builds in Github Actions CI,
we need a way to scan for vulnerabilities that ideally is not
a massive overhaul of our vulnerability scanning approach.

How this addresses that need:

`pip-audit` is a nice standalone, open-source library that
performs very similar work to `safety`.

This commit replaces `pipenv check` (which was `safety` under
the hood) with `pip-audit`.

NOTE: until we can install a non-pinned version of luigi,
we must ignore vulnerability PYSEC-2024-159 (which should
not affect us).

Side effects of this change:
* Builds will be successful in Github Actions

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1240
@ghukill
Bump python 3.12
983be16 
Why these changes are being introduced:

This CLI was stuck on python 3.11 for awhile while untangling
some mypy linting errors.  Turns out it was luigi >= 3.5.2 that
presented the issues.

With luigi still pinned, we can perform python version update
and update dependencies.

How this addresses that need:
* Python version bumped to 3.12
* Luigi remains pinned, for now, at 3.5.1
* Dependencies updated

Side effects of this change:
* Python version updated

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1240
* https://mitlibraries.atlassian.net/browse/IN-1258
@ghukill
Unpin luigi and skip type checking broadly
55b424b 
Why these changes are being introduced:

luigi=3.5.2 introduced a litany of type checking errors
for our usage.  As such, we had luigi pinned to 3.5.1
for some time.  With the introduction of pip-audit, and
a found vulnerability for 3.5.1, and bumping python to
3.12, it was time to finally address this.

We fairly heavily extend luigi.Task and luigi.LocalTarget,
and use those base extensions throughoug the project.
Because luigi is poorly typed, even with the `luigi.mypy` module,
we had cascading type check errors.

Manually creating .pyi stubs was explored -- and it works --
but the benefit did not seem to outweigh the cost of creating
and maintaing them.  Particularly since most of this project
is luigi task boilerplate; each task, e.g. ExtractDWEmployees,
is basically just class definitions with a minimal amount of
actual business logic.  This was the appeal of luigi, and it's
why these .pyi files would be nearly doubling the codebase.

The ultimate solution feels to just skip type checking
for luigi based classes, given a) luigi is poorly typed
already, and b) the signatures are effectively the same for
each task.  IDE's will still benefit from understanding
what classes can do, but we skip linting errors.

How this addresses that need:
* Unpins luigi, resulting in install of luigi=3.6.0 at time
of this commit
* Adds explicit type checking ignores for hrqb.base.* and
hrqb.task.*
* Remove vulnerability ignore now no longer present in luigi

Side effects of this change:
* Luigi is updated, but type checking is lost for most
luigi tasks (at least temporarily)

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1258
@ghukill ghukill marked this pull request as ready for review May 9, 2025 18:50
@ghukill ghukill requested review from a team and ehanson8 May 9, 2025 18:51
@ghukill ghukill merged commit 525139f into main May 13, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ehanson8 ehanson8 ehanson8 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ghukill @ehanson8