
Conversation

@renovate
Contributor

@renovate renovate bot commented Dec 4, 2025

This PR contains the following updates:

Package     Change                 Age            Confidence
pip-audit   >=2.7.3 -> >=2.10.0    [age badge]    [confidence badge]

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

pypa/pip-audit (pip-audit)

v2.10.0

Compare Source

Added
  • pip-audit now supports the --osv-url URL flag, which can be used to
    retrieve vulnerabilities from a custom OSV service. This is useful for
    organizations that host their own mirror of the OSV database, or that
    have custom OSV records
    (#810)

  • pip-audit now supports the Ecosyste.ms vulnerability service with
    --vulnerability-service=esms
    (#903).

Changed
  • The minimum version of Python is now 3.10
    (#905)

Fixed
  • Fixed a bug where pip-audit would fail to parse pyproject.toml files
    containing TOML 1.0.0 features
    (#910)

  • CycloneDX JSON/XML output now correctly links vulnerabilities to their
    affected components via the affects field
    (#980)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
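The CycloneDX fix listed above (#980) is the kind of change worth verifying after the upgrade rather than taking on trust. The script below is an added example for this review and is not part of the PR, of Renovate, or of pip-audit: it parses a CycloneDX JSON document (as produced by `pip-audit -f cyclonedx-json`) and reports any vulnerability that carries no `affects` entry at all, or whose `affects[].ref` does not resolve to a component `bom-ref`. The embedded sample BOM, its package names, and the `EXAMPLE-*` vulnerability ids are constructed for the demonstration and are not real findings.

```python
"""Added example (not from the PR or pip-audit): check that a CycloneDX JSON
document links every vulnerability to a component via affects[].ref, the
linkage pip-audit 2.10.0 is described as fixing (#980).

Usage: pip-audit -f cyclonedx-json . | python check_affects.py
With no stdin, the constructed SAMPLE_BOM below is checked instead.
"""
import json
import sys
from typing import Dict, List

# Constructed sample shaped like CycloneDX 1.4+ JSON. Package names, versions,
# bom-refs and vulnerability ids are illustrative, not real advisories.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/examplelib@1.0.0",
         "name": "examplelib", "version": "1.0.0"},
        {"type": "library", "bom-ref": "pkg:pypi/otherlib@2.3.1",
         "name": "otherlib", "version": "2.3.1"},
    ],
    "vulnerabilities": [
        # Correctly linked to a component.
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:pypi/examplelib@1.0.0"}]},
        # No affects at all: the symptom of the bug fixed in 2.10.0.
        {"id": "EXAMPLE-0002", "affects": []},
        # Points at a bom-ref that no component declares.
        {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:pypi/missing@9.9.9"}]},
    ],
})


def check_affects_links(bom_json: str) -> Dict[str, List[str]]:
    """Return {"unlinked": [...], "dangling": [...]} of vulnerability ids.

    unlinked: vulnerabilities with no affects entries.
    dangling: vulnerabilities whose affects ref matches no component bom-ref.
    """
    bom = json.loads(bom_json)
    known_refs = {
        c.get("bom-ref") for c in bom.get("components", []) if c.get("bom-ref")
    }
    unlinked: List[str] = []
    dangling: List[str] = []
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        affects = vuln.get("affects") or []
        if not affects:
            unlinked.append(vid)
            continue
        if any(entry.get("ref") not in known_refs for entry in affects):
            dangling.append(vid)
    return {"unlinked": unlinked, "dangling": dangling}


def bom_is_consistent(bom_json: str) -> bool:
    """True when every vulnerability resolves to at least one known component."""
    result = check_affects_links(bom_json)
    return not result["unlinked"] and not result["dangling"]


if __name__ == "__main__":
    data = SAMPLE_BOM if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(check_affects_links(data), indent=2))
    sys.exit(0 if bom_is_consistent(data) else 1)
```

A non-zero exit from this check on a real `pip-audit -f cyclonedx-json` run after the upgrade would mean the SBOM still does not tie findings to packages, which is exactly the condition downstream SBOM consumers cannot work around.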

@claude

claude bot commented Dec 4, 2025

Review: pip-audit Dependency Update

Summary

This PR updates pip-audit from >=2.7.3 to >=2.10.0, bringing security tooling improvements and TOML 1.0.0 support.

Analysis

✅ Compatibility: No breaking changes. Project requires Python 3.13 (pyproject.toml:6), well above pip-audit's new minimum of 3.10.

✅ Dependency Changes: The update replaces toml with tomli + tomli-w. These are standard, well-maintained TOML parsers. No concerns.

✅ Benefits:

  • Fixes TOML 1.0.0 parsing bug (useful for pyproject.toml)
  • Adds custom OSV service support (good for security workflows)
  • Better CycloneDX output formatting

✅ Testing: Security dependency—no code changes required. Verify with: uv run pip-audit

Recommendation

Approve and merge. This is a straightforward security tooling upgrade with no breaking changes or risks.

@renovate renovate bot force-pushed the renovate/pip-audit-2.x branch from e68da12 to d8ccc23 on December 4, 2025 09:42
@aponcedeleonch aponcedeleonch merged commit f7fa22d into main Dec 4, 2025
5 checks passed
@aponcedeleonch aponcedeleonch deleted the renovate/pip-audit-2.x branch December 4, 2025 10:01
