Include dev dependencies in vulnerability report

[ckunki]

Issues in the past (#763, #740, #517) added reporting resolved vulnerabilities in the changelog.

The current ticket requests to include dev dependencies as well.

Proposed Changes

• In file audit.py
• When running poetry export
• Add CLI options "--with", "dev",
  • Counter suggestion is to use poetry export --format=requirements.txt --all-groups --all-extras -> This should cover all the cases without us building in the options. We should still update the PoetryToml.groups to include the optional dependencies.

Additional Questions

Additionally, we should spend some ideas / discussion on whether and how the following could be addressed

• other dependency groups
• optional dependencies (aka. "extras")

For examples look in https://github.com/exasol/notebook-connector/

All available groups can be retrieved via PTB's PoetryToml.groups.

Other related tickets

• Improve description in automated PR from dependency-update.yml #792
• Enhance report about resolved vulnerabilities to include "updated to" for affected dependencies #773

[ArBridgeman]

Interesting related note:

❯ poetry export --format=requirements.txt --without-hashes | \
              poetry run pip-audit -f markdown
Found 3 known vulnerabilities in 3 packages

Name | Version | ID | Fix Versions
--- | --- | --- | ---
cryptography | 46.0.6 | CVE-2026-39892 | 46.0.7
pygments | 2.19.2 | CVE-2026-4539 | 2.20.0
pytest | 8.4.2 | CVE-2025-71176 | 9.0.3

seems to include all dependencies -> cryptography (main), pygments (transitive), pytest (dev)

[ArBridgeman]

we could get the groups from https://github.com/exasol/python-toolbox/blob/main/exasol/toolbox/util/dependencies/poetry_dependencies.py#L59

[ckunki]

According to @ArBridgeman the difference sometimes may be blurred as

• transitives are included
• which may overlap with some dev dependencies.

Example for PTB dependencies.txt