Replace poetry with uv #1313

Merged: greenbonebot merged 1 commit into main from switch-to-uv, Apr 9, 2026
@bjoernricks
Contributor

What

Replace poetry with uv

Why

Use uv instead of poetry because it has become the de-facto standard and it's way faster.

@bjoernricks bjoernricks requested review from a team as code owners April 9, 2026 12:26
@greenbonebot greenbonebot enabled auto-merge (rebase) April 9, 2026 12:26
@github-actions

github-actions bot commented Apr 9, 2026

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
  • ❌ 1 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 6 package(s) with unknown licenses.
  • ⚠️ 1 packages with OpenSSF Scorecard issues.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 0700db3.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

uv.lock

Name | Version | Vulnerability | Severity
black | 25.11.0 | Black: Arbitrary file writes from unsanitized user input in cache file name | high
Only included vulnerabilities with severity high or higher.

License Issues

uv.lock

Package | Version | License | Issue Type
cffi | 2.0.0 | MIT-0 | Incompatible License
autohooks | 26.2.0 | Null | Unknown License
charset-normalizer | 3.4.7 | Null | Unknown License
cryptography | 46.0.7 | Null | Unknown License
invoke | 3.0.0 | Null | Unknown License
pontos | 26.2.0 | Null | Unknown License
ruff | 0.15.9 | Null | Unknown License
Allowed Licenses: 0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, bzip2-1.0.6, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-3.0, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

Scorecard details
Package | Version | Score | Details
actions/actions/checkout | de0fac2e4500dabe0009e67214ff5f5447ce83dd | 🟢 6 | Details:
  Check | Score | Reason
  Maintained | ⚠️ 2 | 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
  Code-Review | 🟢 10 | all changesets reviewed
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Signed-Releases | ⚠️ -1 | no releases found
  Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3
  Security-Policy | 🟢 9 | security policy file detected
  Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches
  SAST | 🟢 8 | SAST tool detected but not run on all commits
pip/black | 25.11.0 | Unknown | Unknown
pip/requests | 2.32.5 | Unknown | Unknown
pip/accessible-pygments | 0.0.5 | Unknown | Unknown
pip/alabaster | 0.7.16 | Unknown | Unknown
pip/anyio | 4.12.1 | Unknown | Unknown
pip/autohooks | 26.2.0 | Unknown | Unknown
pip/autohooks-plugin-black | 23.10.0 | 🟢 5.8 | Details:
  Check | Score | Reason
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Code-Review | 🟢 3 | Found 1/3 approved changesets -- score normalized to 3
  Maintained | 🟢 5 | 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  Signed-Releases | 🟢 8 | 5 out of the last 5 releases have a total of 5 signed artifacts.
  Security-Policy | 🟢 10 | security policy file detected
  SAST | 🟢 10 | SAST tool is run on all commits
pip/autohooks-plugin-mypy | 23.10.0 | Unknown | Unknown
pip/autohooks-plugin-ruff | 25.3.1 | Unknown | Unknown
pip/babel | 2.18.0 | Unknown | Unknown
pip/bcrypt | 5.0.0 | Unknown | Unknown
pip/beautifulsoup4 | 4.14.3 | Unknown | Unknown
pip/certifi | 2026.2.25 | 🟢 6.3 | Details:
  Check | Score | Reason
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Maintained | 🟢 7 | 7 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 7
  Security-Policy | 🟢 10 | security policy file detected
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Code-Review | 🟢 5 | Found 1/2 approved changesets -- score normalized to 5
  Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
  Pinned-Dependencies | 🟢 5 | dependency not pinned by hash detected -- score normalized to 5
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 9 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  Packaging | 🟢 10 | packaging workflow detected
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/cffi | 2.0.0 | Unknown | Unknown
pip/charset-normalizer | 3.4.7 | Unknown | Unknown
pip/click | 8.1.8 | Unknown | Unknown
pip/colorama | 0.4.6 | Unknown | Unknown
pip/colorful | 0.5.8 | 🟢 3.4 | Details:
  Check | Score | Reason
  Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Code-Review | ⚠️ 2 | Found 3/11 approved changesets -- score normalized to 2
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  Security-Policy | ⚠️ 0 | security policy file not detected
  Packaging | 🟢 10 | packaging workflow detected
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/coverage | 7.10.7 | Unknown | Unknown
pip/cryptography | 46.0.7 | Unknown | Unknown
pip/docutils | 0.21.2 | Unknown | Unknown
pip/exceptiongroup | 1.3.1 | Unknown | Unknown
pip/furo | 2025.12.19 | Unknown | Unknown
pip/git-cliff | 2.12.0 | 🟢 7 | Details:
  Check | Score | Reason
  Code-Review | 🟢 8 | Found 6/7 approved changesets -- score normalized to 8
  Maintained | 🟢 10 | 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
  Security-Policy | 🟢 10 | security policy file detected
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Packaging | 🟢 10 | packaging workflow detected
  Pinned-Dependencies | 🟢 10 | all dependencies are pinned
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  Signed-Releases | 🟢 8 | 5 out of the last 5 releases have a total of 5 signed artifacts.
  SAST | 🟢 10 | SAST tool is run on all commits
pip/h11 | 0.16.0 | 🟢 4.4 | Details:
  Check | Score | Reason
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Code-Review | 🟢 5 | Found 9/18 approved changesets -- score normalized to 5
  Maintained | ⚠️ 0 | 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Security-Policy | ⚠️ 0 | security policy file not detected
  Fuzzing | 🟢 10 | project is fuzzed
  Signed-Releases | ⚠️ -1 | no releases found
  License | 🟢 10 | license file detected
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/h2 | 4.3.0 | Unknown | Unknown
pip/hpack | 4.1.0 | Unknown | Unknown
pip/httpcore | 1.0.9 | Unknown | Unknown
pip/httpx | 0.28.1 | Unknown | Unknown
pip/hyperframe | 6.1.0 | Unknown | Unknown
pip/idna | 3.11 | Unknown | Unknown
pip/imagesize | 1.5.0 | 🟢 3.8 | Details:
  Check | Score | Reason
  Packaging | ⚠️ -1 | packaging workflow not detected
  Maintained | 🟢 10 | 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Code-Review | ⚠️ 0 | Found 0/15 approved changesets -- score normalized to 0
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Security-Policy | ⚠️ 0 | security policy file not detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/importlib-metadata | 8.7.1 | Unknown | Unknown
pip/invoke | 3.0.0 | Unknown | Unknown
pip/jinja2 | 3.1.6 | Unknown | Unknown
pip/librt | 0.8.1 | Unknown | Unknown
pip/lxml | 6.0.2 | Unknown | Unknown
pip/lxml-stubs | 0.5.1 | Unknown | Unknown
pip/markdown-it-py | 3.0.0 | Unknown | Unknown
pip/markupsafe | 3.0.3 | Unknown | Unknown
pip/mdit-py-plugins | 0.4.2 | Unknown | Unknown
pip/mdurl | 0.1.2 | Unknown | Unknown
pip/mypy | 1.19.1 | Unknown | Unknown
pip/mypy-extensions | 1.1.0 | Unknown | Unknown
pip/myst-parser | 4.0.1 | Unknown | Unknown
pip/packaging | 26.0 | Unknown | Unknown
pip/paramiko | 4.0.0 | Unknown | Unknown
pip/pathspec | 1.0.4 | Unknown | Unknown
pip/platformdirs | 4.4.0 | Unknown | Unknown
pip/pontos | 26.2.0 | Unknown | Unknown
pip/pycparser | 2.23 | 🟢 6.1 | Details:
  Check | Score | Reason
  Maintained | 🟢 10 | 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
  Code-Review | ⚠️ 0 | Found 1/30 approved changesets -- score normalized to 0
  Packaging | ⚠️ -1 | packaging workflow not detected
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Security-Policy | 🟢 9 | security policy file detected
  Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Fuzzing | 🟢 10 | project is fuzzed
  License | 🟢 9 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/pygments | 2.20.0 | Unknown | Unknown
pip/pynacl | 1.6.2 | 🟢 7.5 | Details:
  Check | Score | Reason
  Maintained | 🟢 10 | 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Code-Review | 🟢 10 | all changesets reviewed
  Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Security-Policy | ⚠️ 0 | security policy file not detected
  Fuzzing | 🟢 10 | project is fuzzed
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Packaging | 🟢 10 | packaging workflow detected
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/python-dateutil | 2.9.0.post0 | 🟢 5.5 | Details:
  Check | Score | Reason
  Code-Review | ⚠️ 2 | Found 5/17 approved changesets -- score normalized to 2
  Packaging | ⚠️ -1 | packaging workflow not detected
  Maintained | 🟢 10 | 13 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Security-Policy | ⚠️ 0 | security policy file not detected
  Fuzzing | 🟢 10 | project is fuzzed
  License | 🟢 9 | license file detected
  Signed-Releases | 🟢 8 | 2 out of the last 2 releases have a total of 2 signed artifacts.
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/pytokens | 0.4.1 | Unknown | Unknown
pip/pyyaml | 6.0.3 | Unknown | Unknown
pip/rich | 14.3.3 | Unknown | Unknown
pip/ruff | 0.15.9 | Unknown | Unknown
pip/semver | 3.0.4 | Unknown | Unknown
pip/shtab | 1.8.0 | Unknown | Unknown
pip/six | 1.17.0 | 🟢 3.9 | Details:
  Check | Score | Reason
  Code-Review | ⚠️ 2 | Found 7/30 approved changesets -- score normalized to 2
  Maintained | ⚠️ 2 | 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Security-Policy | ⚠️ 0 | security policy file not detected
  Fuzzing | 🟢 10 | project is fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/snowballstemmer | 3.0.1 | 🟢 3.8 | Details:
  Check | Score | Reason
  Maintained | 🟢 10 | 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
  Packaging | ⚠️ -1 | packaging workflow not detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Code-Review | ⚠️ 0 | Found 1/14 approved changesets -- score normalized to 0
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  Security-Policy | ⚠️ 0 | security policy file not detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/soupsieve | 2.8.3 | Unknown | Unknown
pip/sphinx | 7.4.7 | Unknown | Unknown
pip/sphinx-basic-ng | 1.0.0b2 | ⚠️ 2 | Details:
  Check | Score | Reason
  Dangerous-Workflow | ⚠️ -1 | no workflows found
  Code-Review | ⚠️ 0 | Found 1/26 approved changesets -- score normalized to 0
  Packaging | ⚠️ -1 | packaging workflow not detected
  Token-Permissions | ⚠️ -1 | No tokens found
  Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
  Pinned-Dependencies | ⚠️ -1 | no dependencies found
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Security-Policy | ⚠️ 0 | security policy file not detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
pip/sphinxcontrib-applehelp | 2.0.0 | Unknown | Unknown
pip/sphinxcontrib-devhelp | 2.0.0 | Unknown | Unknown
pip/sphinxcontrib-htmlhelp | 2.1.0 | Unknown | Unknown
pip/sphinxcontrib-jsmath | 1.0.1 | Unknown | Unknown
pip/sphinxcontrib-qthelp | 2.0.0 | Unknown | Unknown
pip/sphinxcontrib-serializinghtml | 2.0.0 | Unknown | Unknown
pip/tomli | 2.4.1 | Unknown | Unknown
pip/tomlkit | 0.14.0 | Unknown | Unknown
pip/types-paramiko | 4.0.0.20250822 | Unknown | Unknown
pip/typing-extensions | 4.15.0 | Unknown | Unknown
pip/urllib3 | 2.6.3 | Unknown | Unknown
pip/zipp | 3.23.0 | Unknown | Unknown

Scanned Files

  • .github/workflows/codeql.yml
  • .github/workflows/release.yml
  • poetry.lock
  • uv.lock

@greenbonebot
Member

Scanning the following files for hidden unicode:

@github-actions

github-actions bot commented Apr 9, 2026

Conventional Commits Report

😢 No conventional commits found.

👉 Learn more about the conventional commits usage at Greenbone.

@greenbonebot greenbonebot merged commit 56d2ec1 into main Apr 9, 2026
23 of 25 checks passed
@greenbonebot greenbonebot deleted the switch-to-uv branch April 9, 2026 12:34
3 participants