pip-audit is a prototype tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-db) as a source of vulnerability reports.
This project is developed by Trail of Bits with support from Google. This is not an official Google product.
git clone https://github.com/trailofbits/pip-audit && cd pip-audit
make dev && source env/bin/activate
pip-audit --helpReleases of pip-audit are managed via bump
and GitHub Actions.
# default release (patch bump)
make release
# override the default
# vX.Y.Z -> vX.Y.Z-rc.0
make release BUMP_ARGS="--pre rc.0"
# vX.Y.Z -> vN.0.0
make release BUMP_ARGS="--major"make release will fail if there are any untracked changes in the source tree.
If make release succeeds, you'll see an output like this:
RUN ME MANUALLY: git push origin main && git push origin vX.Y.Z
Run that last command sequence to complete the release.