All notable changes to pip-audit
will be documented in this file.
The format is based on Keep a Changelog.
All versions prior to 0.0.9 are untracked.
- Fixed a dependency resolution failure caused by incorrect handling of a PEP 440 edge case around prerelease versions (#477)
- Added a lower bound on
packaging
to ensure that non-normalized versions are handled correctly (#471)
-
Fixed
pip-audit
's virtual environment creation and upgrade behavior, preventing spurious vulnerability reports (#454) -
Users are now warned if a
pip-audit
invocation is ambiguous, e.g. if they've installedpip-audit
globally but are asking for an audit of a loaded virtual environment (#451)
- Fixed a crash triggered when a package specifies an invalid version
specifier for its
requires-python
version (#447)
- Fixed a crash triggered when no vulnerabilities are found with some configurations (#437)
-
The
--output
flag will no longer produce an empty file in the event of a failure withinpip-audit
itself, making it easier to distinguish between audit failures being reported bypip-audit
andpip-audit
's own errors (#432) -
Removed pin on
packaging
now that our dependency pins it for us (#429)
- Pin maximum version of
packaging
dependency to avoid installing the new 22.0 version which is incompatible withpip-requirements-parser
(#427)
- Fixed a timestamp parsing bug that occurred with some vulnerability reports provided by the OSV service (#416)
-
Fixed an incorrect interaction between
--desc=auto
and--format=json
;--desc=auto
now includes the description in the generated JSON report, as intended (#399) -
Fixed a bug in dependency resolution with third-party indices where relative URLs were not resolved correctly (#411, #412)
-
Fixed an issue where audits done with the PyPI vulnerability service (the default) were not correctly filtered by "withdrawn" status; "withdrawn" vulnerabilities are now excluded (#393)
-
Fixed an issue where audits done with the OSV vulnerability service (
-s osv
) were not correctly filtered by "withdrawn" status; "withdrawn" vulnerabilities are now excluded (#386) -
Fixed
pip-audit
's handling of URL-style requirements in--no-deps
mode (URL requirements are now treated as skipped, rather than producing an error due to a lack of pinning) (#395)
-
pip-audit
is now a PyPA member project, and lives underpypa/pip-audit
! -
Improved error message for when unpinned URL requirements are found during an audit with the
--no-deps
flag (#355)
-
Fixed an issue where packages on PyPI with no published versions trigger a dependency resolution failure instead of being skipped (#357)
-
Fixed an incorrect assertion triggering for non-editable URL requirements that don't have an egg fragment (#359)
- Fixed a regression in requirements auditing that was introduced during the
move from
pip-api
topip-requirements-parser
where editable installs without an egg fragment would cause audits to crash (#331)
- CLI: the
--format=markdown
and--format=columns
output formats are no longer broken by long vulnerability descriptions from the OSV and PyPI vulnerability sources (#323)
- Fixed a breakage in hash-checking mode caused by a change to the PyPI JSON API (#318)
- Output formats:
pip-audit
now supports a Markdown format (--format=markdown
) which renders results as a set of Markdown tables. (#312)
- Vulnerability fixing: the
--fix
flag now works for vulnerabilities found in requirement subdependencies. A new line is now added to the requirement file to explicitly pin the offending subdependency (#297)
- CLI:
pip-audit
now warns on the combination of-s osv
and--require-hashes
, notifying users that only the PyPI service can fully verify hashes (#298)
- CLI/Dependency sources:
--cache-dir=...
and other flags that affect dependency resolver behavior now work correctly when auditing apyproject.toml
dependency source (#300)
2.3.2 - 2022-05-14
-
CLI:
pip-audit
's progress spinner has been refactored to make it faster and more responsive (#283) -
CLI, Vulnerability sources: the error message used to report connection failures to vulnerability sources was improved (#287)
-
Vulnerability sources: the OSV service is now more resilient to schema changes (#288)
-
Vulnerability sources: the PyPI service provides a better error message during some cases of service degradation (#294)
-
Vulnerability sources: a bug stemming from an incorrect assumption about OSV's schema guarantees was fixed (#284)
-
Caching:
pip-audit
now respectspip
'sPIP_NO_CACHE_DIR
and will not attempt to use thepip
cache if present (#290)
2.3.1 - 2022-05-24
- CLI: A bug causing the terminal's cursor to disappear on some versions of CPython was fixed (#280)
2.3.0 - 2022-05-18
-
CLI: The
--ignore-vuln
option has been added, allowing users to specify vulnerability IDs to ignore during the final report (#275) -
CLI: The
--no-deps
flag has been added, allowing users to skip dependency resolution entirely whenpip-audit
is used in requirements mode (#255)
2.2.1 - 2022-05-02
2.2.0 - 2022-05-02
- CLI: The
--output
option has been added, allowing users to specify a file to write output to. The default behavior of writing tostdout
is unchanged (#262)
- Vulnerability sources: A bug caused by insufficient version normalization was fixed (#263)
2.1.1 - 2022-03-29
- Dependency sources: A bug caused by ambiguous parses of source distribution files was fixed (#249)
2.1.0 - 2022-03-11
-
CLI: The
--skip-editable
flag has been added, allowing users to skip local packages or parsed requirements (via-r
) that are marked as editable (#244) -
CLI:
pip-audit
can audit projects that list their dependencies inpyproject.toml
files, viapip-audit <dir>
(#246)
2.0.0 - 2022-02-18
-
CLI: The
--fix
flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available (#212, #222) -
CLI: The combination of
--fix
and--dry-run
is now supported, causingpip-audit
to perform the auditing step but not any resulting fix steps (#223) -
CLI: The
--require-hashes
flag has been added which can be used in conjunction with-r
to check that all requirements in the file have an associated hash (#229) -
CLI: The
--index-url
flag has been added, allowing users to use custom package indices when running with the-r
flag (#238) -
CLI: The
--extra-index-url
flag has been added, allowing users to use multiple package indices when running with the-r
flag (#238)
-
pip-audit
's minimum Python version is now 3.7. -
CLI: The default output format is now correctly pluralized (#221)
-
Output formats: The SBOM output formats (
--format=cyclonedx-xml
and--format=cyclonedx-json
) now use CycloneDX Schema 1.4 (#216) -
Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI (#229)
-
Vulnerability sources:
pip-audit
now uniques each result based on its alias set, reducing the amount of duplicate information in the default columnar output format (#232) -
CLI:
pip-audit
now prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally (#240)
- CLI: A regression causing excess output during
pip audit -r
was fixed (#226)
1.1.2 - 2022-01-13
- A pin on one of
pip-audit
's dependencies was fixed (#213)
1.1.1 - 2021-12-07
- Dependency sources: a crash caused by unexpected logging statements in
pip
's JSON output was fixed (#196)
1.1.0 - 2021-12-06
-
CLI: The
--path <PATH>
flag has been added, allowing users to limit dependency discovery to one or more paths (specified separately) whenpip-audit
is invoked in environment mode (#148) -
CLI: The
pip-audit
CLI can now be accessed throughpython -m pip_audit
. All functionality is identical to the functionality provided by thepip-audit
entrypoint (#173) -
CLI: The
--verbose
flag has been added, allowing users to receive more more verbose output frompip-audit
. Supplying the--verbose
flag overrides thePIP_AUDIT_LOGLEVEL
environment variable and is equivalent to setting it todebug
(#185)
- CLI:
pip-audit
now clears its spinner bar from the terminal upon completion, preventing visual confusion (#174)
-
Dependency sources: a crash caused by
platform.python_version
returning an version string that couldn't be parsed as a PEP-440 version was fixed (#175) -
Dependency sources: a crash caused by incorrect assumptions about the structure of source distributions was fixed (#166)
-
Vulnerability sources: a performance issue on Windows caused by cache failures was fixed (#178)
1.0.1 - 2021-12-02
-
CLI: The
--desc
flag no longer requires a following argument. If passed as a bare option,--desc
is equivalent to--desc on
(#153) -
Dependency resolution: The PyPI-based dependency resolver no longer throws an uncaught exception on package resolution errors; instead, the package is marked as skipped and an appropriate warning or fatal error (in
--strict
mode) is produced (#162) -
CLI: When providing the
--cache-dir
flag, the command to read the pip cache directory is no longer executed. Previously this was always executed and could result into failure when the command fails. In CI environments, the default~/.cache
directory is typically not writable by the build user and this meant that thepython -m pip cache dir
would fail before this fix, even if the--cache-dir
flag was provided. (#161)
1.0.0 - 2021-12-01
- This is the first stable release of
pip-audit
! The CLI is considered stable from this point on, and all changes will comply with Semantic Versioning
0.0.9 - 2021-12-01
- CLI: Skipped dependencies are now listed in the output of
pip-audit
, for supporting output formats (#145) - CLI:
pip-audit
now supports a "strict" mode (enabled with-S
or--strict
) that fails if the audit if any individual dependency cannot be resolved or audited. The default behavior is still to skip any individual dependency errors (#146)