diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 21702f885..e69ba6463 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,7 +10,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0 + rev: v6.0.0 # v6.0.0 hooks: - id: check-json types: [file] # override `types: [json]` @@ -24,33 +24,33 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/tox-dev/pyproject-fmt - rev: 0c8c15d8fe996493035be407c5cf4a288cf6bf8e # v2.25.1 + rev: v2.25.1 # v2.25.1 hooks: - id: pyproject-fmt - repo: https://github.com/abravalheri/validate-pyproject - rev: 4b2e70d08cb2ccd26d1fba73588de41c7a5d50b7 # v0.25 + rev: v0.25 # v0.25 hooks: - id: validate-pyproject - repo: https://github.com/astral-sh/ruff-pre-commit - rev: c59bba8fb259db0fec2bbb77ad8ba51ea7341b56 # v0.15.20 + rev: v0.15.20 # v0.15.20 hooks: - id: ruff-check args: [--fix, --exit-non-zero-on-fix] - id: ruff-format - repo: https://github.com/sphinx-contrib/sphinx-lint - rev: c883505f64b59c3c5c9375191e4ad9f98e727ccd # v1.0.2 + rev: v1.0.2 # v1.0.2 hooks: - id: sphinx-lint types: [rst] - repo: https://github.com/adamchainz/blacken-docs - rev: fda77690955e9b63c6687d8806bafd56a526e45f # 1.20.0 + rev: 1.20.0 # 1.20.0 hooks: - id: blacken-docs args: [--line-length=79] additional_dependencies: - black - repo: https://github.com/codespell-project/codespell - rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a # v2.4.2 + rev: v2.4.2 # v2.4.2 hooks: - id: codespell args: [--toml pyproject.toml] diff --git a/docs/data-processing/serialisation-formats/toml/pyproject.toml b/docs/data-processing/serialisation-formats/toml/pyproject.toml index 0ea3af0ee..e583d8be0 100644 --- a/docs/data-processing/serialisation-formats/toml/pyproject.toml +++ b/docs/data-processing/serialisation-formats/toml/pyproject.toml @@ -6,12 +6,12 @@ line-length = 79 [tool.isort] atomic = true -force_grid_wrap = 0 +multi_line_output = 3 +use_parentheses = true include_trailing_comma = true +force_grid_wrap = 0 lines_after_imports = 2 lines_between_types = 1 -multi_line_output = 3 -not_skip = "__init__.py" -use_parentheses = true -known_first_party = [ "MY_FIRST_MODULE", "MY_SECOND_MODULE" ] known_third_party = [ "mpi4py", "numpy", "requests" ] +known_first_party = [ "MY_FIRST_MODULE", "MY_SECOND_MODULE" ] +not_skip = "__init__.py" diff --git a/docs/productive/git/advanced/hooks/scripts.rst b/docs/productive/git/advanced/hooks/scripts.rst index 8fe9b0216..50ae14bae 100644 --- a/docs/productive/git/advanced/hooks/scripts.rst +++ b/docs/productive/git/advanced/hooks/scripts.rst @@ -73,6 +73,9 @@ Linters and formatters `prettier `_ provides `prettier `__ +`ruff-pre-commit `_ + pre-commit-Hook für :doc:`../../../qa/ruff` + `black `_ for formatting Python code diff --git a/docs/productive/security.rst b/docs/productive/security.rst index f50a8e1c2..26995e788 100644 --- a/docs/productive/security.rst +++ b/docs/productive/security.rst @@ -29,26 +29,76 @@ This check determines whether the project has open, unfixed vulnerabilities in its own code base or in its dependencies. An open vulnerability can be easily exploited and should be closed as soon as possible. -For such a check, you can use for example `uv-secure -`_. Alternatively, you can use `osv -`_ or `pip-audit -`_, which uses the `Open Source -Vulnerability Database `_. +For such a check, you can use for example ``uv audit`` Alternatively, you can +use `osv `_ or `pip-audit +`_. + +``uv audit`` is a new command introduced in uv≥0.11.19 that checks the +dependencies in your project for known vulnerabilities in the `OSV +`_ database and ‘undesirable’ project statuses, such as +*deprecated*: + +.. code-block:: console + + $ uv audit + warning: `uv audit` is experimental and may change without warning. Pass `--preview-features audit-command` to disable this warning. + Resolved 115 packages in 16ms + Found 12 known vulnerabilities and no adverse project statuses in 114 packages + + Vulnerabilities: + + idna 3.12 has 1 known vulnerability: + - GHSA-65pc-fj4g-8rjx: Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix + Fixed in: 3.15 + Advisory information: https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx + … + +``uv add``, ``uv sync``, and so on can now be run during every synchronisation +process to check for previously identified malware. This feature is not enabled +by default, but it can be easily enabled by setting ``UV_MALWARE_CHECK=1`` in +the shell. + +.. seealso:: + * `uv audit `_ + * `uv audit settings `_ If a vulnerability is found in a dependency, you should update to a non-vulnerable version; if no update is available, you should consider removing the dependency. -If you believe that the vulnerability does not affect your project, an -:file:`osv-scanner.toml` file can be created for ``osv``, including the ID to -ignore and a reason, for example: +If you believe that the security vulnerability does not affect your project, you +can define exceptions for ``uv audit`` in the :file:`pyproject.toml` file, for +example: .. code-block:: toml + :caption: pyproject.toml + + [tool.uv.audit] + ignore = ["PYSEC-2022-43017", "GHSA-5239-wwwm-4pmq"] + +or better still: + +.. code-block:: toml + :caption: pyproject.toml + + [tool.uv.audit] + ignore-until-fixed = ["PYSEC-2022-43017"] + +.. seealso:: + * `ignore `_ + * `ignore-until-fixed + `_ + +You can also add the vulnerability analysis using ``uv-audit`` to your +:doc:`pre-commit ` checks: + +.. code-block:: yaml - [[IgnoredVulns]] - id = "GO-2022-1059" - # ignoreUntil = 2022-11-09 # Optional exception expiry date - reason = "No external http servers are written in Go lang." + - repo: https://github.com/astral-sh/uv-pre-commit + rev: 73c2d77a42a113aee9e4b748c24937f09557b82d # 0.11.24 + hooks: + - id: uv-audit + files: ^(uv\.lock|pyproject\.toml)$ Maintenance -----------