From 7699473b996bb373970aa5f9e3074aee5984b1ef Mon Sep 17 00:00:00 2001 From: veit Date: Tue, 9 Jun 2026 15:59:24 +0200 Subject: [PATCH 1/3] :memo: Switch from uv-secure to uv audit' --- .../productive/git/advanced/hooks/scripts.rst | 3 + docs/productive/security.rst | 74 ++++++++++++++++--- 2 files changed, 65 insertions(+), 12 deletions(-) diff --git a/docs/productive/git/advanced/hooks/scripts.rst b/docs/productive/git/advanced/hooks/scripts.rst index 8fe9b0216..50ae14bae 100644 --- a/docs/productive/git/advanced/hooks/scripts.rst +++ b/docs/productive/git/advanced/hooks/scripts.rst @@ -73,6 +73,9 @@ Linters and formatters `prettier `_ provides `prettier `__ +`ruff-pre-commit `_ + pre-commit-Hook für :doc:`../../../qa/ruff` + `black `_ for formatting Python code diff --git a/docs/productive/security.rst b/docs/productive/security.rst index f50a8e1c2..26995e788 100644 --- a/docs/productive/security.rst +++ b/docs/productive/security.rst @@ -29,26 +29,76 @@ This check determines whether the project has open, unfixed vulnerabilities in its own code base or in its dependencies. An open vulnerability can be easily exploited and should be closed as soon as possible. -For such a check, you can use for example `uv-secure -`_. Alternatively, you can use `osv -`_ or `pip-audit -`_, which uses the `Open Source -Vulnerability Database `_. +For such a check, you can use for example ``uv audit`` Alternatively, you can +use `osv `_ or `pip-audit +`_. + +``uv audit`` is a new command introduced in uv≥0.11.19 that checks the +dependencies in your project for known vulnerabilities in the `OSV +`_ database and ‘undesirable’ project statuses, such as +*deprecated*: + +.. code-block:: console + + $ uv audit + warning: `uv audit` is experimental and may change without warning. Pass `--preview-features audit-command` to disable this warning. + Resolved 115 packages in 16ms + Found 12 known vulnerabilities and no adverse project statuses in 114 packages + + Vulnerabilities: + + idna 3.12 has 1 known vulnerability: + - GHSA-65pc-fj4g-8rjx: Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix + Fixed in: 3.15 + Advisory information: https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx + … + +``uv add``, ``uv sync``, and so on can now be run during every synchronisation +process to check for previously identified malware. This feature is not enabled +by default, but it can be easily enabled by setting ``UV_MALWARE_CHECK=1`` in +the shell. + +.. seealso:: + * `uv audit `_ + * `uv audit settings `_ If a vulnerability is found in a dependency, you should update to a non-vulnerable version; if no update is available, you should consider removing the dependency. -If you believe that the vulnerability does not affect your project, an -:file:`osv-scanner.toml` file can be created for ``osv``, including the ID to -ignore and a reason, for example: +If you believe that the security vulnerability does not affect your project, you +can define exceptions for ``uv audit`` in the :file:`pyproject.toml` file, for +example: .. code-block:: toml + :caption: pyproject.toml + + [tool.uv.audit] + ignore = ["PYSEC-2022-43017", "GHSA-5239-wwwm-4pmq"] + +or better still: + +.. code-block:: toml + :caption: pyproject.toml + + [tool.uv.audit] + ignore-until-fixed = ["PYSEC-2022-43017"] + +.. seealso:: + * `ignore `_ + * `ignore-until-fixed + `_ + +You can also add the vulnerability analysis using ``uv-audit`` to your +:doc:`pre-commit ` checks: + +.. code-block:: yaml - [[IgnoredVulns]] - id = "GO-2022-1059" - # ignoreUntil = 2022-11-09 # Optional exception expiry date - reason = "No external http servers are written in Go lang." + - repo: https://github.com/astral-sh/uv-pre-commit + rev: 73c2d77a42a113aee9e4b748c24937f09557b82d # 0.11.24 + hooks: + - id: uv-audit + files: ^(uv\.lock|pyproject\.toml)$ Maintenance ----------- From 3af4917a18353acaaa7eaac02ae55b4a74ee542f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 6 Jul 2026 20:49:41 +0000 Subject: [PATCH 2/3] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c → v6.0.0](https://github.com/pre-commit/pre-commit-hooks/compare/3e8a8703264a2f4a69428a0aa4dcb512790b2c8c...v6.0.0) - [github.com/tox-dev/pyproject-fmt: 0c8c15d8fe996493035be407c5cf4a288cf6bf8e → v2.25.1](https://github.com/tox-dev/pyproject-fmt/compare/0c8c15d8fe996493035be407c5cf4a288cf6bf8e...v2.25.1) - [github.com/abravalheri/validate-pyproject: 4b2e70d08cb2ccd26d1fba73588de41c7a5d50b7 → v0.25](https://github.com/abravalheri/validate-pyproject/compare/4b2e70d08cb2ccd26d1fba73588de41c7a5d50b7...v0.25) - [github.com/astral-sh/ruff-pre-commit: c59bba8fb259db0fec2bbb77ad8ba51ea7341b56 → v0.15.20](https://github.com/astral-sh/ruff-pre-commit/compare/c59bba8fb259db0fec2bbb77ad8ba51ea7341b56...v0.15.20) - [github.com/sphinx-contrib/sphinx-lint: c883505f64b59c3c5c9375191e4ad9f98e727ccd → v1.0.2](https://github.com/sphinx-contrib/sphinx-lint/compare/c883505f64b59c3c5c9375191e4ad9f98e727ccd...v1.0.2) - [github.com/adamchainz/blacken-docs: fda77690955e9b63c6687d8806bafd56a526e45f → 1.20.0](https://github.com/adamchainz/blacken-docs/compare/fda77690955e9b63c6687d8806bafd56a526e45f...1.20.0) - [github.com/codespell-project/codespell: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a → v2.4.2](https://github.com/codespell-project/codespell/compare/2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a...v2.4.2) --- .pre-commit-config.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 21702f885..e69ba6463 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,7 +10,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0 + rev: v6.0.0 # v6.0.0 hooks: - id: check-json types: [file] # override `types: [json]` @@ -24,33 +24,33 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/tox-dev/pyproject-fmt - rev: 0c8c15d8fe996493035be407c5cf4a288cf6bf8e # v2.25.1 + rev: v2.25.1 # v2.25.1 hooks: - id: pyproject-fmt - repo: https://github.com/abravalheri/validate-pyproject - rev: 4b2e70d08cb2ccd26d1fba73588de41c7a5d50b7 # v0.25 + rev: v0.25 # v0.25 hooks: - id: validate-pyproject - repo: https://github.com/astral-sh/ruff-pre-commit - rev: c59bba8fb259db0fec2bbb77ad8ba51ea7341b56 # v0.15.20 + rev: v0.15.20 # v0.15.20 hooks: - id: ruff-check args: [--fix, --exit-non-zero-on-fix] - id: ruff-format - repo: https://github.com/sphinx-contrib/sphinx-lint - rev: c883505f64b59c3c5c9375191e4ad9f98e727ccd # v1.0.2 + rev: v1.0.2 # v1.0.2 hooks: - id: sphinx-lint types: [rst] - repo: https://github.com/adamchainz/blacken-docs - rev: fda77690955e9b63c6687d8806bafd56a526e45f # 1.20.0 + rev: 1.20.0 # 1.20.0 hooks: - id: blacken-docs args: [--line-length=79] additional_dependencies: - black - repo: https://github.com/codespell-project/codespell - rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a # v2.4.2 + rev: v2.4.2 # v2.4.2 hooks: - id: codespell args: [--toml pyproject.toml] From c61d157bbbf4d5ec58057d468b5fc3f4d48b8709 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 6 Jul 2026 20:49:53 +0000 Subject: [PATCH 3/3] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .../serialisation-formats/toml/pyproject.toml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/data-processing/serialisation-formats/toml/pyproject.toml b/docs/data-processing/serialisation-formats/toml/pyproject.toml index 0ea3af0ee..e583d8be0 100644 --- a/docs/data-processing/serialisation-formats/toml/pyproject.toml +++ b/docs/data-processing/serialisation-formats/toml/pyproject.toml @@ -6,12 +6,12 @@ line-length = 79 [tool.isort] atomic = true -force_grid_wrap = 0 +multi_line_output = 3 +use_parentheses = true include_trailing_comma = true +force_grid_wrap = 0 lines_after_imports = 2 lines_between_types = 1 -multi_line_output = 3 -not_skip = "__init__.py" -use_parentheses = true -known_first_party = [ "MY_FIRST_MODULE", "MY_SECOND_MODULE" ] known_third_party = [ "mpi4py", "numpy", "requests" ] +known_first_party = [ "MY_FIRST_MODULE", "MY_SECOND_MODULE" ] +not_skip = "__init__.py"