build(deps): bump certifi from 2022.12.7 to 2023.7.22

[dependabot]

Bumps certifi from 2022.12.7 to 2023.7.22.

Commits

• 8fb96ed 2023.07.22
• afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
• 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
• 44df761 Hash pin Actions and enable dependabot (#228)
• 8b3d7ba 2023.05.07
• 53da240 ci: Add Python 3.12-dev to the testing (#224)
• c2fc3b1 Create a Security Policy (#222)
• c211ef4 Set up permissions to github workflows (#218)
• 2087de5 Don't let deprecation warning fail CI (#219)
• e0b9fc5 remove paragraphs about 1024-bit roots from README
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[mogul]

@nickumia-reisys @rahearn this has the usual drawback of Dependabot PRs on Python code, in that it is making the PR on the lock file instead of the source of the dependencies (Pipfile, requirements.txt, or in another project, requirements.in, etc.)

I learned yesterday that dependabot also understands pip-compile and will properly make a PR against a pyproject.toml file if one exists! (checkdmarc specifies dependencies in pyproject.toml itself.)

What do you think about moving the dependencies into pyproject.toml and retiring Pipfile so Dependabot will do something more useful in future? And, what do you want to do to resolve this finding in the meantime?

[mogul]

More context on pyproject.toml relative to other/previous ways of specifying dependencies.

[nickumia-reisys]

I think that would be a step in the right direction. Data.gov has started to go in this direction with our harvesting revamp:

• Example: https://github.com/GSA/datagov-harvesting-logic/blob/main/pyproject.toml

[mogul]

Nice! Have you turned on Dependabot PRs yet for that repo? (It no longer makes PRs automatically, which I think it did before; you have to have a .github/dependabot.yml in place for that to happen. Though it does still report results to the Security tab even when it isn't configured to make PRs.)