All notable changes to pip-audit will be documented in this file.
The format is based on Keep a Changelog.
All versions prior to 0.0.9 are untracked.
-
pip-auditis now a PyPA member project, and lives underpypa/pip-audit! -
Improved error message for when unpinned URL requirements are found during an audit with the
--no-depsflag (#355)
-
Fixed an issue where packages on PyPI with no published versions trigger a dependency resolution failure instead of being skipped (#357)
-
Fixed an incorrect assertion triggering for non-editable URL requirements that don't have an egg fragment (#359)
- Fixed a regression in requirements auditing that was introduced during the
move from
pip-apitopip-requirements-parserwhere editable installs without an egg fragment would cause audits to crash (#331)
- CLI: the
--format=markdownand--format=columnsoutput formats are no longer broken by long vulnerability descriptions from the OSV and PyPI vulnerability sources (#323)
- Fixed a breakage in hash-checking mode caused by a change to the PyPI JSON API (#318)
- Output formats:
pip-auditnow supports a Markdown format (--format=markdown) which renders results as a set of Markdown tables. (#312)
- Vulnerability fixing: the
--fixflag now works for vulnerabilities found in requirement subdependencies. A new line is now added to the requirement file to explicitly pin the offending subdependency (#297)
- CLI:
pip-auditnow warns on the combination of-s osvand--require-hashes, notifying users that only the PyPI service can fully verify hashes (#298)
- CLI/Dependency sources:
--cache-dir=...and other flags that affect dependency resolver behavior now work correctly when auditing apyproject.tomldependency source (#300)
2.3.2 - 2022-05-14
-
CLI:
pip-audit's progress spinner has been refactored to make it faster and more responsive (#283) -
CLI, Vulnerability sources: the error message used to report connection failures to vulnerability sources was improved (#287)
-
Vulnerability sources: the OSV service is now more resilient to schema changes (#288)
-
Vulnerability sources: the PyPI service provides a better error message during some cases of service degradation (#294)
-
Vulnerability sources: a bug stemming from an incorrect assumption about OSV's schema guarantees was fixed (#284)
-
Caching:
pip-auditnow respectspip'sPIP_NO_CACHE_DIRand will not attempt to use thepipcache if present (#290)
2.3.1 - 2022-05-24
- CLI: A bug causing the terminal's cursor to disappear on some versions of CPython was fixed (#280)
2.3.0 - 2022-05-18
-
CLI: The
--ignore-vulnoption has been added, allowing users to specify vulnerability IDs to ignore during the final report (#275) -
CLI: The
--no-depsflag has been added, allowing users to skip dependency resolution entirely whenpip-auditis used in requirements mode (#255)
2.2.1 - 2022-05-02
2.2.0 - 2022-05-02
- CLI: The
--outputoption has been added, allowing users to specify a file to write output to. The default behavior of writing tostdoutis unchanged (#262)
- Vulnerability sources: A bug caused by insufficient version normalization was fixed (#263)
2.1.1 - 2022-03-29
- Dependency sources: A bug caused by ambiguous parses of source distribution files was fixed (#249)
2.1.0 - 2022-03-11
-
CLI: The
--skip-editableflag has been added, allowing users to skip local packages or parsed requirements (via-r) that are marked as editable (#244) -
CLI:
pip-auditcan audit projects that list their dependencies inpyproject.tomlfiles, viapip-audit <dir>(#246)
2.0.0 - 2022-02-18
-
CLI: The
--fixflag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available (#212, #222) -
CLI: The combination of
--fixand--dry-runis now supported, causingpip-auditto perform the auditing step but not any resulting fix steps (#223) -
CLI: The
--require-hashesflag has been added which can be used in conjunction with-rto check that all requirements in the file have an associated hash (#229) -
CLI: The
--index-urlflag has been added, allowing users to use custom package indices when running with the-rflag (#238) -
CLI: The
--extra-index-urlflag has been added, allowing users to use multiple package indices when running with the-rflag (#238)
-
pip-audit's minimum Python version is now 3.7. -
CLI: The default output format is now correctly pluralized (#221)
-
Output formats: The SBOM output formats (
--format=cyclonedx-xmland--format=cyclonedx-json) now use CycloneDX Schema 1.4 (#216) -
Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI (#229)
-
Vulnerability sources:
pip-auditnow uniques each result based on its alias set, reducing the amount of duplicate information in the default columnar output format (#232) -
CLI:
pip-auditnow prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally (#240)
- CLI: A regression causing excess output during
pip audit -rwas fixed (#226)
1.1.2 - 2022-01-13
- A pin on one of
pip-audit's dependencies was fixed (#213)
1.1.1 - 2021-12-07
- Dependency sources: a crash caused by unexpected logging statements in
pip's JSON output was fixed (#196)
1.1.0 - 2021-12-06
-
CLI: The
--path <PATH>flag has been added, allowing users to limit dependency discovery to one or more paths (specified separately) whenpip-auditis invoked in environment mode (#148) -
CLI: The
pip-auditCLI can now be accessed throughpython -m pip_audit. All functionality is identical to the functionality provided by thepip-auditentrypoint (#173) -
CLI: The
--verboseflag has been added, allowing users to receive more more verbose output frompip-audit. Supplying the--verboseflag overrides thePIP_AUDIT_LOGLEVELenvironment variable and is equivalent to setting it todebug(#185)
- CLI:
pip-auditnow clears its spinner bar from the terminal upon completion, preventing visual confusion (#174)
-
Dependency sources: a crash caused by
platform.python_versionreturning an version string that couldn't be parsed as a PEP-440 version was fixed (#175) -
Dependency sources: a crash caused by incorrect assumptions about the structure of source distributions was fixed (#166)
-
Vulnerability sources: a performance issue on Windows caused by cache failures was fixed (#178)
1.0.1 - 2021-12-02
-
CLI: The
--descflag no longer requires a following argument. If passed as a bare option,--descis equivalent to--desc on(#153) -
Dependency resolution: The PyPI-based dependency resolver no longer throws an uncaught exception on package resolution errors; instead, the package is marked as skipped and an appropriate warning or fatal error (in
--strictmode) is produced (#162) -
CLI: When providing the
--cache-dirflag, the command to read the pip cache directory is no longer executed. Previously this was always executed and could result into failure when the command fails. In CI environments, the default~/.cachedirectory is typically not writable by the build user and this meant that thepython -m pip cache dirwould fail before this fix, even if the--cache-dirflag was provided. (#161)
1.0.0 - 2021-12-01
- This is the first stable release of
pip-audit! The CLI is considered stable from this point on, and all changes will comply with Semantic Versioning
0.0.9 - 2021-12-01
- CLI: Skipped dependencies are now listed in the output of
pip-audit, for supporting output formats (#145) - CLI:
pip-auditnow supports a "strict" mode (enabled with-Sor--strict) that fails if the audit if any individual dependency cannot be resolved or audited. The default behavior is still to skip any individual dependency errors (#146)