fix: lock-check verifies consistency without forcing version upgrades #270
Merged
Conversation
Collaborator
but why are you doing both in a single commit?
yuvalk
reviewed
May 29, 2026
| python3.12 -m pip install pip-audit | ||
|
|
||
| - name: Scan agent dependencies | ||
| run: python3.12 -m pip_audit -r requirements-agent.txt |
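Review bot: `python3.12 -m pip install pip-audit` installs the scanner unpinned on every run, while the rest of this PR is about keeping dependency versions pinned and the second commit adds pip-audit as a dev dependency; install it from the dev lock file (or at least pin the version) in this step so the scan job uses the same pip-audit version locally and in CI and does not drift on its own. The `-r requirements-agent.txt` scan is fine as long as that file stays fully pinned, which the lock-check in the first commit now guarantees.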
Collaborator
why not use make cve-scan? (which uses trivy)
Collaborator
Author
this runs in a container, right? That would require changes to run it easily. We can add that one too later if we see fit (or replace it).
Collaborator
Author
yep, I'll split into 2 commits
Add cp before each uv pip compile so --output-file uses pinned versions as preferences (verifies consistency without forcing version upgrades). Drop venv activation from the Makefile lock-check target so it works both locally and in CI, then replace the inline verification steps in ci.yml with a single make lock-check. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add pip-audit as a dev dependency and a Makefile audit target for local dependency vulnerability scanning. Add a CI vulnerability-scan job that calls make audit to check agent, handler, and dev lock files for known CVEs (non-blocking, continue-on-error). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
yuvalk
approved these changes
May 29, 2026
The CI lock-file-check and `make lock-check` were resolving fresh dependency versions on every run, failing whenever a transitive dep released a new version even though the lock file was consistent with pyproject.toml. Fix by copying the existing lock file before `uv pip compile` so uv uses pinned versions as preferences. Also adds pip-audit for vulnerability scanning (non-blocking CI job + `make audit` target).
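The lock-check pattern the description gives, written out as an added shell example (this is not the project's Makefile target or its code). It copies the committed lock into the resolver's `--output-file` before compiling, so existing pins are taken as preferences, then compares the result with the committed lock. `lock_check`, `LOCK_COMPILE_CMD` and `LOCK_CHECK_SEED` are names introduced here; the resolver command defaults to `uv pip compile`, which reads an existing `--output-file` as preferences unless `--upgrade` is given, and `LOCK_CHECK_SEED=0` reproduces the pre-fix behaviour of resolving from scratch.

```shell
#!/usr/bin/env sh
# Added example, not the project's Makefile. Implements the check the PR
# describes: seed the resolver's --output-file with the committed lock so the
# existing pins are used as preferences, then compare the result to the lock.
# LOCK_COMPILE_CMD and LOCK_CHECK_SEED are assumptions of this example.
: "${LOCK_COMPILE_CMD:=uv pip compile}"
: "${LOCK_CHECK_SEED:=1}"   # 0 reproduces the pre-fix behaviour (fresh resolve)

# lock_check <requirements.in> <committed lock file>
# Returns 0 when the lock is consistent with its input, 1 when it differs,
# 2 when the resolver itself failed. The committed lock is never modified.
lock_check() {
    req_in=$1
    lock=$2
    out=$(mktemp) || return 2
    if [ "$LOCK_CHECK_SEED" = 1 ]; then
        # The fix: copy the committed pins into the output file so the resolver
        # keeps them instead of picking whatever was released since the lock.
        cp "$lock" "$out"
    fi
    if ! $LOCK_COMPILE_CMD "$req_in" --output-file "$out" >/dev/null; then
        rm -f "$out"
        return 2
    fi
    if cmp -s "$lock" "$out"; then
        rm -f "$out"
        return 0
    fi
    echo "lock file $lock is not consistent with $req_in:" >&2
    diff -u "$lock" "$out" >&2 || true
    rm -f "$out"
    return 1
}

# Usage: sh lock_check.sh requirements-agent.in requirements-agent.txt
if [ "$#" -ge 2 ]; then
    lock_check "$1" "$2"
fi
```

With the seed step, a lock that still matches pyproject.toml passes even after upstream releases, while a lock missing a newly added input still fails; without it, every new transitive release turns into a spurious CI failure, which is exactly what the PR fixes.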