Pip Audit Versions

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them

v2.5.4

1 year ago

Changed

  • Refactored the --index-url option so that it no longer overrides the user's pip configuration by default, unless explicitly specified (#565)

Fixed

  • Fixed bug with the --fix flag where new requirements were sometimes being appended to requirement files instead of patching the existing requirement (#577)

  • Fixed a crash caused by auditing requirements files that refer to other requirements files (#568)

v2.5.3

1 year ago

Changed

  • Further simplified pip-audit's dependency resolution to remove inconsistent behaviour when using hashed requirements or the --no-deps flag (#540)

Fixed

  • Fixed a crash caused by invalid UTF-8 sequences in subprocess outputs (#572)

v2.5.2

1 year ago

Fixed

  • Fixed a loose dependency constraint for CycloneDX SBOM generation (#558)

v2.5.1

1 year ago

Fixed

  • Fixed a crash on Windows caused by multiple open file handles to input requirements (#551)

v2.5.0

1 year ago

Changed

  • Improved error messaging when a requirements input or indirect dependency has an invalid (non-PEP 440) requirements specifier (#507)

  • pip-audit's handling of dependency resolution has been significantly refactored and simplified (#523)

Fixed

  • Fixed a potential crash on invalid unicode in subprocess streams (#536)

v2.4.15

1 year ago

Fixed

  • Fixed an issue where hash checking would fail when using third-party indices (#462)

  • Fixed the behavior of the --skip-editable flag, which had regressed with an internal API change (#499)

  • Fixed a dependency resolution bug that can potentially be triggered when multiple packages have the same subdependency (#488)

v2.4.14

1 year ago

Fixed

  • Fixed a dependency resolution failure caused by incorrect handling of a PEP 440 edge case around prerelease versions (#477)

v2.4.13

1 year ago

Fixed

  • Added a lower bound on packaging to ensure that non-normalized versions are handled correctly (#471)

v2.4.12

1 year ago

Fixed

  • Fixed pip-audit's virtual environment creation and upgrade behavior, preventing spurious vulnerability reports (#454)

  • Users are now warned if a pip-audit invocation is ambiguous, e.g. if they've installed pip-audit globally but are asking for an audit of a loaded virtual environment (#451)

v2.4.11

1 year ago

Fixed

  • Fixed a crash triggered when a package specifies an invalid version specifier for its requires-python version (#447)