cli: support --fix --dry-run #223

Merged: 4 commits, Jan 18, 2022

Conversation

woodruffw (Member) commented Jan 14, 2022

WIP, needs testing.

Closes #220.

@woodruffw woodruffw added the component:cli CLI components label Jan 14, 2022
@woodruffw woodruffw self-assigned this Jan 14, 2022
We don't need this diff check.
woodruffw (Member, Author):
Example behavior:

```console
$ pip-audit --fix --dry-run
INFO:pip_audit._cli:Dry run: would have upgraded PyYAML to 5.4
Found 2 known vulnerabilities in 1 package and fixed 0 vulnerabilities in 0 packages
Name   Version ID             Fix Versions
------ ------- -------------- ------------
pyyaml 5.3     PYSEC-2020-96  5.3.1
pyyaml 5.3     PYSEC-2021-142 5.4
```

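The flow the comment above demonstrates, as an added example that is my own code and not pip-audit's: the audit step always runs, one upgrade target per package is resolved from the per-vulnerability fix versions (PyYAML 5.3 with fixes 5.3.1 and 5.4 resolves to 5.4, the lowest version that closes both findings), and with `dry_run` set the upgrade is only reported, so the summary still says "fixed 0 vulnerabilities in 0 packages". Assumptions: results are reduced to (package, installed version, fix versions per vulnerability); a fix version is the first release containing the fix, so later releases count as safe (pip-audit's real resolver is more careful); versions are dotted integers rather than full PEP 440; `apply_upgrade` is a hypothetical callback standing in for the `pip install` call.

```python
"""Model of a `--fix --dry-run` flow (added example, not pip-audit's own code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Vulnerability:
    id: str
    fix_versions: tuple[str, ...]  # releases that first contain the fix (assumption)


@dataclass
class AuditResult:
    name: str
    version: str
    vulns: list[Vulnerability]


@dataclass
class FixReport:
    planned: dict[str, str] = field(default_factory=dict)  # package -> target version
    applied: dict[str, str] = field(default_factory=dict)  # subset actually upgraded
    unfixable: list[str] = field(default_factory=list)
    messages: list[str] = field(default_factory=list)


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted-integer versions only (not PEP 440): (5, 3) < (5, 3, 1) < (5, 4)."""
    return tuple(int(part) for part in v.split("."))


def resolve_fix_version(result: AuditResult) -> Optional[str]:
    """Lowest version that fixes every vulnerability of the package, or None.

    Each vulnerability's first fixed release is the minimum of its fix versions;
    the package must reach the highest of those minimums to close all of them.
    """
    firsts = []
    for vuln in result.vulns:
        if not vuln.fix_versions:
            return None  # one unfixable vulnerability means there is no safe target
        firsts.append(min(vuln.fix_versions, key=parse_version))
    return max(firsts, key=parse_version) if firsts else None


def fix_all(
    results: list[AuditResult],
    *,
    dry_run: bool,
    apply_upgrade: Callable[[str, str], None],  # hypothetical stand-in for pip install
) -> FixReport:
    """Audit and resolve always; skip the upgrade step when dry_run is set."""
    report = FixReport()
    for r in results:
        if not r.vulns:
            continue
        target = resolve_fix_version(r)
        if target is None:
            report.unfixable.append(r.name)
            report.messages.append(f"No fix available for {r.name} {r.version}")
            continue
        report.planned[r.name] = target
        if dry_run:
            report.messages.append(f"Dry run: would have upgraded {r.name} to {target}")
            continue
        apply_upgrade(r.name, target)
        report.applied[r.name] = target
    return report


def _count(n: int, singular: str, plural: str) -> str:
    return f"{n} {singular if n == 1 else plural}"


def summary_line(results: list[AuditResult], report: FixReport) -> str:
    """Same shape as the summary in the PR's example output, pluralised by count."""
    found_v = sum(len(r.vulns) for r in results)
    found_p = sum(1 for r in results if r.vulns)
    fixed_v = sum(len(r.vulns) for r in results if r.name in report.applied)
    fixed_p = len(report.applied)
    return (
        f"Found {_count(found_v, 'known vulnerability', 'known vulnerabilities')} "
        f"in {_count(found_p, 'package', 'packages')} and fixed "
        f"{_count(fixed_v, 'vulnerability', 'vulnerabilities')} "
        f"in {_count(fixed_p, 'package', 'packages')}"
    )


# Constructed sample mirroring the PR's example: PyYAML 5.3 with two findings.
SAMPLE_RESULTS = [
    AuditResult("pyyaml", "5.3", [
        Vulnerability("PYSEC-2020-96", ("5.3.1",)),
        Vulnerability("PYSEC-2021-142", ("5.4",)),
    ]),
    AuditResult("requests", "2.27.1", []),  # clean package, nothing to do
]


if __name__ == "__main__":
    for dry in (True, False):
        calls: list[tuple[str, str]] = []
        rep = fix_all(SAMPLE_RESULTS, dry_run=dry, apply_upgrade=lambda n, v: calls.append((n, v)))
        print("\n".join(rep.messages))
        print(summary_line(SAMPLE_RESULTS, rep), "| pip calls:", calls)
```

The point a practitioner wants from the dry run is that `planned` is populated while `applied` stays empty and the upgrade callback is never invoked, so the report can be reviewed (or fed to a CI gate) without touching the environment.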
@woodruffw woodruffw requested a review from di January 14, 2022 17:04
@woodruffw woodruffw requested a review from tetsuo-cpp January 14, 2022 18:16
@woodruffw woodruffw merged commit b5e2ac0 into main Jan 18, 2022
@woodruffw woodruffw deleted the ww/fix-dry-run branch January 18, 2022 23:58
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Feb 20, 2022. Commit message:

### Added

* CLI: The `--fix` flag has been added, allowing users to attempt to
  automatically upgrade any vulnerable dependencies to the first safe version
  available ([#212](pypa/pip-audit#212),
  [#222](pypa/pip-audit#222))

* CLI: The combination of `--fix` and `--dry-run` is now supported, causing
  `pip-audit` to perform the auditing step but not any resulting fix steps
  ([#223](pypa/pip-audit#223))

* CLI: The `--require-hashes` flag has been added which can be used in
  conjunction with `-r` to check that all requirements in the file have an
  associated hash ([#229](pypa/pip-audit#229))

* CLI: The `--index-url` flag has been added, allowing users to use custom
  package indices when running with the `-r` flag
  ([#238](pypa/pip-audit#238))

* CLI: The `--extra-index-url` flag has been added, allowing users to use
  multiple package indices when running with the `-r` flag
  ([#238](pypa/pip-audit#238))

### Changed

* `pip-audit`'s minimum Python version is now 3.7.

* CLI: The default output format is now correctly pluralized
  ([#221](pypa/pip-audit#221))

* Output formats: The SBOM output formats (`--format=cyclonedx-xml` and
  `--format=cyclonedx-json`) now use CycloneDX
  [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/)
  ([#216](pypa/pip-audit#216))

* Vulnerability sources: When using PyPI as a vulnerability service, any hashes
  provided in a requirements file are checked against those reported by PyPI
  ([#229](pypa/pip-audit#229))

* Vulnerability sources: `pip-audit` now uniques each result based on its
  alias set, reducing the amount of duplicate information in the default
  columnar output format
  ([#232](pypa/pip-audit#232))

* CLI: `pip-audit` now prints its output more frequently, including when
  there are no discovered vulnerabilities but packages were skipped.
  Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted
  unconditionally
  ([#240](pypa/pip-audit#240))

### Fixed

* CLI: A regression causing excess output during `pip audit -r`
  was fixed ([#226](pypa/pip-audit#226))
Successfully merging this pull request may close these issues.

Support --dry-run with the --fix flag