This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch sbp
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/sbp by this push:
     new 6de01e2  Focus pip-audit on the relevant dependencies
6de01e2 is described below

commit 6de01e2c58d329d5121f4470458c4e291e60d2fe
Author: Sean B. Palmer <[email protected]>
AuthorDate: Wed Feb 11 12:40:57 2026 +0000

    Focus pip-audit on the relevant dependencies
---
 .pre-commit-config.yaml        |  12 +-
 Makefile                       |   1 +
 requirements-for-pip-audit.txt | 380 +++++++++++++++++++++++++++++++++++++++++
 uv.lock                        |   8 +-
 4 files changed, 394 insertions(+), 7 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8dc9134..ca7a27f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -100,10 +100,16 @@ repos:
   rev: v2.10.0
   hooks:
     - id: pip-audit
-      # TODO: remove when GitHub Actions has pip 26.0+
-      args: ["--ignore-vuln", "CVE-2026-1703"]
+      args:
+        - '-r'
+        - 'requirements-for-pip-audit.txt'
+        - '--disable-pip'
+        - '--no-deps'
+        # TODO: Remove when #644 is complete
+        - '--ignore-vuln'
+        - 'CVE-2026-26007'
 - repo: https://github.com/oxc-project/mirrors-oxlint
-  rev: v1.43.0
+  rev: v1.46.0
   hooks:
     - id: oxlint
       name: lint JS files with Oxlint
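Review bot: The `--ignore-vuln` / `CVE-2026-26007` pair is documented only by `# TODO: Remove when #644 is complete`, which does not say which pinned package the advisory affects or why suppressing it is acceptable in the meantime. A comment such as `# CVE-2026-26007 affects <package>; suppressed until #644 lands because <reason>` would let a reviewer judge the suppression without opening the issue. Separately, with `--disable-pip` and `--no-deps` the hook audits only the lines of `requirements-for-pip-audit.txt` and resolves nothing itself, so coverage depends on that file matching `uv.lock`. The `asfquart @ git+https://…` entry carries no version, so it is presumably not matched against advisories; worth confirming how pip-audit reports it. The hooks list continues outside the hunk.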
diff --git a/Makefile b/Makefile
index 7f61eab..e152b25 100644
--- a/Makefile
+++ b/Makefile
@@ -140,3 +140,4 @@ update-deps:
        pre-commit autoupdate || :
        uv lock --upgrade --exclude-newer "$$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        uv sync --frozen --all-groups
+       uv export --frozen --format requirements-txt --no-emit-project 
--no-header --no-hashes > requirements-for-pip-audit.txt
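Review bot: The export on the added line runs only as part of `update-deps`, so any other change to `uv.lock` leaves `requirements-for-pip-audit.txt` stale, and the pip-audit hook would then pass against pins that are no longer the ones installed. A drift check in CI or as a local pre-commit hook would close that gap, for example `uv export --frozen --format requirements-txt --no-emit-project --no-header --no-hashes | diff - requirements-for-pip-audit.txt`. The preceding line syncs with `--all-groups` while the export uses the default group selection, so if the project defines non-default groups they would be installed but not audited; worth confirming that is intended. The `update-deps` recipe begins outside the hunk.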
diff --git a/requirements-for-pip-audit.txt b/requirements-for-pip-audit.txt
new file mode 100644
index 0000000..5733e22
--- /dev/null
+++ b/requirements-for-pip-audit.txt
@@ -0,0 +1,380 @@
+aiofiles==24.1.0
+    # via
+    #   quart
+    #   quart-uploads
+    #   tooling-trusted-releases
+aiohappyeyeballs==2.6.1
+    # via aiohttp
+aiohttp==3.13.3
+    # via
+    #   asfpy
+    #   asfquart
+    #   tooling-trusted-releases
+aioshutil==1.6
+    # via tooling-trusted-releases
+aiosignal==1.4.0
+    # via aiohttp
+aiosmtplib==4.0.2
+    # via tooling-trusted-releases
+aiosqlite==0.21.0
+    # via tooling-trusted-releases
+aiozipstream==0.4
+    # via tooling-trusted-releases
+alembic==1.18.4
+    # via tooling-trusted-releases
+annotated-types==0.7.0
+    # via pydantic
+anyio==4.12.1
+    # via watchfiles
+arrow==1.4.0
+    # via isoduration
+asfpy==0.56
+    # via asfquart
+asfquart @ 
git+https://github.com/apache/infrastructure-asfquart.git@99e3ec6523a02111ab9a0dd90467d124906ce398
+    # via tooling-trusted-releases
+asyncssh==2.22.0
+    # via tooling-trusted-releases
+attrs==25.4.0
+    # via
+    #   aiohttp
+    #   jsonschema
+    #   referencing
+blake3==1.0.8
+    # via tooling-trusted-releases
+blinker==1.9.0
+    # via
+    #   flask
+    #   quart
+blockbuster==1.5.26
+    # via tooling-trusted-releases
+boolean-py==5.0
+    # via license-expression
+certifi==2026.1.4
+    # via requests
+cffi==1.17.1
+    # via
+    #   asfpy
+    #   cmarkgfm
+    #   cryptography
+cfgv==3.5.0
+    # via pre-commit
+charset-normalizer==3.4.4
+    # via requests
+click==8.3.1
+    # via
+    #   djlint
+    #   flask
+    #   quart
+cmarkgfm==2024.11.20
+    # via tooling-trusted-releases
+colorama==0.4.6
+    # via
+    #   click
+    #   djlint
+    #   tqdm
+cryptography==44.0.3
+    # via
+    #   asfpy
+    #   asyncssh
+    #   pgpy
+    #   tooling-trusted-releases
+cssbeautifier==1.15.4
+    # via djlint
+cvss==3.6
+    # via tooling-trusted-releases
+cyclonedx-python-lib==11.6.0
+    # via tooling-trusted-releases
+decouple-types==1.0.2
+defusedxml==0.7.1
+    # via py-serializable
+distlib==0.4.0
+    # via virtualenv
+djlint==1.36.4
+dnspython==2.8.0
+    # via
+    #   email-validator
+    #   tooling-trusted-releases
+dulwich==1.0.0
+    # via tooling-trusted-releases
+dunamai==1.25.0
+    # via tooling-trusted-releases
+easydict==1.13
+    # via
+    #   asfpy
+    #   asfquart
+editorconfig==0.17.1
+    # via
+    #   cssbeautifier
+    #   jsbeautifier
+email-validator==2.2.0
+    # via tooling-trusted-releases
+ezt==1.1
+    # via
+    #   asfpy
+    #   asfquart
+filelock==3.20.3
+    # via virtualenv
+flask==3.1.2
+    # via quart
+forbiddenfruit==0.1.4 ; implementation_name == 'cpython'
+    # via blockbuster
+fqdn==1.5.1
+    # via jsonschema
+frozenlist==1.8.0
+    # via
+    #   aiohttp
+    #   aiosignal
+gitignore-parser==0.1.13
+    # via tooling-trusted-releases
+greenlet==3.3.1
+    # via
+    #   sqlalchemy
+    #   tooling-trusted-releases
+h11==0.16.0
+    # via
+    #   hypercorn
+    #   wsproto
+h2==4.3.0
+    # via hypercorn
+hpack==4.1.0
+    # via h2
+htpy==25.12.0
+    # via tooling-trusted-releases
+hypercorn==0.18.0
+    # via
+    #   quart
+    #   tooling-trusted-releases
+hyperframe==6.1.0
+    # via h2
+hyperscan==0.8.0
+    # via tooling-trusted-releases
+identify==2.6.16
+    # via pre-commit
+idna==3.11
+    # via
+    #   anyio
+    #   email-validator
+    #   jsonschema
+    #   requests
+    #   yarl
+isoduration==20.11.0
+    # via jsonschema
+itsdangerous==2.2.0
+    # via
+    #   flask
+    #   quart
+jinja2==3.1.6
+    # via
+    #   flask
+    #   quart
+jsbeautifier==1.15.4
+    # via
+    #   cssbeautifier
+    #   djlint
+json5==0.13.0
+    # via djlint
+jsonpointer==3.0.0
+    # via jsonschema
+jsonschema==4.26.0
+    # via cyclonedx-python-lib
+jsonschema-specifications==2025.9.1
+    # via jsonschema
+lark==1.3.1
+    # via rfc3987-syntax
+ldap3==2.10.2rc2
+    # via tooling-trusted-releases
+license-expression==30.4.4
+    # via cyclonedx-python-lib
+mako==1.3.10
+    # via alembic
+markdown-it-py==4.0.0
+    # via rich
+markupsafe==3.0.3
+    # via
+    #   flask
+    #   htpy
+    #   jinja2
+    #   mako
+    #   quart
+    #   werkzeug
+    #   wtforms
+mdurl==0.1.2
+    # via markdown-it-py
+multidict==6.7.1
+    # via
+    #   aiohttp
+    #   yarl
+nodeenv==1.10.0
+    # via
+    #   pre-commit
+    #   pyright
+packageurl-python==0.17.6
+    # via cyclonedx-python-lib
+packaging==26.0
+    # via
+    #   dunamai
+    #   tooling-trusted-releases
+pathspec==1.0.4
+    # via djlint
+pgpy==0.6.0
+    # via tooling-trusted-releases
+platformdirs==4.5.1
+    # via virtualenv
+pre-commit==4.5.1
+priority==2.0.0
+    # via hypercorn
+propcache==0.4.1
+    # via
+    #   aiohttp
+    #   yarl
+psutil==7.2.2
+    # via tooling-trusted-releases
+puremagic==1.30
+    # via tooling-trusted-releases
+py-serializable==2.1.0
+    # via cyclonedx-python-lib
+pyasn1==0.6.2
+    # via
+    #   ldap3
+    #   pgpy
+pycparser==3.0
+    # via cffi
+pycryptodomex==3.23.0
+    # via ldap3
+pydantic==2.12.5
+    # via
+    #   pydantic-xml
+    #   quart-schema
+    #   sqlmodel
+pydantic-core==2.41.5
+    # via
+    #   pydantic
+    #   pydantic-xml
+pydantic-xml==2.18.0
+    # via tooling-trusted-releases
+pygments==2.19.2
+    # via rich
+pyhumps==3.8.0
+    # via quart-schema
+pyjwt==2.11.0
+    # via tooling-trusted-releases
+pyright==1.1.408
+python-dateutil==2.9.0.post0
+    # via
+    #   arrow
+    #   strictyaml
+python-decouple==3.8
+    # via tooling-trusted-releases
+python-gnupg==0.5.6
+    # via tooling-trusted-releases
+pyyaml==6.0.3
+    # via
+    #   asfpy
+    #   asfquart
+    #   djlint
+    #   pre-commit
+quart==0.20.0
+    # via
+    #   asfquart
+    #   quart-rate-limiter
+    #   quart-schema
+    #   quart-uploads
+    #   quart-wtforms
+quart-rate-limiter==0.12.1
+    # via tooling-trusted-releases
+quart-schema==0.23.0
+    # via tooling-trusted-releases
+quart-uploads==0.0.4
+    # via quart-wtforms
+quart-wtforms==1.0.3
+    # via tooling-trusted-releases
+referencing==0.37.0
+    # via
+    #   cyclonedx-python-lib
+    #   jsonschema
+    #   jsonschema-specifications
+regex==2026.1.15
+    # via djlint
+requests==2.32.5
+    # via asfpy
+rfc3339-validator==0.1.4
+    # via jsonschema
+rfc3986-validator==0.1.1
+    # via jsonschema
+rfc3987-syntax==1.1.0
+    # via jsonschema
+rich==14.0.0
+    # via tooling-trusted-releases
+rpds-py==0.30.0
+    # via
+    #   jsonschema
+    #   referencing
+ruff==0.15.0
+semver==3.0.4
+    # via tooling-trusted-releases
+six==1.17.0
+    # via
+    #   cssbeautifier
+    #   jsbeautifier
+    #   python-dateutil
+    #   rfc3339-validator
+sortedcontainers==2.4.0
+    # via cyclonedx-python-lib
+sqlalchemy==2.0.46
+    # via
+    #   alembic
+    #   sqlmodel
+sqlmodel==0.0.32
+    # via tooling-trusted-releases
+standard-imghdr==3.13.0
+    # via tooling-trusted-releases
+strictyaml==1.7.3
+    # via tooling-trusted-releases
+structlog==25.5.0
+    # via tooling-trusted-releases
+tqdm==4.67.3
+    # via djlint
+types-aiofiles==24.1.0.20250822
+    # via quart-uploads
+typing-extensions==4.15.0
+    # via
+    #   aiosqlite
+    #   alembic
+    #   asyncssh
+    #   pydantic
+    #   pydantic-core
+    #   pyright
+    #   sqlalchemy
+    #   typing-inspection
+typing-inspection==0.4.2
+    # via pydantic
+tzdata==2025.3
+    # via arrow
+uri-template==1.3.0
+    # via jsonschema
+urllib3==2.6.3
+    # via
+    #   dulwich
+    #   requests
+uvloop==0.22.1
+    # via hypercorn
+virtualenv==20.36.1
+    # via pre-commit
+watchfiles==1.1.1
+    # via
+    #   asfpy
+    #   asfquart
+webcolors==25.10.0
+    # via jsonschema
+werkzeug==3.1.5
+    # via
+    #   flask
+    #   quart
+wsproto==1.3.2
+    # via hypercorn
+wtforms==3.2.1
+    # via quart-wtforms
+yarl==1.22.0
+    # via aiohttp
+yyjson==4.0.6
+    # via tooling-trusted-releases
diff --git a/uv.lock b/uv.lock
index 01b4860..d25eb99 100644
--- a/uv.lock
+++ b/uv.lock
@@ -3,7 +3,7 @@ revision = 3
 requires-python = "==3.13.*"
 
 [options]
-exclude-newer = "2026-02-06T17:17:12Z"
+exclude-newer = "2026-02-11T12:36:19Z"
 
 [[package]]
 name = "aiofiles"
@@ -110,16 +110,16 @@ wheels = [
 
 [[package]]
 name = "alembic"
-version = "1.18.3"
+version = "1.18.4"
 source = { registry = "https://pypi.org/simple"; }
 dependencies = [
     { name = "mako" },
     { name = "sqlalchemy" },
     { name = "typing-extensions" },
 ]
-sdist = { url = 
"https://files.pythonhosted.org/packages/79/41/ab8f624929847b49f84955c594b165855efd829b0c271e1a8cac694138e5/alembic-1.18.3.tar.gz";,
 hash = 
"sha256:1212aa3778626f2b0f0aa6dd4e99a5f99b94bd25a0c1ac0bba3be65e081e50b0", size 
= 2052564, upload-time = "2026-01-29T20:24:15.124Z" }
+sdist = { url = 
"https://files.pythonhosted.org/packages/94/13/8b084e0f2efb0275a1d534838844926f798bd766566b1375174e2448cd31/alembic-1.18.4.tar.gz";,
 hash = 
"sha256:cb6e1fd84b6174ab8dbb2329f86d631ba9559dd78df550b57804d607672cedbc", size 
= 2056725, upload-time = "2026-02-10T16:00:47.195Z" }
 wheels = [
-    { url = 
"https://files.pythonhosted.org/packages/45/8e/d79281f323e7469b060f15bd229e48d7cdd219559e67e71c013720a88340/alembic-1.18.3-py3-none-any.whl";,
 hash = 
"sha256:12a0359bfc068a4ecbb9b3b02cf77856033abfdb59e4a5aca08b7eacd7b74ddd", size 
= 262282, upload-time = "2026-01-29T20:24:17.488Z" },
+    { url = 
"https://files.pythonhosted.org/packages/d2/29/6533c317b74f707ea28f8d633734dbda2119bbadfc61b2f3640ba835d0f7/alembic-1.18.4-py3-none-any.whl";,
 hash = 
"sha256:a5ed4adcf6d8a4cb575f3d759f071b03cd6e5c7618eb796cb52497be25bfe19a", size 
= 263893, upload-time = "2026-02-10T16:00:49.997Z" },
 ]
 
 [[package]]

