chore: consolidate platform split checks
This commit is contained in:
67
docs/DEPENDENCY_AUDITS.md
Normal file
67
docs/DEPENDENCY_AUDITS.md
Normal file
@@ -0,0 +1,67 @@
|
||||
# Dependency Audits
|
||||
|
||||
GovOPlaN keeps dependency vulnerability checks reproducible but separate from
|
||||
the fast local smoke suite, because both Python and npm audits need network
|
||||
metadata and can fail for newly disclosed advisories without a source change.
|
||||
|
||||
## Local Workflow
|
||||
|
||||
Install the development audit dependency once:
|
||||
|
||||
```bash
|
||||
cd /mnt/DATA/git/govoplan-core
|
||||
./.venv/bin/python -m pip install -r requirements-dev.txt
|
||||
```
|
||||
|
||||
Run both backend and WebUI production audits:
|
||||
|
||||
```bash
|
||||
cd /mnt/DATA/git/govoplan-core
|
||||
bash scripts/check-dependency-audits.sh
|
||||
```
|
||||
|
||||
The script runs:
|
||||
|
||||
- `scripts/check-dependency-hygiene.sh` for pip resolver consistency, stale
|
||||
legacy editable package metadata, deprecated framework constants, and the
|
||||
Starlette `TestClient` deprecation smoke when test dependencies are present
|
||||
- `python -m pip_audit --progress-spinner off`
|
||||
- `npm audit --omit=dev` in `webui`
|
||||
|
||||
For fast local checks without vulnerability metadata lookups, run:
|
||||
|
||||
```bash
|
||||
cd /mnt/DATA/git/govoplan-core
|
||||
CHECK_TESTCLIENT_DEPRECATIONS=1 bash scripts/check-dependency-hygiene.sh
|
||||
```
|
||||
|
||||
This is also part of `scripts/check-focused.sh`, so resolver drift and
|
||||
deprecation regressions fail close to the code change that introduced them.
|
||||
|
||||
Override tool paths when testing from a disposable environment:
|
||||
|
||||
```bash
|
||||
PYTHON=/tmp/govoplan-audit/bin/python \
|
||||
NPM=/home/zemion/.nvm/versions/node/v22.22.3/bin/npm \
|
||||
bash scripts/check-dependency-audits.sh
|
||||
```
|
||||
|
||||
## CI Workflow
|
||||
|
||||
`.gitea/workflows/dependency-audit.yml` installs release dependencies from
|
||||
tagged package refs, installs `pip-audit`, and runs the same script on pushes,
|
||||
pull requests, and a weekly schedule.
|
||||
|
||||
The workflow intentionally uses release dependency refs instead of local
|
||||
`file:` or editable sibling paths. Development lockfiles may keep local module
|
||||
links, but release audit results should represent the installable product.
|
||||
|
||||
## Recording Results
|
||||
|
||||
When closing or triaging dependency-audit issues, add a short dated note under
|
||||
`docs/audits/`. Record:
|
||||
|
||||
- the commands that were run
|
||||
- whether Python and npm passed
|
||||
- any advisories accepted as temporary risk
|
||||
- follow-up issue links for required upgrades
|
||||
Reference in New Issue
Block a user