# Dependency Audits GovOPlaN keeps dependency vulnerability checks reproducible but separate from the fast local smoke suite, because both Python and npm audits need network metadata and can fail for newly disclosed advisories without a source change. ## Local Workflow Install the development audit dependency once: ```bash cd /mnt/DATA/git/govoplan-core ./.venv/bin/python -m pip install -r requirements-dev.txt ``` Run both backend and WebUI production audits: ```bash cd /mnt/DATA/git/govoplan-core bash scripts/check-dependency-audits.sh ``` The script runs: - `scripts/check-dependency-hygiene.sh` for pip resolver consistency, stale legacy editable package metadata, deprecated framework constants, and the Starlette `TestClient` deprecation smoke when test dependencies are present - `python -m pip_audit --progress-spinner off` - `npm audit --omit=dev` in `webui` For fast local checks without vulnerability metadata lookups, run: ```bash cd /mnt/DATA/git/govoplan-core CHECK_TESTCLIENT_DEPRECATIONS=1 bash scripts/check-dependency-hygiene.sh ``` This is also part of `scripts/check-focused.sh`, so resolver drift and deprecation regressions fail close to the code change that introduced them. Override tool paths when testing from a disposable environment: ```bash PYTHON=/tmp/govoplan-audit/bin/python \ NPM=/home/zemion/.nvm/versions/node/v22.22.3/bin/npm \ bash scripts/check-dependency-audits.sh ``` ## CI Workflow `.gitea/workflows/dependency-audit.yml` installs release dependencies from tagged package refs, installs `pip-audit`, and runs the same script on pushes, pull requests, and a weekly schedule. The workflow intentionally uses release dependency refs instead of local `file:` or editable sibling paths. Development lockfiles may keep local module links, but release audit results should represent the installable product. ## Recording Results When closing or triaging dependency-audit issues, add a short dated note under `docs/audits/`. Record: - the commands that were run - whether Python and npm passed - any advisories accepted as temporary risk - follow-up issue links for required upgrades