71 lines
2.2 KiB
Markdown
71 lines
2.2 KiB
Markdown
# Dependency Audits
|
|
|
|
GovOPlaN keeps dependency vulnerability checks reproducible but separate from
|
|
the fast local smoke suite, because both Python and npm audits need network
|
|
metadata and can fail for newly disclosed advisories without a source change.
|
|
|
|
## Local Workflow
|
|
|
|
Install the whole-product development dependencies once from the meta
|
|
repository:
|
|
|
|
```bash
|
|
cd /mnt/DATA/git/govoplan
|
|
./.venv/bin/python -m pip install -r requirements-dev.txt
|
|
```
|
|
|
|
Run both backend and WebUI production audits:
|
|
|
|
```bash
|
|
cd /mnt/DATA/git/govoplan
|
|
bash tools/checks/check-dependency-audits.sh
|
|
```
|
|
|
|
The script runs:
|
|
|
|
- `tools/checks/check-dependency-hygiene.sh` for pip resolver consistency, stale
|
|
legacy editable package metadata, deprecated framework constants, and the
|
|
Starlette `TestClient` deprecation smoke when test dependencies are present
|
|
- `python -m pip_audit --progress-spinner off`
|
|
- `npm audit --omit=dev` in `webui`
|
|
|
|
For fast local checks without vulnerability metadata lookups, run:
|
|
|
|
```bash
|
|
cd /mnt/DATA/git/govoplan
|
|
CHECK_TESTCLIENT_DEPRECATIONS=1 \
|
|
bash tools/checks/check-dependency-hygiene.sh
|
|
```
|
|
|
|
This is also part of `govoplan/tools/checks/check-focused.sh`, so resolver drift and
|
|
deprecation regressions fail close to the code change that introduced them.
|
|
|
|
Override tool paths when testing from a disposable environment:
|
|
|
|
```bash
|
|
PYTHON=/tmp/govoplan-audit/bin/python \
|
|
NPM=/home/zemion/.nvm/versions/node/v22.22.3/bin/npm \
|
|
GOVOPLAN_CORE_ROOT=/mnt/DATA/git/govoplan-core \
|
|
bash /mnt/DATA/git/govoplan/tools/checks/check-dependency-audits.sh
|
|
```
|
|
|
|
## CI Workflow
|
|
|
|
`govoplan/.gitea/workflows/dependency-audit.yml` installs release dependencies from
|
|
tagged package refs, installs `pip-audit`, and runs the same script on pushes,
|
|
pull requests, and a weekly schedule.
|
|
|
|
The workflow intentionally uses release dependency refs instead of local
|
|
`file:` or editable sibling paths. Development lockfiles may keep local module
|
|
links, but release audit results should represent the installable product.
|
|
|
|
## Recording Results
|
|
|
|
When closing or triaging dependency-audit issues, add a short dated note under
|
|
`docs/audits/`. Record:
|
|
|
|
- the commands that were run
|
|
- whether Python and npm passed
|
|
- any advisories accepted as temporary risk
|
|
- follow-up issue links for required upgrades
|