Table of Contents
Mirrored from
/mnt/DATA/git/govoplan-core/docs/DEPENDENCY_AUDITS.md. Origin:repository. Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
Dependency Audits
GovOPlaN keeps dependency vulnerability checks reproducible but separate from the fast local smoke suite, because both Python and npm audits need network metadata and can fail for newly disclosed advisories without a source change.
Local Workflow
Install the development audit dependency once:
cd /mnt/DATA/git/govoplan-core
./.venv/bin/python -m pip install -r requirements-dev.txt
Run both backend and WebUI production audits:
cd /mnt/DATA/git/govoplan-core
bash scripts/check-dependency-audits.sh
The script runs:
scripts/check-dependency-hygiene.shfor pip resolver consistency, stale legacy editable package metadata, deprecated framework constants, and the StarletteTestClientdeprecation smoke when test dependencies are presentpython -m pip_audit --progress-spinner offnpm audit --omit=devinwebui
For fast local checks without vulnerability metadata lookups, run:
cd /mnt/DATA/git/govoplan-core
CHECK_TESTCLIENT_DEPRECATIONS=1 bash scripts/check-dependency-hygiene.sh
This is also part of scripts/check-focused.sh, so resolver drift and
deprecation regressions fail close to the code change that introduced them.
Override tool paths when testing from a disposable environment:
PYTHON=/tmp/govoplan-audit/bin/python \
NPM=/home/zemion/.nvm/versions/node/v22.22.3/bin/npm \
bash scripts/check-dependency-audits.sh
CI Workflow
.gitea/workflows/dependency-audit.yml installs release dependencies from
tagged package refs, installs pip-audit, and runs the same script on pushes,
pull requests, and a weekly schedule.
The workflow intentionally uses release dependency refs instead of local
file: or editable sibling paths. Development lockfiles may keep local module
links, but release audit results should represent the installable product.
Recording Results
When closing or triaging dependency-audit issues, add a short dated note under
docs/audits/. Record:
- the commands that were run
- whether Python and npm passed
- any advisories accepted as temporary risk
- follow-up issue links for required upgrades