From b516ee1c7a0839b9e383689fa727383c954b0ef9 Mon Sep 17 00:00:00 2001 From: zemion Date: Thu, 9 Jul 2026 13:18:45 +0200 Subject: [PATCH] Sync Repo-docs-DEPENDENCY-AUDITS from project files --- Repo-docs-DEPENDENCY-AUDITS.-.md | 61 ++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 Repo-docs-DEPENDENCY-AUDITS.-.md diff --git a/Repo-docs-DEPENDENCY-AUDITS.-.md b/Repo-docs-DEPENDENCY-AUDITS.-.md new file mode 100644 index 0000000..fbb1212 --- /dev/null +++ b/Repo-docs-DEPENDENCY-AUDITS.-.md @@ -0,0 +1,61 @@ + + +> Mirrored from `/mnt/DATA/git/govoplan-core/docs/DEPENDENCY_AUDITS.md`. +> Origin: `repository`. +> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context. + +--- +# Dependency Audits + +GovOPlaN keeps dependency vulnerability checks reproducible but separate from +the fast local smoke suite, because both Python and npm audits need network +metadata and can fail for newly disclosed advisories without a source change. + +## Local Workflow + +Install the development audit dependency once: + +```bash +cd /mnt/DATA/git/govoplan-core +./.venv/bin/python -m pip install -r requirements-dev.txt +``` + +Run both backend and WebUI production audits: + +```bash +cd /mnt/DATA/git/govoplan-core +scripts/check-dependency-audits.sh +``` + +The script runs: + +- `python -m pip_audit --progress-spinner off` +- `npm audit --omit=dev` in `webui` + +Override tool paths when testing from a disposable environment: + +```bash +PYTHON=/tmp/govoplan-audit/bin/python \ +NPM=/home/zemion/.nvm/versions/node/v22.22.3/bin/npm \ +scripts/check-dependency-audits.sh +``` + +## CI Workflow + +`.gitea/workflows/dependency-audit.yml` installs release dependencies from +tagged package refs, installs `pip-audit`, and runs the same script on pushes, +pull requests, and a weekly schedule. + +The workflow intentionally uses release dependency refs instead of local +`file:` or editable sibling paths. Development lockfiles may keep local module +links, but release audit results should represent the installable product. + +## Recording Results + +When closing or triaging dependency-audit issues, add a short dated note under +`docs/audits/`. Record: + +- the commands that were run +- whether Python and npm passed +- any advisories accepted as temporary risk +- follow-up issue links for required upgrades