
TIMX 494 - pip audit and logging updates#142

Merged
ghukill merged 2 commits into main from TIMX-494-pip-audit-and-logging-updates
May 20, 2025

Conversation

@ghukill ghukill commented May 20, 2025

Purpose and background context

Small PR to apply the new pip-audit changes and some small, convenience logging options.

How can a reviewer manually see the effects of these changes?

Not much to see! make lint should work now, and some small logging changes just to make local development logging easier.

Includes new or updated dependencies?

YES

Changes expectations for external applications?

NO

What are the relevant tickets?

Developer

  • All new ENV is documented in README
  • All new ENV has been added to staging and production environments
  • All related Jira tickets are linked in commit message(s)
  • Stakeholder approval has been confirmed (or is not needed)

Code Reviewer(s)

  • The commit message is clear and follows our guidelines (not just this PR message)
  • There are appropriate tests covering any new functionality
  • The provided documentation is sufficient for understanding any new functionality introduced
  • Any manual tests have been performed or provided examples verified
  • New dependencies are appropriate or there were no changes

ghukill added 2 commits May 16, 2025 14:16
Why these changes are being introduced:

As of pipenv 2025.0.1 the use of `pipenv check` would throw
an error, indicating that the library `safety` was not installed.
It worked to run `pipenv check --auto-install` which would
temporarily install `safety`, but this was not ideal for multiple
reasons.

First, we anticipate potentially moving away from `pipenv`.

Second, it appears that `safety` is moving to a pay / subscription
model.

Third, it remains a little obfuscated what `pipenv check` is actually
doing.

As this new situation affects all builds in Github Actions CI,
we need a way to scan for vulnerabilities that ideally is not
a massive overhaul of our vulnerability scanning approach.

How this addresses that need:

`pip-audit` is a nice standalone, open-source library that
performs very similar work to `safety`.

This commit replaces `pipenv check` (which was `safety` under
the hood) with `pip-audit`.

Side effects of this change:
* Builds will be successful in Github Actions

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1240
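As an added illustration (not code from this PR or the timdex-dataset-api project) of how a CI job can consume pip-audit's output once it replaces pipenv check: a small gate that reads a `pip-audit --format json` report, applies an ignore list in which every entry carries an expiry date, and returns a non-zero status when any unignored finding remains. The JSON field names, the sample report and the package/vulnerability ids are assumptions and placeholders.

```python
"""CI gate over `pip-audit --format json` output (added example, not this repo's code).
Assumed JSON shape: a top-level "dependencies" list whose entries carry "name",
"version" and "vulns", each vuln with "id", "fix_versions" and "aliases"."""
import json
from datetime import date

# Constructed sample report; package names and vulnerability ids are placeholders.
SAMPLE_AUDIT = json.dumps({
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-EXAMPLE-1", "fix_versions": ["1.0.1"],
             "aliases": ["CVE-0000-EXAMPLE"]}]},
        {"name": "otherpkg", "version": "2.3.0", "vulns": [
            {"id": "PYSEC-0000-EXAMPLE-2", "fix_versions": [], "aliases": []}]},
        {"name": "cleanpkg", "version": "0.9.0", "vulns": []},
    ]
})

# Ignore list: vulnerability id (or alias) -> ISO expiry date. An ignore without
# an expiry would silently become permanent, so every entry needs one.
IGNORES = {"PYSEC-0000-EXAMPLE-2": "2099-01-01"}

def findings(audit_json: str, ignores: dict, today: str) -> list:
    """Vulnerabilities that should block the build: not ignored, or ignore expired."""
    now = date.fromisoformat(today)
    blocking = []
    for dep in json.loads(audit_json).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}  # match on id or any alias
            expiry = next((ignores[i] for i in ids if i in ignores), None)
            if expiry is not None and now <= date.fromisoformat(expiry):
                continue  # still covered by an unexpired ignore
            blocking.append({"package": dep["name"], "version": dep["version"],
                             "id": vuln["id"],
                             "fix_versions": vuln.get("fix_versions", [])})
    return blocking

def gate(audit_json: str, ignores: dict, today: str) -> int:
    """Exit status for the CI job: 0 when nothing blocking remains, 1 otherwise."""
    blocking = findings(audit_json, ignores, today)
    for f in blocking:
        fix = ", ".join(f["fix_versions"]) or "no fix released"
        print(f"{f['package']} {f['version']}: {f['id']} (fix: {fix})")
    return 1 if blocking else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_AUDIT, IGNORES, date.today().isoformat()))
```

In a real job the report would come from `pip-audit --format json` on stdin or a file rather than the embedded sample.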
@ghukill ghukill marked this pull request as ready for review May 20, 2025 15:19
@ghukill ghukill requested a review from a team May 20, 2025 15:19
@coveralls

Pull Request Test Coverage Report for Build 15141417534

Details

  • 4 of 8 (50.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-1.8%) to 95.652%

Changes Missing Coverage        Covered Lines   Changed/Added Lines   %
timdex_dataset_api/config.py    4               8                     50.0%

Totals Coverage Status
Change from base Build 13465031645: -1.8%
Covered Lines: 198
Relevant Lines: 207

💛 - Coveralls

@jonavellecuerdo jonavellecuerdo self-assigned this May 20, 2025
@ghukill ghukill merged commit 3f97353 into main May 20, 2025
2 checks passed