uv audit

.github/workflows/ci.yml

@@ -114,7 +114,7 @@ jobs:
         id: setup-python
         with:
           python-version: ${{ matrix.py-version.semantic }}
-      - name: Run pip-audit
+      - name: Run uv audit
         run: |
           pip install tox-uv
           tox -e audit-${{ matrix.py-version.tox }}

.github/workflows/regular.yml

@@ -104,7 +104,7 @@ jobs:
         id: setup-python
         with:
           python-version: ${{ matrix.py-version.semantic }}
-      - name: Run pip-audit
+      - name: Run uv audit
         run: |
           pip install tox-uv
           tox -e audit-${{ matrix.py-version.tox }}

CHANGELOG.md

@@ -14,6 +14,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   for determining the Pareto front
 - Interpoint constraints for continuous search spaces
 
+### Changed
+- Switched from `pip-audit` to `uv audit`, checking only direct dependencies
+
 ### Breaking Changes
 - `ContinuousLinearConstraint.to_botorch` now returns a collection of constraint tuples
   instead of a single tuple (needed for interpoint constraints)

CONTRIBUTING.md

@@ -117,7 +117,7 @@ If you have questions or problems, simply ask for advice.
 | [pytest](https://docs.pytest.org/)                                                              | testing                                   |
 | [pytest-cov](https://pytest-cov.readthedocs.io/)                                                | measuring test coverage                   |
 | [sphinx](https://www.sphinx-doc.org/)                                                           | generating our documentation              |
-| [pip-audit](https://github.com/pypa/pip-audit)                                                  | detecting vulnerabilities in dependencies |
+| [uv audit](https://docs.astral.sh/uv/reference/cli/#uv-audit)                                   | detecting vulnerabilities in dependencies |
 | [tox](https://tox.wiki/)                                                                        | orchestrating all the above               |
 
 Executing a specific one of these tools is easiest by using the corresponding

pyproject.toml

@@ -54,10 +54,6 @@ Issues = "https://github.com/emdgroup/baybe/issues/"
 # DEV TOOLS NOTE: The versions of all dev tools should be consistent everywhere
 # (pre-commit, environment.yml, requirements.txt, pyproject.toml, ...)
 
-# AUDIT NOTE: The marked packages are secondary dependencies but their versions are
-# set explicitly because the otherwise installed default versions have been flagged
-# for vulnerabilities by pip-audit
-
 [project.optional-dependencies]
 extras = [
     "baybe[chem]",
@@ -80,7 +76,6 @@ chem = [
 # for onnxruntime to <1.24 for Python 3.10.
 # See https://github.com/microsoft/onnxruntime/pull/27354 for more details.
 onnx = [
-    "onnx>=1.16.0", # see AUDIT NOTE, required by skl2onnx
     "onnxruntime>=1.15.1,<1.24; python_version < '3.11'",
     "onnxruntime>=1.15.1; python_version >= '3.11'",   
     "skl2onnx>=1.19.1",
@@ -93,7 +88,6 @@ dev = [
     "baybe[mypy]",
     "baybe[test]",
     "baybe[benchmarking]",
-    "pip-audit>=2.5.5",
     "setuptools-scm>=7.1.0",
     "tox-uv>=1.7.0",
     "uv>=0.11.3",
@@ -122,11 +116,9 @@ examples = [
     "baybe[extras]",
     "matplotlib>=3.7.3,!=3.9.1",
     "openpyxl>=3.0.9",
-    "pillow>=10.0.1", # Necessary due to vulnerability
     "plotly>=5.10.0",
     "seaborn>=0.12.2",
-    "streamlit>=1.37.0", # Necessary due to vulnerability
-    "tornado>=6.3.3", # see AUDIT NOTE, required by streamlit
+    "streamlit>=1.37.0",
 ]
 
 lint = [

tools/audit.py

@@ -0,0 +1,194 @@
+"""Wrapper around ``uv audit`` that only fails on direct dependency vulnerabilities.
+
+This script runs ``uv audit`` with any extra arguments forwarded, parses its output
+to determine which packages are flagged, and cross-references them against the
+project's direct dependencies (from ``pyproject.toml``). The output is reorganized
+into clearly separated sections for direct vs. transitive vulnerabilities, and the
+exit code only reflects whether *direct* dependencies are affected.
+"""
+
+from __future__ import annotations
+
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+try:
+    import tomllib
+except ModuleNotFoundError:  # Python < 3.11
+    import tomli as tomllib  # type: ignore[no-redef]
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+# PEP 503 normalization: lowercase, runs of [-_.] become a single dash
+_NORMALIZE_RE = re.compile(r"[-_.]+")
+
+
+def _normalize(name: str) -> str:
+    return _NORMALIZE_RE.sub("-", name).lower()
+
+
+def _extract_package_name(spec: str) -> str:
+    """Return the bare package name from a PEP 508 dependency string."""
+    return re.split(r"[\[><=!~;\s]", spec, maxsplit=1)[0].strip()
+
+
+def _get_direct_dependencies(pyproject_path: Path) -> set[str]:
+    """Collect all direct dependency names from ``pyproject.toml``.
+
+    This includes core ``dependencies`` as well as every entry listed under
+    ``[project.optional-dependencies]``.  Self-references (e.g. ``baybe[chem]``)
+    are excluded.
+    """
+    with open(pyproject_path, "rb") as f:
+        data = tomllib.load(f)
+
+    project = data.get("project", {})
+    project_name = _normalize(project.get("name", ""))
+
+    deps: set[str] = set()
+
+    # Core dependencies
+    for spec in project.get("dependencies", []):
+        name = _normalize(_extract_package_name(spec))
+        if name != project_name:
+            deps.add(name)
+
+    # Optional dependencies (all extras)
+    for group_deps in project.get("optional-dependencies", {}).values():
+        for spec in group_deps:
+            name = _normalize(_extract_package_name(spec))
+            if name != project_name:
+                deps.add(name)
+
+    return deps
+
+
+# Regex matching the header line for each vulnerable package in ``uv audit``
+# output, e.g. ``requests 2.32.5 has 1 known vulnerability:``
+_VULN_HEADER_RE = re.compile(
+    r"^(\S+)\s+\S+\s+has\s+\d+\s+known\s+vulnerabilit", re.MULTILINE
+)
+
+
+def _parse_vulnerability_blocks(output: str) -> list[tuple[str, str]]:
+    """Parse ``uv audit`` output into (package_name, block_text) pairs.
+
+    Each block starts with a header like ``requests 2.32.5 has 1 known
+    vulnerability:`` and includes all subsequent lines until the next header
+    or end of output.
+    """
+    # Find all header positions
+    headers = list(_VULN_HEADER_RE.finditer(output))
+    if not headers:
+        return []
+
+    blocks: list[tuple[str, str]] = []
+    for i, match in enumerate(headers):
+        start = match.start()
+        end = headers[i + 1].start() if i + 1 < len(headers) else len(output)
+        pkg_name = _normalize(match.group(1))
+        block_text = output[start:end].rstrip()
+        blocks.append((pkg_name, block_text))
+
+    return blocks
+
+
+def _count_vulns(blocks: list[tuple[str, str]]) -> int:
+    """Count the total number of individual vulnerabilities across blocks."""
+    total = 0
+    for _, text in blocks:
+        # Each vulnerability entry starts with "- GHSA-" or "- CVE-" etc.
+        total += len(re.findall(r"^- \S+", text, re.MULTILINE))
+    return total
+
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+
+_SEPARATOR = "=" * 72
+
+
+def main() -> int:
+    """Run ``uv audit`` and only fail on direct dependency vulnerabilities."""
+    # Locate pyproject.toml relative to this script (repo root)
+    repo_root = Path(__file__).resolve().parent.parent
+    pyproject_path = repo_root / "pyproject.toml"
+
+    if not pyproject_path.exists():
+        print(f"ERROR: {pyproject_path} not found", file=sys.stderr)
+        return 1
+
+    direct_deps = _get_direct_dependencies(pyproject_path)
+
+    # Run uv audit, forwarding any extra CLI arguments (e.g. --ignore-until-fixed)
+    result = subprocess.run(
+        ["uv", "audit", *sys.argv[1:]],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+
+    # Forward stderr (warnings, progress, etc.)
+    if result.stderr:
+        print(result.stderr, end="", file=sys.stderr)
+
+    # If uv audit passed, we pass too
+    if result.returncode == 0:
+        if result.stdout:
+            print(result.stdout, end="")
+        return 0
+
+    # Parse vulnerability blocks and classify them
+    blocks = _parse_vulnerability_blocks(result.stdout)
+    direct_blocks = [(name, text) for name, text in blocks if name in direct_deps]
+    transitive_blocks = [
+        (name, text) for name, text in blocks if name not in direct_deps
+    ]
+
+    n_direct = _count_vulns(direct_blocks)
+    n_transitive = _count_vulns(transitive_blocks)
+
+    # Print transitive vulnerabilities (informational)
+    if transitive_blocks:
+        print(_SEPARATOR)
+        names = ", ".join(sorted({n for n, _ in transitive_blocks}))
+        print(
+            f"TRANSITIVE dependency vulnerabilities ({n_transitive} total, "
+            f"not causing failure): {names}"
+        )
+        print(_SEPARATOR)
+        for _, text in transitive_blocks:
+            print()
+            print(text)
+        print()
+
+    # Print direct vulnerabilities (these cause failure)
+    if direct_blocks:
+        print(_SEPARATOR)
+        names = ", ".join(sorted({n for n, _ in direct_blocks}))
+        print(
+            f"DIRECT dependency vulnerabilities ({n_direct} total, "
+            f"CAUSING FAILURE): {names}"
+        )
+        print(_SEPARATOR)
+        for _, text in direct_blocks:
+            print()
+            print(text)
+        print()
+        return 1
+
+    print(_SEPARATOR)
+    print(
+        f"All {n_transitive} vulnerabilities are in transitive dependencies -- passing."
+    )
+    print(_SEPARATOR)
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

tox.ini

@@ -66,25 +66,24 @@ commands =
     mypy
 
 [testenv:audit,audit-py{310,311,312,313}]
-description = Run pip-audit
-extras = dev # audit entire environment
+description = Run uv audit (only direct dependency vulnerabilities cause failure)
+extras = dev  # audit entire environment
 setenv =
-    # Add pip-audit exceptions here, like:
-    # EXCLUDES=--ignore-vuln EXCEPTION_ID1 --ignore-vuln EXCEPTION_ID2 ...
+    # Add uv audit exceptions here, like:
+    # EXCLUDES=--ignore-until-fixed EXCEPTION_ID1 --ignore-until-fixed EXCEPTION_ID2 ...
 commands =
     python --version
-    pip-audit {env:EXCLUDES:}
+    python tools/audit.py {env:EXCLUDES:}
 
 # This is separated from the other audit block because in 3.14 only core deps are tested
 [testenv:audit-py314]
-description = Run pip-audit
-deps = pip-audit
+description = Run uv audit (only direct dependency vulnerabilities cause failure)
 setenv =
-    # Add pip-audit exceptions here, like:
-    # EXCLUDES=--ignore-vuln EXCEPTION_ID1 --ignore-vuln EXCEPTION_ID2 ...
+    # Add uv audit exceptions here, like:
+    # EXCLUDES=--ignore-until-fixed EXCEPTION_ID1 --ignore-until-fixed EXCEPTION_ID2 ...
 commands =
     python --version
-    pip-audit {env:EXCLUDES:}
+    python tools/audit.py {env:EXCLUDES:}
 
 [testenv:docs-py310]
 description = Build documentation, passing posargs to control what should be built