fix(ci): scope pip-audit to shipped deps #42
Addresses Codex review on PR #41: the no-argument pip_audit audited the entire runner environment including pip-audit's own dependencies, broader than the shipped dependency surface the gate claims to enforce.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5f1231d7a5
| run: | | ||
| pip install -e ".[server]" | ||
| python -m pip_audit | ||
| python -m pip_audit -r server/requirements.txt |
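Review bot: the added `python -m pip_audit -r server/requirements.txt` line sits directly after `pip install -e ".[server]"` but no longer reads what that install put in place, so the two lines of this `run:` block now cover different dependency sets and nothing in the step says which one the gate is meant to enforce. Add a comment above the audit line naming the intended scope and make the command match it; if the requirements file really is the intended scope, the editable install in this step is not needed for the audit.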
Restore auditing of installed shipped deps
This command now audits server/requirements.txt a second time instead of the environment populated by pip install -e ".[server]"; pip-audit documents -r REQUIREMENT as auditing the given requirements file, so the installed pyproject dependency surface is no longer checked. In this repo that skips shipped deps that are only in pyproject.toml (for example typer, rich, pyyaml, textual, mcp, and alembic), allowing vulnerabilities in those packages to pass the blocking workflow despite the step/comment saying pyproject core + [server] are covered.
Addresses second Codex review on PR #42: -r server/requirements.txt skipped pyproject deps (typer, rich, pyyaml, textual, mcp, alembic). pipx run pip-audit audits the installed .[server] environment (pyproject core + extra + requirements) while keeping pip-audit's own deps isolated. Confirmed clean locally.
Addresses Codex review on PR #41: the no-argument pip_audit audited the entire runner environment including pip-audit's own dependencies, making the gate broader than the shipped dependency surface it claims to enforce. Scopes the audit to server/requirements.txt, which audits clean locally (No known vulnerabilities found).