MITLibraries / alma-creditcardslips

100%

LAST BUILD ON BRANCH main

branch: SELECT

CHANGE BRANCH

x

Sync Branches

• No branch selected
• IN-1065-maintenance-09-2024
• IN-1127-empty-string-funds
• IN-1255-pip-audit
• IN-735
• INFRA-439-vendor-name
• dependabot-update
• dependabot/docker/python-3.12-slim
• dependabot/pip/authlib-1.3.1
• dependabot/pip/bandit-1.7.5
• dependabot/pip/boto3-1.26.100
• dependabot/pip/boto3-1.26.101
• dependabot/pip/boto3-1.26.102
• dependabot/pip/boto3-1.26.103
• dependabot/pip/boto3-1.26.104
• dependabot/pip/boto3-1.26.105
• dependabot/pip/boto3-1.26.106
• dependabot/pip/boto3-1.26.107
• dependabot/pip/boto3-1.26.108
• dependabot/pip/boto3-1.26.109
• dependabot/pip/boto3-1.26.110
• dependabot/pip/boto3-1.26.111
• dependabot/pip/boto3-1.26.112
• dependabot/pip/boto3-1.26.113
• dependabot/pip/boto3-1.26.114
• dependabot/pip/boto3-1.26.115
• dependabot/pip/boto3-1.26.116
• dependabot/pip/boto3-1.26.117
• dependabot/pip/boto3-1.26.118
• dependabot/pip/boto3-1.26.119
• dependabot/pip/boto3-1.26.120
• dependabot/pip/boto3-1.26.121
• dependabot/pip/boto3-1.26.122
• dependabot/pip/boto3-1.26.123
• dependabot/pip/boto3-1.26.124
• dependabot/pip/boto3-1.26.125
• dependabot/pip/boto3-1.26.126
• dependabot/pip/boto3-1.26.127
• dependabot/pip/boto3-1.26.129
• dependabot/pip/boto3-1.26.133
• dependabot/pip/boto3-1.26.137
• dependabot/pip/boto3-1.26.142
• dependabot/pip/boto3-1.26.146
• dependabot/pip/boto3-1.26.151
• dependabot/pip/boto3-1.26.155
• dependabot/pip/boto3-1.26.160
• dependabot/pip/boto3-1.26.165
• dependabot/pip/boto3-1.26.79
• dependabot/pip/boto3-1.26.80
• dependabot/pip/boto3-1.26.81
• dependabot/pip/boto3-1.26.82
• dependabot/pip/boto3-1.26.83
• dependabot/pip/boto3-1.26.84
• dependabot/pip/boto3-1.26.85
• dependabot/pip/boto3-1.26.86
• dependabot/pip/boto3-1.26.87
• dependabot/pip/boto3-1.26.88
• dependabot/pip/boto3-1.26.90
• dependabot/pip/boto3-1.26.91
• dependabot/pip/boto3-1.26.92
• dependabot/pip/boto3-1.26.93
• dependabot/pip/boto3-1.26.94
• dependabot/pip/boto3-1.26.95
• dependabot/pip/boto3-1.26.96
• dependabot/pip/boto3-1.26.97
• dependabot/pip/boto3-1.26.98
• dependabot/pip/boto3-1.26.99
• dependabot/pip/boto3-1.28.1
• dependabot/pip/boto3-1.28.15
• dependabot/pip/boto3-1.28.3
• dependabot/pip/boto3-1.28.62
• dependabot/pip/boto3-1.28.63
• dependabot/pip/boto3-1.28.65
• dependabot/pip/boto3-1.28.66
• dependabot/pip/boto3-1.28.68
• dependabot/pip/boto3-1.28.73
• dependabot/pip/boto3-1.28.78
• dependabot/pip/boto3-1.28.84
• dependabot/pip/boto3-1.28.9
• dependabot/pip/boto3-1.29.3
• dependabot/pip/boto3-1.29.6
• dependabot/pip/boto3-1.33.6
• dependabot/pip/boto3-1.33.9
• dependabot/pip/boto3-1.34.108
• dependabot/pip/boto3-1.34.11
• dependabot/pip/boto3-1.34.113
• dependabot/pip/boto3-1.34.117
• dependabot/pip/boto3-1.34.122
• dependabot/pip/boto3-1.34.127
• dependabot/pip/boto3-1.34.131
• dependabot/pip/boto3-1.34.136
• dependabot/pip/boto3-1.34.14
• dependabot/pip/boto3-1.34.140
• dependabot/pip/boto3-1.34.144
• dependabot/pip/boto3-1.34.145
• dependabot/pip/boto3-1.34.149
• dependabot/pip/boto3-1.34.153
• dependabot/pip/boto3-1.34.158
• dependabot/pip/boto3-1.34.19
• dependabot/pip/boto3-1.34.2
• dependabot/pip/boto3-1.34.7
• dependabot/pip/boto3-stubs-1.26.100
• dependabot/pip/boto3-stubs-1.26.101
• dependabot/pip/boto3-stubs-1.26.102
• dependabot/pip/boto3-stubs-1.26.103.post1
• dependabot/pip/boto3-stubs-1.26.104
• dependabot/pip/boto3-stubs-1.26.105
• dependabot/pip/boto3-stubs-1.26.106
• dependabot/pip/boto3-stubs-1.26.107
• dependabot/pip/boto3-stubs-1.26.108
• dependabot/pip/boto3-stubs-1.26.109
• dependabot/pip/boto3-stubs-1.26.110
• dependabot/pip/boto3-stubs-1.26.111
• dependabot/pip/boto3-stubs-1.26.112
• dependabot/pip/boto3-stubs-1.26.113
• dependabot/pip/boto3-stubs-1.26.114
• dependabot/pip/boto3-stubs-1.26.115
• dependabot/pip/boto3-stubs-1.26.116
• dependabot/pip/boto3-stubs-1.26.117
• dependabot/pip/boto3-stubs-1.26.118
• dependabot/pip/boto3-stubs-1.26.119
• dependabot/pip/boto3-stubs-1.26.120
• dependabot/pip/boto3-stubs-1.26.121
• dependabot/pip/boto3-stubs-1.26.122
• dependabot/pip/boto3-stubs-1.26.123
• dependabot/pip/boto3-stubs-1.26.124
• dependabot/pip/boto3-stubs-1.26.125
• dependabot/pip/boto3-stubs-1.26.126
• dependabot/pip/boto3-stubs-1.26.127
• dependabot/pip/boto3-stubs-1.26.129
• dependabot/pip/boto3-stubs-1.26.133
• dependabot/pip/boto3-stubs-1.26.137
• dependabot/pip/boto3-stubs-1.26.142
• dependabot/pip/boto3-stubs-1.26.146
• dependabot/pip/boto3-stubs-1.26.151
• dependabot/pip/boto3-stubs-1.26.155
• dependabot/pip/boto3-stubs-1.26.160
• dependabot/pip/boto3-stubs-1.26.165
• dependabot/pip/boto3-stubs-1.26.79
• dependabot/pip/boto3-stubs-1.26.80
• dependabot/pip/boto3-stubs-1.26.81
• dependabot/pip/boto3-stubs-1.26.82
• dependabot/pip/boto3-stubs-1.26.83
• dependabot/pip/boto3-stubs-1.26.84
• dependabot/pip/boto3-stubs-1.26.85
• dependabot/pip/boto3-stubs-1.26.86
• dependabot/pip/boto3-stubs-1.26.87
• dependabot/pip/boto3-stubs-1.26.88
• dependabot/pip/boto3-stubs-1.26.90
• dependabot/pip/boto3-stubs-1.26.91
• dependabot/pip/boto3-stubs-1.26.92
• dependabot/pip/boto3-stubs-1.26.93
• dependabot/pip/boto3-stubs-1.26.94
• dependabot/pip/boto3-stubs-1.26.95
• dependabot/pip/boto3-stubs-1.26.96
• dependabot/pip/boto3-stubs-1.26.97.post1
• dependabot/pip/boto3-stubs-1.26.98
• dependabot/pip/boto3-stubs-1.26.99
• dependabot/pip/boto3-stubs-1.28.1
• dependabot/pip/boto3-stubs-1.28.15.post1
• dependabot/pip/boto3-stubs-1.28.3.post2
• dependabot/pip/boto3-stubs-1.28.62
• dependabot/pip/boto3-stubs-1.28.63
• dependabot/pip/boto3-stubs-1.28.65
• dependabot/pip/boto3-stubs-1.28.66
• dependabot/pip/boto3-stubs-1.28.68
• dependabot/pip/boto3-stubs-1.28.73
• dependabot/pip/boto3-stubs-1.28.78
• dependabot/pip/boto3-stubs-1.28.84
• dependabot/pip/boto3-stubs-1.28.9
• dependabot/pip/boto3-stubs-1.29.3
• dependabot/pip/boto3-stubs-1.29.6
• dependabot/pip/boto3-stubs-1.33.6
• dependabot/pip/boto3-stubs-1.33.9
• dependabot/pip/boto3-stubs-1.34.108
• dependabot/pip/boto3-stubs-1.34.11
• dependabot/pip/boto3-stubs-1.34.113
• dependabot/pip/boto3-stubs-1.34.117
• dependabot/pip/boto3-stubs-1.34.122
• dependabot/pip/boto3-stubs-1.34.127
• dependabot/pip/boto3-stubs-1.34.131
• dependabot/pip/boto3-stubs-1.34.136
• dependabot/pip/boto3-stubs-1.34.14
• dependabot/pip/boto3-stubs-1.34.140
• dependabot/pip/boto3-stubs-1.34.144
• dependabot/pip/boto3-stubs-1.34.145
• dependabot/pip/boto3-stubs-1.34.149
• dependabot/pip/boto3-stubs-1.34.153
• dependabot/pip/boto3-stubs-1.34.158
• dependabot/pip/boto3-stubs-1.34.19
• dependabot/pip/boto3-stubs-1.34.2
• dependabot/pip/boto3-stubs-1.34.7
• dependabot/pip/certifi-2023.7.22
• dependabot/pip/certifi-2024.7.4
• dependabot/pip/coveralls-4.0.1
• dependabot/pip/cryptography-41.0.0
• dependabot/pip/cryptography-41.0.2
• dependabot/pip/cryptography-41.0.3
• dependabot/pip/cryptography-41.0.6
• dependabot/pip/gitpython-3.1.37
• dependabot/pip/jinja2-3.1.3
• dependabot/pip/moto-4.1.4
• dependabot/pip/moto-4.2.10
• dependabot/pip/moto-4.2.11
• dependabot/pip/moto-4.2.5
• dependabot/pip/moto-4.2.6
• dependabot/pip/moto-4.2.7
• dependabot/pip/moto-4.2.8
• dependabot/pip/moto-4.2.9
• dependabot/pip/mypy-1.0.1
• dependabot/pip/mypy-1.1.1
• dependabot/pip/mypy-1.2.0
• dependabot/pip/pytest-7.2.2
• dependabot/pip/pytest-7.4.3
• dependabot/pip/pytest-7.4.4
• dependabot/pip/pytest-8.2.1
• dependabot/pip/pytest-8.2.2
• dependabot/pip/pytest-8.3.1
• dependabot/pip/pytest-8.3.2
• dependabot/pip/requests-2.31.0
• dependabot/pip/requests-2.32.0
• dependabot/pip/requests-2.32.2
• dependabot/pip/requests-2.32.3
• dependabot/pip/sentry-sdk-1.16.0
• dependabot/pip/sentry-sdk-1.17.0
• dependabot/pip/sentry-sdk-1.18.0
• dependabot/pip/sentry-sdk-1.19.0
• dependabot/pip/sentry-sdk-1.19.1
• dependabot/pip/sentry-sdk-1.20.0
• dependabot/pip/sentry-sdk-1.21.0
• dependabot/pip/sentry-sdk-1.21.1
• dependabot/pip/sentry-sdk-1.22.1
• dependabot/pip/sentry-sdk-1.22.2
• dependabot/pip/sentry-sdk-1.23.1
• dependabot/pip/sentry-sdk-1.24.0
• dependabot/pip/sentry-sdk-1.25.0
• dependabot/pip/sentry-sdk-1.25.1
• dependabot/pip/sentry-sdk-1.26.0
• dependabot/pip/sentry-sdk-1.27.1
• dependabot/pip/sentry-sdk-1.28.1
• dependabot/pip/sentry-sdk-1.39.1
• dependabot/pip/sentry-sdk-1.39.2
• dependabot/pip/sentry-sdk-2.10.0
• dependabot/pip/sentry-sdk-2.11.0
• dependabot/pip/sentry-sdk-2.12.0
• dependabot/pip/sentry-sdk-2.2.0
• dependabot/pip/sentry-sdk-2.3.1
• dependabot/pip/sentry-sdk-2.5.1
• dependabot/pip/sentry-sdk-2.6.0
• dependabot/pip/sentry-sdk-2.7.1
• dependabot/pip/sentry-sdk-2.8.0
• dependabot/pip/sentry-sdk-2.9.0
• dependabot/pip/setuptools-70.0.0
• dependabot/pip/types-requests-2.28.11.15
• dependabot/pip/types-requests-2.30.0.0
• dependabot/pip/types-requests-2.31.0.0
• dependabot/pip/types-requests-2.31.0.1
• dependabot/pip/types-requests-2.31.0.10
• dependabot/pip/types-requests-2.31.0.2
• dependabot/pip/types-requests-2.31.0.8
• dependabot/pip/types-requests-2.31.0.9
• dependabot/pip/urllib3-1.26.18
• dependabot/pip/urllib3-2.0.7
• dependabot/pip/urllib3-2.2.2
• dependabot/pip/werkzeug-3.0.1
• dependency-updates
• in-714-app-structure
• in-715-add-alma-functionality
• in-715-add-email-functionality
• in-715-add-polines-processing
• main
• maintenance-week-updates
• processing-date-change
• refs/heads/dependabot/pip/boto3-1.26.142
• refs/heads/dependabot/pip/boto3-stubs-1.26.142
• refs/heads/dependabot/pip/sentry-sdk-1.24.0
• refs/heads/dependabot/pip/types-requests-2.31.0.0
• refs/tags/v1.0.0
• refs/tags/v1.0.1
• refs/tags/v1.0.2
• refs/tags/v1.0.3
• rollback-to-py3.11
• update-readme-and-dependencies
• update-xml-template-string
• v1.0.4
• v1.0.5
• v1.0.6

Build # 14892625377

Build Type

push

github

Committed by web-flow

Commit Message

In 1255 pip audit (#275)

* Replace pipenv check with pip-audit

Why these changes are being introduced:

As of pipenv 2025.0.1 the use of `pipenv check` would throw
an error, indicating that the library `safety` was not installed.
It worked to run `pipenv check --auto-install` which would
temporarily install `safety`, but this was not ideal for multiple
reasons.

First, we anticipate potentially moving away from `pipenv`.

Second, it appears that `safety` is moving to a pay / subscription
model.

Third, it remains a little obfuscated what `pipenv check` is actually
doing.

As this new situation affects all builds in Github Actions CI,
we need a way to scan for vulnerabilities that ideally is not
a massive overhaul of our vulnerability scanning approach.

How this addresses that need:

`pip-audit` is a nice standalone, open-source library that
performs very similar work to `safety`.

This commit replaces `pipenv check` (which was `safety` under
the hood) with `pip-audit`.

Side effects of this change:
* Builds will be successful in Github Actions

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1255

* Update Pipfile.lock

Run Details

1 of 1 new or added line in 1 file covered. (100.0%)

206 of 206 relevant lines covered (100.0%)

1.0 hits per line