MITLibraries / archival-packaging-tool

54%

main: 96%

LAST BUILD ON BRANCH IN-1238-use-pip-audit

branch: IN-1238-use-pip-audit

CHANGE BRANCH

x

Reset

Sync Branches

• IN-1238-use-pip-audit
• ETD-669-remove-default-contact-name
• IN-1192-scaffold-repository
• IN-1214-core-bagitarchive-class
• IN-1215-create-bag-action-and-class-design
• IN-1215-wire-lambda-handler
• IN-1219-lamdda-request-response-specs
• IN-1230-use-efs-mount
• IN-1294-s3-efs-read-write-performance
• bug-extra-bag-zipfile
• dependabot/pip/black-25.1.0
• dependabot/pip/boto3-1.38.11
• dependabot/pip/boto3-1.38.12
• dependabot/pip/boto3-1.38.13
• dependabot/pip/boto3-1.38.14
• dependabot/pip/boto3-1.38.15
• dependabot/pip/boto3-1.38.16
• dependabot/pip/boto3-1.38.17
• dependabot/pip/boto3-1.38.18
• dependabot/pip/boto3-1.38.19
• dependabot/pip/boto3-1.38.20
• dependabot/pip/boto3-1.38.21
• dependabot/pip/boto3-1.38.22
• dependabot/pip/boto3-1.38.23
• dependabot/pip/boto3-1.38.24
• dependabot/pip/boto3-1.38.25
• dependabot/pip/boto3-1.38.26
• dependabot/pip/boto3-1.38.27
• dependabot/pip/boto3-1.38.28
• dependabot/pip/boto3-1.38.29
• dependabot/pip/boto3-1.38.30
• dependabot/pip/boto3-1.38.31
• dependabot/pip/boto3-1.38.32
• dependabot/pip/boto3-1.38.33
• dependabot/pip/boto3-1.38.34
• dependabot/pip/boto3-1.38.35
• dependabot/pip/boto3-1.38.36
• dependabot/pip/boto3-1.38.37
• dependabot/pip/boto3-1.38.38
• dependabot/pip/boto3-1.38.39
• dependabot/pip/boto3-1.38.40
• dependabot/pip/boto3-1.38.41
• dependabot/pip/boto3-1.38.42
• dependabot/pip/boto3-1.38.43
• dependabot/pip/boto3-1.38.44
• dependabot/pip/boto3-1.38.45
• dependabot/pip/boto3-1.38.46
• dependabot/pip/boto3-1.39.0
• dependabot/pip/boto3-1.39.1
• dependabot/pip/boto3-1.39.10
• dependabot/pip/boto3-1.39.11
• dependabot/pip/boto3-1.39.12
• dependabot/pip/boto3-1.39.13
• dependabot/pip/boto3-1.39.15
• dependabot/pip/boto3-1.39.16
• dependabot/pip/boto3-1.39.17
• dependabot/pip/boto3-1.39.2
• dependabot/pip/boto3-1.39.3
• dependabot/pip/boto3-1.39.4
• dependabot/pip/boto3-1.39.6
• dependabot/pip/boto3-1.39.7
• dependabot/pip/boto3-1.39.8
• dependabot/pip/boto3-1.39.9
• dependabot/pip/boto3-1.40.0
• dependabot/pip/boto3-1.40.1
• dependabot/pip/boto3-1.40.10
• dependabot/pip/boto3-1.40.11
• dependabot/pip/boto3-1.40.12
• dependabot/pip/boto3-1.40.13
• dependabot/pip/boto3-1.40.14
• dependabot/pip/boto3-1.40.15
• dependabot/pip/boto3-1.40.16
• dependabot/pip/boto3-1.40.17
• dependabot/pip/boto3-1.40.18
• dependabot/pip/boto3-1.40.19
• dependabot/pip/boto3-1.40.2
• dependabot/pip/boto3-1.40.20
• dependabot/pip/boto3-1.40.21
• dependabot/pip/boto3-1.40.22
• dependabot/pip/boto3-1.40.24
• dependabot/pip/boto3-1.40.25
• dependabot/pip/boto3-1.40.26
• dependabot/pip/boto3-1.40.27
• dependabot/pip/boto3-1.40.28
• dependabot/pip/boto3-1.40.29
• dependabot/pip/boto3-1.40.3
• dependabot/pip/boto3-1.40.30
• dependabot/pip/boto3-1.40.31
• dependabot/pip/boto3-1.40.32
• dependabot/pip/boto3-1.40.33
• dependabot/pip/boto3-1.40.34
• dependabot/pip/boto3-1.40.35
• dependabot/pip/boto3-1.40.37
• dependabot/pip/boto3-1.40.38
• dependabot/pip/boto3-1.40.39
• dependabot/pip/boto3-1.40.4
• dependabot/pip/boto3-1.40.40
• dependabot/pip/boto3-1.40.41
• dependabot/pip/boto3-1.40.42
• dependabot/pip/boto3-1.40.43
• dependabot/pip/boto3-1.40.44
• dependabot/pip/boto3-1.40.45
• dependabot/pip/boto3-1.40.47
• dependabot/pip/boto3-1.40.48
• dependabot/pip/boto3-1.40.49
• dependabot/pip/boto3-1.40.5
• dependabot/pip/boto3-1.40.50
• dependabot/pip/boto3-1.40.51
• dependabot/pip/boto3-1.40.52
• dependabot/pip/boto3-1.40.53
• dependabot/pip/boto3-1.40.54
• dependabot/pip/boto3-1.40.55
• dependabot/pip/boto3-1.40.56
• dependabot/pip/boto3-1.40.57
• dependabot/pip/boto3-1.40.59
• dependabot/pip/boto3-1.40.6
• dependabot/pip/boto3-1.40.60
• dependabot/pip/boto3-1.40.61
• dependabot/pip/boto3-1.40.7
• dependabot/pip/boto3-1.40.8
• dependabot/pip/boto3-1.40.9
• dependabot/pip/boto3-stubs-1.38.16
• dependabot/pip/boto3-stubs-1.38.17
• dependabot/pip/boto3-stubs-1.38.18
• dependabot/pip/boto3-stubs-1.38.19
• dependabot/pip/boto3-stubs-1.38.20
• dependabot/pip/boto3-stubs-1.38.21
• dependabot/pip/boto3-stubs-1.38.22
• dependabot/pip/boto3-stubs-1.38.23
• dependabot/pip/boto3-stubs-1.38.24
• dependabot/pip/boto3-stubs-1.38.25
• dependabot/pip/boto3-stubs-1.38.26
• dependabot/pip/boto3-stubs-1.38.27
• dependabot/pip/boto3-stubs-1.38.28
• dependabot/pip/boto3-stubs-1.38.29
• dependabot/pip/boto3-stubs-1.38.30
• dependabot/pip/boto3-stubs-1.38.31
• dependabot/pip/boto3-stubs-1.38.32
• dependabot/pip/boto3-stubs-1.38.33
• dependabot/pip/boto3-stubs-1.38.34
• dependabot/pip/boto3-stubs-1.38.35
• dependabot/pip/boto3-stubs-1.38.36
• dependabot/pip/boto3-stubs-1.38.37
• dependabot/pip/boto3-stubs-1.38.38
• dependabot/pip/boto3-stubs-1.38.39
• dependabot/pip/boto3-stubs-1.38.40
• dependabot/pip/boto3-stubs-1.38.41
• dependabot/pip/boto3-stubs-1.38.42
• dependabot/pip/boto3-stubs-1.38.43
• dependabot/pip/boto3-stubs-1.38.44
• dependabot/pip/boto3-stubs-1.38.45
• dependabot/pip/boto3-stubs-1.38.46
• dependabot/pip/boto3-stubs-1.39.0
• dependabot/pip/boto3-stubs-1.39.1
• dependabot/pip/boto3-stubs-1.39.10
• dependabot/pip/boto3-stubs-1.39.11
• dependabot/pip/boto3-stubs-1.39.12
• dependabot/pip/boto3-stubs-1.39.13
• dependabot/pip/boto3-stubs-1.39.15
• dependabot/pip/boto3-stubs-1.39.16
• dependabot/pip/boto3-stubs-1.39.17
• dependabot/pip/boto3-stubs-1.39.2
• dependabot/pip/boto3-stubs-1.39.3
• dependabot/pip/boto3-stubs-1.39.4
• dependabot/pip/boto3-stubs-1.39.6
• dependabot/pip/boto3-stubs-1.39.7
• dependabot/pip/boto3-stubs-1.39.8
• dependabot/pip/boto3-stubs-1.39.9
• dependabot/pip/boto3-stubs-1.40.0
• dependabot/pip/boto3-stubs-1.40.1
• dependabot/pip/boto3-stubs-1.40.10
• dependabot/pip/boto3-stubs-1.40.11
• dependabot/pip/boto3-stubs-1.40.12
• dependabot/pip/boto3-stubs-1.40.13
• dependabot/pip/boto3-stubs-1.40.14
• dependabot/pip/boto3-stubs-1.40.15
• dependabot/pip/boto3-stubs-1.40.16
• dependabot/pip/boto3-stubs-1.40.17
• dependabot/pip/boto3-stubs-1.40.18
• dependabot/pip/boto3-stubs-1.40.19
• dependabot/pip/boto3-stubs-1.40.2
• dependabot/pip/boto3-stubs-1.40.20
• dependabot/pip/boto3-stubs-1.40.21
• dependabot/pip/boto3-stubs-1.40.22
• dependabot/pip/boto3-stubs-1.40.23
• dependabot/pip/boto3-stubs-1.40.24
• dependabot/pip/boto3-stubs-1.40.25
• dependabot/pip/boto3-stubs-1.40.26
• dependabot/pip/boto3-stubs-1.40.27
• dependabot/pip/boto3-stubs-1.40.28
• dependabot/pip/boto3-stubs-1.40.29
• dependabot/pip/boto3-stubs-1.40.3
• dependabot/pip/boto3-stubs-1.40.30
• dependabot/pip/boto3-stubs-1.40.31
• dependabot/pip/boto3-stubs-1.40.32
• dependabot/pip/boto3-stubs-1.40.33
• dependabot/pip/boto3-stubs-1.40.34
• dependabot/pip/boto3-stubs-1.40.35
• dependabot/pip/boto3-stubs-1.40.36
• dependabot/pip/boto3-stubs-1.40.37
• dependabot/pip/boto3-stubs-1.40.38
• dependabot/pip/boto3-stubs-1.40.39
• dependabot/pip/boto3-stubs-1.40.4
• dependabot/pip/boto3-stubs-1.40.40
• dependabot/pip/boto3-stubs-1.40.41
• dependabot/pip/boto3-stubs-1.40.42
• dependabot/pip/boto3-stubs-1.40.43
• dependabot/pip/boto3-stubs-1.40.44
• dependabot/pip/boto3-stubs-1.40.45
• dependabot/pip/boto3-stubs-1.40.47
• dependabot/pip/boto3-stubs-1.40.48
• dependabot/pip/boto3-stubs-1.40.5
• dependabot/pip/boto3-stubs-1.40.50
• dependabot/pip/boto3-stubs-1.40.51
• dependabot/pip/boto3-stubs-1.40.52
• dependabot/pip/boto3-stubs-1.40.53
• dependabot/pip/boto3-stubs-1.40.54
• dependabot/pip/boto3-stubs-1.40.55
• dependabot/pip/boto3-stubs-1.40.56
• dependabot/pip/boto3-stubs-1.40.57
• dependabot/pip/boto3-stubs-1.40.58
• dependabot/pip/boto3-stubs-1.40.59
• dependabot/pip/boto3-stubs-1.40.6
• dependabot/pip/boto3-stubs-1.40.60
• dependabot/pip/boto3-stubs-1.40.61
• dependabot/pip/boto3-stubs-1.40.8
• dependabot/pip/boto3-stubs-1.40.9
• dependabot/pip/ipython-9.2.0
• dependabot/pip/mypy-1.15.0
• dependabot/pip/pip-25.2
• dependabot/pip/pre-commit-4.2.0
• dependabot/pip/requests-2.32.4
• dependabot/pip/ruff-0.11.10
• dependabot/pip/ruff-0.11.11
• dependabot/pip/ruff-0.11.12
• dependabot/pip/ruff-0.11.13
• dependabot/pip/ruff-0.11.3
• dependabot/pip/ruff-0.11.4
• dependabot/pip/ruff-0.11.5
• dependabot/pip/ruff-0.11.6
• dependabot/pip/ruff-0.11.7
• dependabot/pip/ruff-0.11.8
• dependabot/pip/ruff-0.11.9
• dependabot/pip/ruff-0.12.0
• dependabot/pip/ruff-0.12.1
• dependabot/pip/ruff-0.12.10
• dependabot/pip/ruff-0.12.11
• dependabot/pip/ruff-0.12.12
• dependabot/pip/ruff-0.12.2
• dependabot/pip/ruff-0.12.3
• dependabot/pip/ruff-0.12.4
• dependabot/pip/ruff-0.12.5
• dependabot/pip/ruff-0.12.7
• dependabot/pip/ruff-0.12.8
• dependabot/pip/ruff-0.12.9
• dependabot/pip/ruff-0.13.0
• dependabot/pip/ruff-0.13.1
• dependabot/pip/ruff-0.13.2
• dependabot/pip/ruff-0.13.3
• dependabot/pip/ruff-0.14.0
• dependabot/pip/ruff-0.14.1
• dependabot/pip/ruff-0.14.2
• dependabot/pip/sentry-sdk-2.25.1
• dependabot/pip/sentry-sdk-2.26.0
• dependabot/pip/sentry-sdk-2.26.1
• dependabot/pip/sentry-sdk-2.27.0
• dependabot/pip/sentry-sdk-2.28.0
• dependabot/pip/setuptools-80.4.0
• dependabot/pip/setuptools-80.7.1
• dependabot/pip/setuptools-80.8.0
• dependabot/pip/setuptools-80.9.0
• dependabot/pip/types-jsonschema-4.23.0.20250516
• dependabot/pip/types-jsonschema-4.24.0.20250528
• dependabot/pip/types-jsonschema-4.24.0.20250708
• dependabot/pip/types-jsonschema-4.25.0.20250720
• dependabot/pip/types-jsonschema-4.25.0.20250809
• dependabot/pip/types-jsonschema-4.25.1.20250821
• dependabot/pip/types-jsonschema-4.25.1.20250822
• dependabot/pip/types-jsonschema-4.25.1.20251008
• dependabot/pip/types-jsonschema-4.25.1.20251009
• dependabot/pip/urllib3-2.5.0
• deployment-automation
• main
• pipenv-check-safety-auto-install
• v1.0
• v1.1

Build # 14802535657

Build Type

Pull #19

github

Committed by ghukill

Commit Message

Replace pipenv check (safety) with pip-audit

Why these changes are being introduced:

As of pipenv 2025.0.1 the use of `pipenv check` would throw
an error, indicating that the library `safety` was not installed.
It worked to run `pipenv check --auto-install` which would
temporarily install `safety`, but this was not ideal for multiple
reasons.

First, we anticipate potentially moving away from `pipenv`.

Second, it appears that `safety` is moving to a pay / subscription
model.

Third, it remains a little obfuscated what `pipenv check` is actually
doing.

As this new situation affects all builds in Github Actions CI,
we need a way to scan for vulnerabilities that ideally is not
a massive overhaul of our vulnerability scanning approach.

How this addresses that need:

`pip-audit` is a nice standalone, open-source library that
performs very similar work to `safety`.

This commit replaces `pipenv check` (which was `safety` under
the hood) with `pip-audit`.

Side effects of this change:
* Builds will be successful in Github Actions

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1238

Pull Request Pull Request #19: IN-1238 - Replace pipenv check (safety) with pip-audit

Run Details

35 of 65 relevant lines covered (53.85%)

0.54 hits per line