From df343396a4e6585fe4c17f0fa814b96e05bc61e4 Mon Sep 17 00:00:00 2001 From: Ethan Paul <24588726+enpaul@users.noreply.github.com> Date: Fri, 16 Aug 2024 13:26:12 -0400 Subject: [PATCH] Remove safety dependency vulnerability scanner I went back and forth on this, but ultimately decided that it's more trouble than it's worth. Between false positives, deeply nested packages raising vulnerabilities, and the brittleness of the poetry-plugin-export that the tooling relies on, it causes more headaches than it avoids. A future PR will enable dependabot tooling that will open PRs to automatically fix this problem so I don't have to deal with it anymore (hopefully) --- poetry.lock | 60 +------------------------------------------------- pyproject.toml | 1 - tox.ini | 10 --------- 3 files changed, 1 insertion(+), 70 deletions(-) diff --git a/poetry.lock b/poetry.lock index 8a6618f..8b92059 100644 --- a/poetry.lock +++ b/poetry.lock @@ -673,25 +673,6 @@ files = [ {file = "distlib-0.3.8.tar.gz", hash = "sha256:1530ea13e350031b6312d8580ddb6b27a104275a31106523b8f123787f494f64"}, ] -[[package]] -name = "dparse" -version = "0.6.3" -description = "A parser for Python dependency files" -optional = false -python-versions = ">=3.6" -files = [ - {file = "dparse-0.6.3-py3-none-any.whl", hash = "sha256:0d8fe18714056ca632d98b24fbfc4e9791d4e47065285ab486182288813a5318"}, - {file = "dparse-0.6.3.tar.gz", hash = "sha256:27bb8b4bcaefec3997697ba3f6e06b2447200ba273c0b085c3d012a04571b528"}, -] - -[package.dependencies] -packaging = "*" -tomli = {version = "*", markers = "python_version < \"3.11\""} - -[package.extras] -conda = ["pyyaml"] -pipenv = ["pipenv (<=2022.12.19)"] - [[package]] name = "dulwich" version = "0.21.7" 
@@ -2205,29 +2186,6 @@ files = [ {file = "ruamel.yaml.clib-0.2.8.tar.gz", hash = "sha256:beb2e0404003de9a4cab9753a8805a8fe9320ee6673136ed7f04255fe60bb512"}, ] -[[package]] -name = "safety" -version = "2.3.4" -description = "Checks installed dependencies for known vulnerabilities and licenses." -optional = false -python-versions = "*" -files = [ - {file = "safety-2.3.4-py3-none-any.whl", hash = "sha256:6224dcd9b20986a2b2c5e7acfdfba6bca42bb11b2783b24ed04f32317e5167ea"}, - {file = "safety-2.3.4.tar.gz", hash = "sha256:b9e74e794e82f54d11f4091c5d820c4d2d81de9f953bf0b4f33ac8bc402ae72c"}, -] - -[package.dependencies] -Click = ">=8.0.2" -dparse = ">=0.6.2" -packaging = ">=21.0" -requests = "*" -"ruamel.yaml" = ">=0.17.21" -setuptools = ">=19.3" - -[package.extras] -github = ["jinja2 (>=3.1.0)", "pygithub (>=1.43.3)"] -gitlab = ["python-gitlab (>=1.3.0)"] - [[package]] name = "secretstorage" version = "3.3.3" 
@@ -2243,22 +2201,6 @@ files = [ cryptography = ">=2.0" jeepney = ">=0.6" -[[package]] -name = "setuptools" -version = "72.2.0" -description = "Easily download, build, install, upgrade, and uninstall Python packages" -optional = false -python-versions = ">=3.8" -files = [ - {file = "setuptools-72.2.0-py3-none-any.whl", hash = "sha256:f11dd94b7bae3a156a95ec151f24e4637fb4fa19c878e4d191bfb8b2d82728c4"}, - {file = "setuptools-72.2.0.tar.gz", hash = "sha256:80aacbf633704e9c8bfa1d99fa5dd4dc59573efcf9e4042c13d3bcef91ac2ef9"}, -] - -[package.extras] -core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.text (>=3.7)", "more-itertools (>=8.8)", "ordered-set (>=3.1.1)", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"] -doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier", "towncrier (<24.7)"] -test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "mypy (==1.11.*)", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy", "pytest-perf", "pytest-ruff (<0.4)", "pytest-ruff (>=0.2.1)", "pytest-ruff (>=0.3.2)", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] - [[package]] name = "shellingham" version = "1.5.4" 
@@ -2678,4 +2620,4 @@ testing = ["big-O", "flake8 (<5)", "jaraco.functools", "jaraco.itertools", "more
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.7"
-content-hash = "2db35ecc0a664819e9a6e162062bb0ec0a7673370a29357766aad873441e9358"
+content-hash = "56d0abc08c141d404c8dcc5ecf669b54fb49d85463abf3e74de36604b7a31b21"
diff --git a/pyproject.toml b/pyproject.toml
index 4a5aeb8..a56f645 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -55,7 +55,6 @@ pylint = {version = "^2.13.0", python = "^3.10"}
 pytest = {version = "^6.0.2", python = "^3.10"}
 pytest-cov = {version = "^2.10.1", python = "^3.10"}
 reorder-python-imports = {version = "^2.3.5", python = "^3.10"}
-safety = {version = "^2.2.0", python = "^3.10"}
 toml = {version = "^0.10.1", python = "^3.10"}
 tox = "^4.1"
 types-toml = {version = "^0.10.1", python = "^3.10"}
diff --git a/tox.ini b/tox.ini
index 7f46b74..1a5cfe5 100644
--- a/tox.ini
+++ b/tox.ini
@@ -76,13 +76,3 @@ commands =
 --recursive \
 --quiet \
 --skip B101
- poetry export \
- --format requirements.txt \
- --output {envtmpdir}/requirements.txt \
- --without-hashes \
- --with dev
- safety check \
- --file {envtmpdir}/requirements.txt \
- --output text \
- # https://github.com/pytest-dev/py/issues/287
- --ignore 51457