fix(ci): stop pip-audit --strict failing Security on the editable self-install#89
Conversation
…ailing Security on main pip-audit --strict fails on any dependency it cannot audit, and an editable self-install (pip install -e .) can never be audited — it errors even with --skip-editable. Dropping --strict keeps the enforced behaviour we actually want: pip-audit still exits non-zero on any real dependency vulnerability, but no longer fails on the un-auditable local package. Fixes the Security workflow red on main after #86.
|
Warning Review limit reached
More reviews will be available in 57 minutes and 10 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
Note
|
Deploying attestix with
|
| Latest commit: |
c3a8505
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://2b68df9c.attestix.pages.dev |
| Branch Preview URL: | https://fix-pip-audit-strict.attestix.pages.dev |
Security went red on main after #86 with
ERROR: attestix: distribution marked as editable.--strictfails on any un-auditable dependency, and an editable self-install can never be audited (errors even with--skip-editable). Dropping--strictkeeps enforcement of real dependency vulns (pip-audit still exits non-zero on actual CVEs) without failing on the local package. No real vulnerabilities were present.