Skip to content

chore(deps): bump soupsieve from 2.8.3 to 2.8.4 #112

chore(deps): bump soupsieve from 2.8.3 to 2.8.4

chore(deps): bump soupsieve from 2.8.3 to 2.8.4 #112

# Security audit on dependencies: known vulnerabilities in Python packages
# https://pip.pypa.io/en/stable/user_guide/#using-pip-audit
# Runs only when dependency files are touched (+ weekly schedule)
name: Security audit (dependencies)
on:
push:
branches: ["**"]
paths:
- "pyproject.toml"
- "poetry.lock"
- "setup.py"
- "setup.cfg"
- "requirements*.txt"
- "constraints*.txt"
- ".github/workflows/security-dependencies.yml"
pull_request:
branches: ["**"]
paths:
- "pyproject.toml"
- "poetry.lock"
- "setup.py"
- "setup.cfg"
- "requirements*.txt"
- "constraints*.txt"
- ".github/workflows/security-dependencies.yml"
schedule:
- cron: '0 0 * * 1'
jobs:
skip_check:
name: Skip duplicate runs
runs-on: ubuntu-latest
outputs:
should_skip: ${{ steps.skip.outputs.should_skip }}
steps:
- id: skip
uses: fkirc/skip-duplicate-actions@v5
with:
concurrent_skipping: "same_content_newer"
skip_after_successful_duplicate: "true"
do_not_skip: '["workflow_dispatch", "schedule", "merge_group"]'
pip-audit:
needs: skip_check
if: needs.skip_check.outputs.should_skip != 'true'
name: pip-audit
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install dependencies
run: |
python -m pip install --upgrade "pip>=26.0"
pip install .
- name: Install pip-audit
run: |
pip install pip-audit
- name: Run pip-audit
run: |
echo ""
echo "##############################################################################"
echo "# ⚠️ WARNING: CVE-2024-23342 (ecdsa) IS WHITELISTED IN THIS AUDIT ⚠️ #"
echo "# ecdsa Minerva timing side-channel has NO upstream fix. #"
echo "# python-ecdsa considers side-channel attacks out of scope. #"
echo "# Whitelisted per pymdoccbor documentation — risk is accepted. #"
echo "##############################################################################"
echo ""
pip-audit . --ignore-vuln CVE-2024-23342
# Optional: OSSF Scorecard for supply-chain security (repo-level)
# Scorecard only supports the default branch (e.g. main)
scorecard:
needs: skip_check
if: needs.skip_check.outputs.should_skip != 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
name: OpenSSF Scorecard
runs-on: ubuntu-latest
permissions:
security-events: read
id-token: write
actions: read
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run OpenSSF Scorecard
uses: ossf/scorecard-action@v2.4.3
with:
results_file: scorecard-results.json
results_format: json
publish_results: true