This repository was deprecated and split into two repositories:
- Homebrew formulae/packages: Homebrew/homebrew-core (former contents of Library/Formula)
- Homebrew package manager: Homebrew/brew
:clipboard: Bulk auditing Python dependencies in Homebrew with pip-audit
License: BSD 2-Clause "Simplified" License
https://github.com/Homebrew/brew-pip-audit/actions/runs/7985826380
@woodruffw at one point we talked about adding more debug info when this happens
We switched to osv-scanner because of a significant performance regression in pip-audit. That regression has now been fixed with the 2.6.0 release, so we should consider switching back.
Low priority since the performance of osv-scanner is probably good enough, and the data quality should be similar.
https://github.com/Homebrew/brew-pip-audit/blob/main/generate-prs.rb#L12
Some of these are due to packaging issues in the upstreams, and some are due to our own limitations.
Right now we include the entire dependency tree in each formula's pip-audit JSON summary, which makes it hard to visually scan for vulnerabilities. Instead, we should reduce the JSON output down to just those dependencies that actually have vulnerabilities.
We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.
We should really only bump the vulnerable dep. Maybe we can do that by using constraints files?
Ideally, for any formula that we identify vulnerabilities in, we'd:
- brew update-python-resources
This would significantly reduce the burden of keeping the ecosystem secure.
alot
ansible
bbot
buku
certbot
certsync
charm-tools
libplacebo
litani
magic-wormhole
mavsdk
mvt
onlykey-agent
openai-whisper
pdfalyzer
pocsuite3
psutils
scoutsuite
sickchill
slither-analyzer
snapcraft
terminator
tern
textract
torchvision
trezor-agent
Some things we should do:
- Bump the revision as well, so that auto-bumped formulae are automatically pushed to users who brew upgrade (#44);
- homebrew-core maintainers.
- Avoid pipgrip within Homebrew for dep upgrades, since it uses Poetry's resolver and is slow/does different resolutions than pip.
It used to be the case that a previous .audit.json file was removed if all vulnerabilities were fixed. That seems to have gotten lost in the re-write. It should be restored.
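Three of the issues above describe one post-processing step on a pip-audit report: keep only the dependencies that actually have vulnerabilities, derive a constraint that bumps just the vulnerable dependency rather than every resource, and remove a stale .audit.json once nothing is left. The Ruby below is an added example written for this page, not code from brew-pip-audit or generate-prs.rb. It assumes the JSON shape of `pip-audit -f json` (a top-level `dependencies` array whose entries carry `name`, `version` and a `vulns` list with `fix_versions`, or a `skip_reason` when the package could not be audited); the package names, versions and vulnerability IDs in the sample are constructed, and the function names are mine.

```ruby
require "json"
require "fileutils"
require "tmpdir"

# Constructed sample in the assumed `pip-audit -f json` shape. Every package
# name and vulnerability ID here is made up for this example.
SAMPLE_AUDIT = <<~JSON
  {
    "dependencies": [
      {"name": "example-clean", "version": "1.4.0", "vulns": []},
      {"name": "example-http", "version": "2.30.0",
       "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["2.31.0"], "aliases": [], "description": "constructed"}]},
      {"name": "example-tls", "version": "1.26.5",
       "vulns": [{"id": "EXAMPLE-0002", "fix_versions": ["1.26.18", "2.0.7"], "aliases": [], "description": "constructed"},
                 {"id": "EXAMPLE-0003", "fix_versions": ["1.26.17"], "aliases": [], "description": "constructed"}]},
      {"name": "example-unauditable", "skip_reason": "no matching distribution"}
    ],
    "fixes": []
  }
JSON

# Reduce a pip-audit report to the dependencies that carry at least one
# vulnerability, so the per-formula summary is short enough to scan by eye.
# Skipped dependencies are kept separately: a skip is an unknown, not a pass.
def reduce_audit(report_json)
  deps = JSON.parse(report_json).fetch("dependencies", [])
  {
    "dependencies" => deps.select { |d| d["vulns"]&.any? },
    "skipped"      => deps.select { |d| d.key?("skip_reason") },
  }
end

# One pip constraint line per vulnerable dependency, lifting it to the lowest
# version that closes every reported vulnerability on it and leaving all other
# resources alone. Gem::Version ordering approximates PEP 440 and is adequate
# for plain X.Y.Z versions; a vulnerability with no published fix yields a
# comment rather than a bogus pin.
def constraints_for(reduced)
  reduced["dependencies"].map do |dep|
    per_vuln = dep["vulns"].filter_map do |v|
      v.fetch("fix_versions", []).min_by { |fv| Gem::Version.new(fv) }
    end
    if per_vuln.empty?
      "# #{dep['name']}: no fixed version published yet"
    else
      floor = per_vuln.max_by { |fv| Gem::Version.new(fv) }
      "#{dep['name']}>=#{floor}"
    end
  end
end

# Write the reduced report to the formula's .audit.json, or delete a stale one
# when no vulnerable dependency remains, so a clean formula leaves no file
# behind. Returns :written or :removed.
def sync_audit_file(path, reduced)
  if reduced["dependencies"].empty?
    FileUtils.rm_f(path)
    :removed
  else
    File.write(path, JSON.pretty_generate(reduced) + "\n")
    :written
  end
end

if $PROGRAM_NAME == __FILE__
  reduced = reduce_audit(SAMPLE_AUDIT)
  puts JSON.pretty_generate(reduced)
  puts constraints_for(reduced)
  Dir.mktmpdir do |dir|
    puts sync_audit_file(File.join(dir, "example.audit.json"), reduced)
  end
end
```

The constraint lines are in the format pip accepts through `-c constraints.txt`, so they can be fed to whatever resolves a formula's resources without touching dependencies that were not flagged.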
We should auto-label our PRs as python, pip-audit, and maybe a few other things.