Homebrew (Legacy)

This repository was deprecated and split into two repositories:

Homebrew formulae/packages: Homebrew/homebrew-core (former contents of Library/Formula)
Homebrew package manager: Homebrew/brew

brew-pip-audit's People

Contributors

Stargazers

Watchers

brew-pip-audit's Issues

Failing to generate any PRs

https://github.com/Homebrew/brew-pip-audit/actions/runs/7985826380

@woodruffw at one point we talked about adding more debug info when this happens

Actions job can't push to main due to protected branch

https://github.com/Homebrew/brew-pip-audit/actions/runs/3581386277/jobs/6024385118

Consider switching back to `pip-audit`

We switched to osv-scanner because of a significant performance regression in pip-audit. That regression has now been fixed with the 2.6.0 release, so we should consider switching back.

Low priority since the performance of osv-scanner is probably good enough, and the data quality should be similar.

Burn down skips in generate-prs.rb

https://github.com/Homebrew/brew-pip-audit/blob/main/generate-prs.rb#L12

Some of these are due to packaging issues in the upstreams, and some are due to our own limitations.

If a dependency doesn't have any vulnerabilities, remove it from the results

Right now we include the entire dependency tree in each formula's pip-audit JSON summary, which makes it hard to visually scan for vulnerabilities. Instead, we should reduce the JSON output down to just those dependencies that actually have vulnerabilities.

Figure out a way to update only the vulnerable deps

We currently bump all resources just to get at a single vulnerable dependency, which (1) produces large diffs and (2) introduces risks of breakage, both in CI and in built bottles.

We should really only bump the vulnerable dep. Maybe we can do that by using constraints files?

Attempt to auto-send PRs to brew

Ideally for any formula that we identify vulnerabilities in we'd:

Bump dependencies (brew update-python-resources)
Verify that this fixes vulnerabilities
~~Bump revision~~
Send a PR to homebrew

This would significantly reduce the burdens of keeping the ecosystem secure

Debug all the formula for which `update_python_resources!` fails

PR automation: follow-ups

Some things we should do:

Bump the revision as well, so that auto-bumped formulae are automatically pushed to users who brew upgrade (#44);
Issue PRs in alphabetical order, so that we have a rough idea of how much progress the automation has made;
Look into throttling the PR automation when triggered periodically to avoid spamming the homebrew-core maintainers.
Look into replacing pipgrip within Homebrew for dep upgrades, since it uses Poetry's resolver and is slow/does different resolutions than pip
- Homebrew/brew#15307
Don't send a PR if it doesn't actually fix a vulnerability. This happens when version constraints don't allow upgrading the vulnerable dep, but there are other packages to be updated (example: Homebrew/homebrew-core#122902).
Include the list of fixed vulnerabilities in the PR message.

Remove existing audit results if all vulnerabilities fixed

It used to be the case that a previous .audit.json file was removed if all vulnerabilities were fixed. That seems to have gotten lost in the re-write. It should be restored.