Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ ci:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
rev: v6.0.0 # v6.0.0
hooks:
- id: check-json
types: [file] # override `types: [json]`
Expand All @@ -24,33 +24,33 @@ repos:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/tox-dev/pyproject-fmt
rev: 0c8c15d8fe996493035be407c5cf4a288cf6bf8e # v2.25.1
rev: v2.25.1 # v2.25.1
hooks:
- id: pyproject-fmt
- repo: https://github.com/abravalheri/validate-pyproject
rev: 4b2e70d08cb2ccd26d1fba73588de41c7a5d50b7 # v0.25
rev: v0.25 # v0.25
hooks:
- id: validate-pyproject
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: c59bba8fb259db0fec2bbb77ad8ba51ea7341b56 # v0.15.20
rev: v0.15.20 # v0.15.20
hooks:
- id: ruff-check
args: [--fix, --exit-non-zero-on-fix]
- id: ruff-format
- repo: https://github.com/sphinx-contrib/sphinx-lint
rev: c883505f64b59c3c5c9375191e4ad9f98e727ccd # v1.0.2
rev: v1.0.2 # v1.0.2
hooks:
- id: sphinx-lint
types: [rst]
- repo: https://github.com/adamchainz/blacken-docs
rev: fda77690955e9b63c6687d8806bafd56a526e45f # 1.20.0
rev: 1.20.0 # 1.20.0
hooks:
- id: blacken-docs
args: [--line-length=79]
additional_dependencies:
- black
- repo: https://github.com/codespell-project/codespell
rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a # v2.4.2
rev: v2.4.2 # v2.4.2
hooks:
- id: codespell
args: [--toml pyproject.toml]
10 changes: 5 additions & 5 deletions docs/data-processing/serialisation-formats/toml/pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,12 @@ line-length = 79

[tool.isort]
atomic = true
force_grid_wrap = 0
multi_line_output = 3
use_parentheses = true
include_trailing_comma = true
force_grid_wrap = 0
lines_after_imports = 2
lines_between_types = 1
multi_line_output = 3
not_skip = "__init__.py"
use_parentheses = true
known_first_party = [ "MY_FIRST_MODULE", "MY_SECOND_MODULE" ]
known_third_party = [ "mpi4py", "numpy", "requests" ]
known_first_party = [ "MY_FIRST_MODULE", "MY_SECOND_MODULE" ]
not_skip = "__init__.py"
3 changes: 3 additions & 0 deletions docs/productive/git/advanced/hooks/scripts.rst
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,9 @@ Linters and formatters
`prettier <https://github.com/pre-commit/mirrors-prettier>`_
provides `prettier <https://github.com/prettier/prettier>`__

`ruff-pre-commit <https://github.com/astral-sh/ruff-pre-commit>`_
pre-commit-Hook für :doc:`../../../qa/ruff`

`black <https://github.com/psf/black>`_
for formatting Python code

Expand Down
74 changes: 62 additions & 12 deletions docs/productive/security.rst
Original file line number Diff line number Diff line change
Expand Up @@ -29,26 +29,76 @@ This check determines whether the project has open, unfixed vulnerabilities in
its own code base or in its dependencies. An open vulnerability can be easily
exploited and should be closed as soon as possible.

For such a check, you can use for example `uv-secure
<https://pypi.org/project/uv-secure/>`_. Alternatively, you can use `osv
<https://pypi.org/project/osv/>`_ or `pip-audit
<https://pypi.org/project/pip-audit/>`_, which uses the `Open Source
Vulnerability Database <https://osv.dev>`_.
For such a check, you can use for example ``uv audit`` Alternatively, you can
use `osv <https://pypi.org/project/osv/>`_ or `pip-audit
<https://pypi.org/project/pip-audit/>`_.

``uv audit`` is a new command introduced in uv≥0.11.19 that checks the
dependencies in your project for known vulnerabilities in the `OSV
<https://osv.dev>`_ database and ‘undesirable’ project statuses, such as
*deprecated*:

.. code-block:: console

$ uv audit
warning: `uv audit` is experimental and may change without warning. Pass `--preview-features audit-command` to disable this warning.
Resolved 115 packages in 16ms
Found 12 known vulnerabilities and no adverse project statuses in 114 packages

Vulnerabilities:

idna 3.12 has 1 known vulnerability:
- GHSA-65pc-fj4g-8rjx: Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
Fixed in: 3.15
Advisory information: https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx

``uv add``, ``uv sync``, and so on can now be run during every synchronisation
process to check for previously identified malware. This feature is not enabled
by default, but it can be easily enabled by setting ``UV_MALWARE_CHECK=1`` in
the shell.

.. seealso::
* `uv audit <https://docs.astral.sh/uv/reference/cli/#uv-audit>`_
* `uv audit settings <https://docs.astral.sh/uv/reference/settings/#audit>`_

If a vulnerability is found in a dependency, you should update to a
non-vulnerable version; if no update is available, you should consider removing
the dependency.

If you believe that the vulnerability does not affect your project, an
:file:`osv-scanner.toml` file can be created for ``osv``, including the ID to
ignore and a reason, for example:
If you believe that the security vulnerability does not affect your project, you
can define exceptions for ``uv audit`` in the :file:`pyproject.toml` file, for
example:

.. code-block:: toml
:caption: pyproject.toml

[tool.uv.audit]
ignore = ["PYSEC-2022-43017", "GHSA-5239-wwwm-4pmq"]

or better still:

.. code-block:: toml
:caption: pyproject.toml

[tool.uv.audit]
ignore-until-fixed = ["PYSEC-2022-43017"]

.. seealso::
* `ignore <https://docs.astral.sh/uv/reference/settings/#audit_ignore>`_
* `ignore-until-fixed
<https://docs.astral.sh/uv/reference/settings/#audit_ignore-until-fixed>`_

You can also add the vulnerability analysis using ``uv-audit`` to your
:doc:`pre-commit <git/advanced/hooks/pre-commit>` checks:

.. code-block:: yaml

[[IgnoredVulns]]
id = "GO-2022-1059"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No external http servers are written in Go lang."
- repo: https://github.com/astral-sh/uv-pre-commit
rev: 73c2d77a42a113aee9e4b748c24937f09557b82d # 0.11.24
hooks:
- id: uv-audit
files: ^(uv\.lock|pyproject\.toml)$

Maintenance
-----------
Expand Down
Loading