Skip to content

feat(audit): dogfood the pip-audit dependency-audit gate on the maintainer repo#8

Merged
maybebyte merged 4 commits into
mainfrom
chore/dogfood-dependency-audit
Jul 7, 2026
Merged

feat(audit): dogfood the pip-audit dependency-audit gate on the maintainer repo#8
maybebyte merged 4 commits into
mainfrom
chore/dogfood-dependency-audit

Conversation

@maybebyte

Copy link
Copy Markdown
Owner

Summary

Dogfood the dependency-audit gate the template ships (roadmap gap #5): the maintainer repo now audits its own locked dependency graph with pip-audit, so it practices the guardrail it forces on every downstream.

Changes

  • just audituv export the fully-resolved lockfile, then uvx pip-audit@2.10.1 over it (.gitignore backstop for the temp export). Out-of-band (chained into no recipe), mirroring how just scan is wired.
  • CI — a pip-audit step in the existing scan job of test-template.yml (reuses the checkout + setup-uv; no new job, action, or token).
  • Docs — new ## Dependency audit section in AGENTS.md (framing + pin-sync obligation) plus the design + plan under docs/superpowers/.

Testing

  • just audit → 35 packages, no known vulnerabilities, exit 0.
  • Non-vacuity check: uv export … --no-dev yields 0 packages vs 35 without it (confirms the gate is substantive, not vacuously green).
  • Full generation matrix green (under the oldest supported Python); zizmor clean; ruff check / ruff format --check / basedpyright green.

Notes for reviewers

  • --no-dev is deliberately dropped (the template keeps it). package = false puts every dep in the dev group, so the template's --no-dev export would be empty and pass vacuously here — dropping it audits the real ~35-package graph. Documented in AGENTS.md; do not restore it.
  • pip-audit is non-hermetic (queries the OSV/PyPI advisory DB), so this gate can turn red on a newly-published CVE independent of any code change.

Related

@maybebyte maybebyte merged commit d4b0e99 into main Jul 7, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant