chore(deps): update dependency pip-audit to ~=2.8.0 #744
[puLL-Merge] - pypa/pip-audit@v2.7.0..v2.8.0

Diff

diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
new file mode 100644
index 00000000..e5bc36e9
--- /dev/null
+++ .github/ISSUE_TEMPLATE/bug-report.yml
@@ -0,0 +1,105 @@
+name: Bug report
+description: File a bug report
+title: "Bug: "
+labels:
+ - bug-candidate
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thank you for taking the time to report a potential bug in `pip-audit`!
+
+ Please read the following parts of this form carefully.
+ Invalid or incomplete submissions will be given a lower priority or
+ closed outright.
+
+ - type: checkboxes
+ attributes:
+ label: Pre-submission checks
+ description: |
+ By submitting this issue, you affirm that you've satisfied the following conditions.
+ options:
+ - label: >-
+ I am **not** filing an auditing error (false positive or negative).
+ These **must** be reported to
+ [pypa/advisory-database](https://github.com/pypa/advisory-database/issues/new) instead.
+ required: true
+ - label: >-
+ I agree to follow the [PSF Code of Conduct](https://www.python.org/psf/conduct/).
+ required: true
+ - label: >-
+ I have looked through the open issues for a duplicate report.
+ required: true
+
+ - type: textarea
+ attributes:
+ label: Expected behavior
+ description: A clear and concise description of what you expected to happen.
+ placeholder: |
+ I expected `pip-audit ...` to do X, Y, and Z.
+ validations:
+ required: true
+
+ - type: textarea
+ attributes:
+ label: Actual behavior
+ description: A clear and concise description of what actually happened.
+ placeholder: |
+ Instead of doing X, Y, and Z, `pip-audit ...` produced got the following error: ...
+ validations:
+ required: true
+
+ - type: textarea
+ attributes:
+ label: Reproduction steps
+ description: A step-by-step list of actions that we can take to reproduce the actual behavior.
+ placeholder: |
+ 1. Do this
+ 2. Do that
+ 3. Do another thing
+ validations:
+ required: true
+
+ - type: textarea
+ attributes:
+ label: Logs
+ description: |
+ If applicable, please paste any logs or console errors here.
+
+ If you can re-run the command that produced the error, run it with
+ `--verbose` and paste the full verbose logs here.
+ render: plain text
+
+ - type: textarea
+ attributes:
+ label: Additional context
+ description: Add any other additional context about the problem here.
+
+ - type: input
+ attributes:
+ label: OS name, version, and architecture
+ placeholder: Mac OS X 10.4.11 on PowerPC
+
+ - type: input
+ attributes:
+ label: pip-audit version
+ description: |
+ `pip-audit -V`
+ validations:
+ required: true
+
+ - type: input
+ attributes:
+ label: pip version
+ description: |
+ `pip -V` or `pip3 -V`
+ validations:
+ required: true
+
+ - type: input
+ attributes:
+ label: Python version
+ description: |
+ `python -V` or `python3 -V`
+ validations:
+ required: true
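Review bot: the "Actual behavior" placeholder reads "`pip-audit ...` produced got the following error", a leftover from two merged phrasings; change it to "produced the following error" before the form ships, since every new report will carry the placeholder verbatim. The Logs field asks for `--verbose` output; a short reminder there to scrub anything sensitive (private index URLs, tokens) from the pasted logs would fit, since the description otherwise invites pasting the full run unedited.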
diff --git .github/ISSUE_TEMPLATE/bug_report.md .github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index 5e16fe4d..00000000
--- .github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: bug-candidate
-assignees: ''
-
----
-
-Thank you for reporting a potential bug in `pip-audit`! Please read the next parts of this template carefully:
-
-**IMPORTANT**: Please **do not** report auditing errors (false positives or negatives) to this repository. Instead, please report them to [pypa/advisory-database](https://github.com/pypa/advisory-database/issues/new).
-
-**IMPORTANT:** Please fill out every section below. Bug reports with missing information will be
-given a lower priority or closed outright.
-
-Please comment out or remove this line and everything above it from your report.
-
-## Bug description
-
-A clear and concise description of what the bug is.
-
-## Reproduction steps
-
-A step-by-step list of actions to reproduce the behavior.
-
-## Expected behavior
-
-A clear and concise description of what you expected to happen.
-
-## Screenshots and logs
-
-If applicable, add screenshots to help explain your problem.
-
-Similarly, if applicable and possible, re-run the command with `--verbose`,
-and paste the logs in the code block below:
-
-\`\`\`
-Paste logs here, or remove me if not applicable!
-```
-
-## Platform information
-
-* OS name and version:
-* `pip-audit` version (`pip-audit -V`):
-* Python version (`python -V` or `python3 -V`):
-* `pip` version (`pip -V` or `pip3 -V`):
-
-## Additional context
-
-Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature-request.yml b/.github/ISSUE_TEMPLATE/feature-request.yml
new file mode 100644
index 00000000..10c52d6f
--- /dev/null
+++ .github/ISSUE_TEMPLATE/feature-request.yml
@@ -0,0 +1,55 @@
+name: Feature request
+description: Suggest an idea or enhancement for pip-audit
+title: "Feature: "
+labels:
+ - enhancement
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thank for for making a `pip-audit` feature request!
+
+ Please read the following parts of this form carefully.
+ Invalid or incomplete submissions will be given a lower priority or
+ closed outright.
+
+ - type: checkboxes
+ attributes:
+ label: Pre-submission checks
+ description: |
+ By submitting this issue, you affirm that you've satisfied the following conditions.
+ options:
+ - label: >-
+ I am **not** reporting a new vulnerability or requesting a new vulnerability identifier.
+ These **must** be reported or managed via upstream dependency sources or services,
+ not this repository.
+ required: true
+ - label: >-
+ I agree to follow the [PSF Code of Conduct](https://www.python.org/psf/conduct/).
+ required: true
+ - label: >-
+ I have looked through the open issues for a duplicate request.
+ required: true
+
+ - type: textarea
+ attributes:
+ label: What's the problem this feature will solve?
+ description: |
+ A clear and concise description of the problem.
+ placeholder: |
+ I'm always frustrated when ...
+ validations:
+ required: true
+
+ - type: textarea
+ attributes:
+ label: Describe the solution you'd like
+ description: A clear and concise description of what you want to happen.
+ validations:
+ required: true
+
+ - type: textarea
+ attributes:
+ label: Additional context
+ description: |
+ Any additional context, screenshots, or other material about the feature request.
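Review bot: typo in the intro markdown, "Thank for for making" should be "Thank you for making". Also, the old template's "Describe alternatives you've considered" section (deleted from feature_request.md below) has no counterpart in this form; if that was dropped on purpose, fine, otherwise add a third, optional textarea for it so requests keep stating what was ruled out.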
diff --git .github/ISSUE_TEMPLATE/feature_request.md .github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index 1a81bc7e..00000000
--- .github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: enhancement
-assignees: ''
-
----
-
-Thank you for making a `pip-audit` feature request! Please read the next parts of this template carefully:
-
-**IMPORTANT**: Please **do not** report new vulnerabilities or request new vulnerability identifiers on this repository. This tool takes vulnerability information from upstream services and is not capable of minting new vulnerability reports.
-
-**IMPORTANT:** Please fill out every section below. Feature requests with missing information will be given a lower priority or closed outright.
-
-Please comment out or remove this line and everything above it from your request.
-
-**Is your feature request related to a problem? Please describe.**
-
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-
-Add any other context or screenshots about the feature request here.
diff --git .github/workflows/ci.yml .github/workflows/ci.yml
index 16bfbb6a..053f5087 100644
--- .github/workflows/ci.yml
+++ .github/workflows/ci.yml
@@ -8,21 +8,25 @@ on:
schedule:
- cron: '0 12 * * *'
+permissions: {}
+
jobs:
test:
strategy:
matrix:
python:
- - "3.8"
- "3.9"
- "3.10"
- "3.11"
- "3.12"
+ - "3.13"
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
with:
python-version: ${{ matrix.python }}
cache: "pip"
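Review bot: the version comment on the `actions/setup-python` pin is only `# v5`, while docs.yml pins the same SHA `42375524e23c412d93fb67b49958b491fce71c38` as `# v5.4.0`; use the full tag here (and in lint.yml, which has the same `# v5`) so Dependabot/Renovate can keep the comment in sync with the SHA and a reader can tell which release the hash is. `permissions: {}` at the top plus `persist-credentials: false` on checkout is the right minimum for a job that only runs tests.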
@@ -30,3 +34,17 @@ jobs:
- name: test
run: make test PIP_AUDIT_EXTRA=test
+
+ all-tests-pass:
+ if: always()
+
+ needs:
+ - test
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: check test jobs
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+ with:
+ jobs: ${{ toJSON(needs) }}
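Review bot: `all-tests-pass` is the job that branch protection should now require, instead of each `test (3.x)` matrix leg; otherwise adding "3.13" to the matrix leaves the new leg unrequired until someone remembers to update the protection rule. Keep the `if: always()`, it is what lets alls-green run and fail when a leg fails or is cancelled rather than being skipped along with it.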
diff --git .github/workflows/docs.yml .github/workflows/docs.yml
index b498ed7f..20a579d7 100644
--- .github/workflows/docs.yml
+++ .github/workflows/docs.yml
@@ -5,13 +5,17 @@ on:
branches:
- main
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4.1.1 # v3.3.0
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
# NOTE: We use 3.10+ typing syntax via future, which pdoc only
# understands if it's actually run with Python 3.10 or newer.
@@ -26,7 +30,7 @@ jobs:
run: |
make doc
- name: upload docs artifact
- uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8 # v3.0.0
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
path: ./html/
@@ -47,4 +51,4 @@ jobs:
url: ${{ steps.deployment.outputs.page_url }}
steps:
- id: deployment
- uses: actions/deploy-pages@7a9bd943aa5e5175aeb8502edcc6c1c02d398e10 # v4.0.2
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git .github/workflows/lint.yml .github/workflows/lint.yml
index 004d4531..cc1a6d5a 100644
--- .github/workflows/lint.yml
+++ .github/workflows/lint.yml
@@ -6,15 +6,19 @@ on:
- main
pull_request:
+permissions: {}
+
jobs:
lint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
with:
- python-version: "3.8"
+ python-version: "3.9"
cache: "pip"
cache-dependency-path: pyproject.toml
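Review bot: `python-version: "3.9"` in the `lint` job carries no comment saying it is the minimum supported version, while `check-readme` in the next hunk has a NOTE explaining exactly that; copy the NOTE here so the next minimum-version bump (this one touched CONTRIBUTING.md, README.md and both lint jobs) does not miss this job.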
@@ -24,14 +28,16 @@ jobs:
check-readme:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4.1.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
# NOTE(ww): Important: use pip-audit's minimum supported Python version
# in this check, since Python can change the `--help` rendering in
# `argparse` between major versions.
with:
- python-version: "3.8"
+ python-version: "3.9"
cache: "pip"
cache-dependency-path: pyproject.toml
diff --git .github/workflows/release.yml .github/workflows/release.yml
index d08cf0c2..7be1f9ec 100644
--- .github/workflows/release.yml
+++ .github/workflows/release.yml
@@ -13,24 +13,22 @@ jobs:
permissions:
# Used to authenticate to PyPI via OIDC.
- # Used to sign the release's artifacts with sigstore-python.
id-token: write
# Used to attach signing artifacts to the published release.
contents: write
steps:
- - uses: actions/checkout@v4.1.1
-
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
- python-version: ">= 3.8"
- cache: "pip"
- cache-dependency-path: pyproject.toml
+ persist-credentials: false
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
+ with:
+ python-version-file: pyproject.toml
- name: deps
- run: python -m pip install -U setuptools build wheel
+ run: python -m pip install -U build
- name: build
run: python -m build
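Review bot: `contents: write` and its comment "Used to attach signing artifacts to the published release" are stale now that the `sign` step which uploaded release assets is removed in the next hunk; drop `contents: write` and keep only `id-token: write` for PyPI OIDC so the release job holds the minimum token scope. Dropping `cache: "pip"` is fine for a job that installs only `build`, and `python-version-file: pyproject.toml` removes one more hard-coded version.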
@@ -38,8 +36,3 @@ jobs:
- name: publish
uses: pypa/gh-action-pypi-publish@release/v1
- - name: sign
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- with:
- inputs: ./dist/*.tar.gz ./dist/*.whl
- release-signing-artifacts: true
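Review bot: removing the sigstore step means this workflow no longer publishes signatures for the sdist and wheel, and none of the CHANGELOG entries added in this diff mention it; say so under 2.8.0, including what (if anything) replaces them, so downstream verifiers know what to expect. Separately, `pypa/gh-action-pypi-publish@release/v1` is now the only action in these workflows still referenced by a mutable branch name; pin it to a SHA with a version comment like the rest, since this is the job that holds the PyPI publishing token.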
diff --git .github/workflows/scorecards.yml .github/workflows/scorecards.yml
index b3355ff7..cd3f3311 100644
--- .github/workflows/scorecards.yml
+++ .github/workflows/scorecards.yml
@@ -7,8 +7,8 @@ on:
push:
branches: [ "main" ]
-# Declare default permissions as read only.
-permissions: read-all
+# No permissions needed at top-level.
+permissions: {}
jobs:
analysis:
@@ -19,35 +19,35 @@ jobs:
security-events: write
# Used to receive a badge. (Upcoming feature)
id-token: write
-
+
steps:
- name: "Checkout code"
- uses: actions/checkout@v4.1.1 # tag=v3.0.0
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
# Publish the results for public repositories to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # tag=v3.1.3
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
-
+
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # tag=v2.13.4
+ uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
with:
sarif_file: results.sarif
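Review bot: `actions/upload-artifact` moves from v3.1.3 to v4.6.0 and `github/codeql-action/upload-sarif` from v2.13.4 to v3.27.1, both major bumps hidden among SHA refreshes; v4 artifacts are immutable, so the name "SARIF file" can be uploaded only once per run, which this workflow satisfies, but note the major bumps in the commit message rather than leaving them to be found from the version comments. The remaining changes in this hunk are trailing-whitespace removal only.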
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..6830f8ba
--- /dev/null
+++ .github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
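Review bot: every action in this new workflow is referenced by a mutable tag (`actions/checkout@v4`, `astral-sh/setup-uv@v5`, `github/codeql-action/upload-sarif@v3`) while every other workflow in this diff moves to SHA pins with a version comment; pin these the same way, not least because zizmor's own `unpinned-uses` audit will report them. `uvx zizmor` likewise installs whatever is newest on PyPI on each run; pin a specific version so a bad upstream release cannot break or quietly weaken the check. There is also no top-level `permissions: {}` as in the other workflows, so any job added later inherits the repository default token. Finally, the upload step has no `if: always()`: if `Run zizmor` exits non-zero when it has findings, the SARIF never reaches code scanning, which is precisely when it matters.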
diff --git .pre-commit-config.yaml .pre-commit-config.yaml
index f999c0d1..d44962f5 100644
--- .pre-commit-config.yaml
+++ .pre-commit-config.yaml
@@ -27,7 +27,7 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pypa/pip-audit
- rev: v2.7.0
+ rev: v2.8.0
hooks:
- id: pip-audit
- repo: https://github.com/rhysd/actionlint
diff --git CHANGELOG.md CHANGELOG.md
index 598906dd..36f84ed9 100644
--- CHANGELOG.md
+++ CHANGELOG.md
@@ -8,6 +8,57 @@ All versions prior to 0.0.9 are untracked.
## [Unreleased]
+## [2.8.0]
+
+### Added
+
+* `pip-audit` now allows some CLI flags to be configured via environment
+ variables ([#755](https://github.com/pypa/pip-audit/pull/755))
+
+### Changed
+
+* The default cache locations on macOS and Linux now respect each platform's
+ caching directory idioms (e.g. XDG)
+ ([#814](https://github.com/pypa/pip-audit/pull/814))
+
+* The minimum version of Python is now 3.9
+ ([#846](https://github.com/pypa/pip-audit/pull/846))
+
+### Fixed
+
+* Auditing a fully-pinned requirements file with `--disable-pip` now allows for
+ duplicates, so long as the duplicates don't have conflicting specifier sets
+ ([#749](https://github.com/pypa/pip-audit/pull/749))
+* Fixed two sources of unnecessary resource leaks when doing file I/O
+ ([#878](https://github.com/pypa/pip-audit/pull/878))
+
+## [2.7.3]
+
+### Fixed
+
+* Improved handling of temporary files on Windows
+ ([#757](https://github.com/pypa/pip-audit/pull/757))
+
+* Fixed a subprocess deadlock on Windows
+ ([#756](https://github.com/pypa/pip-audit/pull/756))
+
+## [2.7.2]
+
+### Fixed
+
+* `pip-audit` now invokes `pip` with `--keyring-provider=subprocess`,
+ partially fixing a regression that was introduced with another authentication
+ fix in [2.6.2]. This allows the interior `pip` to use `keyring` to perform
+ third-party index authentication.
+
+## [2.7.1]
+
+### Fixed
+
+* Improved the error returned to users when their default temporary
+ directory lacks execute permissions
+ ([#737](https://github.com/pypa/pip-audit/pull/737))
+
## [2.7.0]
### Added
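Review bot: the [2.7.2] entry is the only one without a PR link; add one for consistency with the other entries. The #749 note should also say what happens when duplicates do conflict (an error, or last-one-wins), since that is what a user who hits it needs to know, and the removal of the sigstore release-signing step elsewhere in this diff is a user-visible change that belongs under 2.8.0 as well.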
@@ -567,7 +618,11 @@ All versions prior to 0.0.9 are untracked.
dependency errors ([#146](https://github.com/pypa/pip-audit/pull/146))
<!-- Release URLs -->
-[Unreleased]: https://github.com/pypa/pip-audit/compare/v2.7.0...HEAD
+[Unreleased]: https://github.com/pypa/pip-audit/compare/v2.8.0...HEAD
+[2.8.0]: https://github.com/pypa/pip-audit/compare/v2.7.3...v2.8.0
+[2.7.3]: https://github.com/pypa/pip-audit/compare/v2.7.2...v2.7.3
+[2.7.2]: https://github.com/pypa/pip-audit/compare/v2.7.1...v2.7.2
+[2.7.1]: https://github.com/pypa/pip-audit/compare/v2.7.0...v2.7.1
[2.7.0]: https://github.com/pypa/pip-audit/compare/v2.6.3...v2.7.0
[2.6.3]: https://github.com/pypa/pip-audit/compare/v2.6.2...v2.6.3
[2.6.2]: https://github.com/pypa/pip-audit/compare/v2.6.1...v2.6.2
diff --git CONTRIBUTING.md CONTRIBUTING.md
index 89be92bd..7ccbc291 100644
--- CONTRIBUTING.md
+++ CONTRIBUTING.md
@@ -8,7 +8,7 @@ as well as performing common development tasks.
## Requirements
-`pip-audit`'s only development environment requirement *should* be Python 3.8
+`pip-audit`'s only development environment requirement *should* be Python 3.9
or newer. Development and testing is actively performed on macOS and Linux,
but Windows and other supported platforms that are supported by Python
should also work.
diff --git Makefile Makefile
index 9b0726fe..53bc7da9 100644
--- Makefile
+++ Makefile
@@ -57,15 +57,16 @@ $(VENV)/pyvenv.cfg: pyproject.toml
lint: $(VENV)/pyvenv.cfg
. $(VENV_BIN)/activate && \
ruff format --check $(ALL_PY_SRCS) && \
- ruff $(ALL_PY_SRCS) && \
+ ruff check $(ALL_PY_SRCS) && \
mypy $(PY_MODULE) && \
interrogate -c pyproject.toml .
.PHONY: reformat
reformat:
. $(VENV_BIN)/activate && \
- ruff --fix $(ALL_PY_SRCS) && \
+ ruff check --fix $(ALL_PY_SRCS) && \
ruff format $(ALL_PY_SRCS)
+
.PHONY: test tests
test tests: $(VENV)/pyvenv.cfg
. $(VENV_BIN)/activate && \
diff --git README.md README.md
index f9dcc65c..aa860f44 100644
--- README.md
+++ README.md
@@ -25,6 +25,7 @@ with support from Google. This is not an official Google or Trail of Bits produc
* [GitHub Actions](#github-actions)
* [`pre-commit` support](#pre-commit-support)
* [Usage](#usage)
+ * [Environment variables](#environment-variables)
* [Exit codes](#exit-codes)
* [Dry runs](#dry-runs)
* [Examples](#examples)
@@ -50,7 +51,7 @@ with support from Google. This is not an official Google or Trail of Bits produc
## Installation
-`pip-audit` requires Python 3.8 or newer, and can be installed directly via `pip`:
+`pip-audit` requires Python 3.9 or newer, and can be installed directly via `pip`:
```bash
python -m pip install pip-audit
@@ -106,7 +107,7 @@ For example, using `pip-audit` via `pre-commit` to audit a requirements file:
```yaml
- repo: https://github.com/pypa/pip-audit
- rev: v2.7.0
+ rev: v2.8.0
hooks:
- id: pip-audit
args: ["-r", "requirements.txt"]
@@ -218,6 +219,20 @@ optional arguments:
+### Environment variables
Exit codesOn completion,
Here's my review of the PR:

Description

This PR includes several significant changes to

Possible Issues

Security Hotspots

Changes

By filename:
```mermaid
sequenceDiagram
    participant User
    participant CLI
    participant EnvVars
    participant Cache
    participant VirtualEnv
    participant AuditService
    User->>CLI: Run pip-audit
    CLI->>EnvVars: Check for environment variables
    CLI->>Cache: Initialize cache directory
    Cache->>Cache: Migrate legacy cache (if exists)
    CLI->>VirtualEnv: Create isolated environment
    VirtualEnv->>VirtualEnv: Install dependencies
    VirtualEnv->>AuditService: Query vulnerabilities
    AuditService-->>CLI: Return results
    CLI-->>User: Display formatted output
```
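The sequence diagram above and the 2.8.0 notes in the diff touch three related pieces of startup behaviour: settings taken from environment variables, a cache directory that follows XDG on Linux and the platform idiom on macOS, and a one-time migration of a legacy cache. The block below is an added illustration of how those fit together, written for this page and not pip-audit's own code; the application name `example-audit`, the legacy directory `.example-audit-cache` under `$HOME` and the `EXAMPLE_AUDIT_CACHE_DIR` variable are invented for the example, and ignoring `XDG_CACHE_HOME` on macOS is this example's design choice.

```python
import os
import shutil
import tempfile

# Hypothetical names for this illustration; pip-audit's real application name
# and legacy cache path are not taken from this page.
APP_NAME = "example-audit"
LEGACY_DIRNAME = ".example-audit-cache"  # assumed legacy location directly under $HOME


def default_cache_dir(system: str, env: dict, home: str) -> str:
    """Platform-idiomatic cache root.

    Linux and other POSIX: $XDG_CACHE_HOME/<app>, but only when XDG_CACHE_HOME is an
    absolute path (the XDG Base Directory spec says relative values must be ignored);
    otherwise ~/.cache/<app>.
    macOS ("Darwin"): ~/Library/Caches/<app>; XDG is ignored there in this example.
    """
    if system == "Darwin":
        return os.path.join(home, "Library", "Caches", APP_NAME)
    xdg = env.get("XDG_CACHE_HOME", "")
    if xdg and os.path.isabs(xdg):
        return os.path.join(xdg, APP_NAME)
    return os.path.join(home, ".cache", APP_NAME)


def resolve_cache_dir(system: str, env: dict, home: str, cli_value: str = None) -> str:
    """Precedence: explicit CLI flag > EXAMPLE_AUDIT_CACHE_DIR (invented name) > platform default."""
    return cli_value or env.get("EXAMPLE_AUDIT_CACHE_DIR") or default_cache_dir(system, env, home)


def migrate_legacy_cache(legacy: str, target: str) -> bool:
    """Move an old cache into the new location exactly once: never clobber an
    existing target, and do nothing when there is no legacy directory."""
    if os.path.isdir(legacy) and not os.path.exists(target):
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(legacy, target)
        return True
    return False


def demo() -> dict:
    """Exercise the migration in a throwaway HOME and report what happened."""
    with tempfile.TemporaryDirectory() as home:
        legacy = os.path.join(home, LEGACY_DIRNAME)
        os.makedirs(legacy)
        with open(os.path.join(legacy, "marker"), "w") as fh:
            fh.write("cached")
        target = resolve_cache_dir("Linux", {}, home)
        return {
            "target": os.path.relpath(target, home),
            "migrated": migrate_legacy_cache(legacy, target),
            "migrated_again": migrate_legacy_cache(legacy, target),
            "marker_moved": os.path.isfile(os.path.join(target, "marker")),
            "legacy_removed": not os.path.exists(legacy),
        }


if __name__ == "__main__":
    print(demo())
```

The absolute-path check on `XDG_CACHE_HOME` is the detail most implementations forget: a relative value would otherwise make the cache land wherever the tool happens to be run from.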
This PR contains the following updates:

pip-audit: `~=2.7.0` -> `~=2.8.0`
Release Notes

pypa/pip-audit (pip-audit)

v2.8.0 ([Compare Source](https://github.com/pypa/pip-audit/compare/v2.7.3...v2.8.0))

Added

* `pip-audit` now allows some CLI flags to be configured via environment variables ([#755](https://github.com/pypa/pip-audit/pull/755))

Changed

* The default cache locations on macOS and Linux now respect each platform's caching directory idioms (e.g. XDG) ([#814](https://github.com/pypa/pip-audit/pull/814))
* The minimum version of Python is now 3.9 ([#846](https://github.com/pypa/pip-audit/pull/846))

Fixed

* Auditing a fully-pinned requirements file with `--disable-pip` now allows for duplicates, so long as the duplicates don't have conflicting specifier sets ([#749](https://github.com/pypa/pip-audit/pull/749))
* Fixed two sources of unnecessary resource leaks when doing file I/O ([#878](https://github.com/pypa/pip-audit/pull/878))
Configuration
📅 Schedule: Branch creation - "* 0-12 * * 3" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
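The `--disable-pip` fix (#749) in the release notes above says duplicate entries in a fully pinned requirements file are accepted as long as their specifier sets don't conflict. The block below is an added illustration of that reconciliation rule, written for this page and not pip-audit's own code: its parser handles only the plain `name[extras] specifiers ; marker # comment` form plus `\` continuations and `--hash` options, the sample requirements are constructed, and treating any two differing specifier sets for the same project as a conflict is this example's reading of "conflicting".

```python
import re

# Constructed sample requirements (not from any real project). The backslash
# continuation and --hash line mimic what hash-generating compilers emit.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Requests == 2.32.3          # duplicate of the line above: same pin, different case and spacing
urllib3==2.2.2 ; python_version >= "3.8"
cryptography==43.0.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.2              # exact duplicate: allowed
"""

# Same file plus a second, different pin for urllib3: a conflict.
CONFLICTING_REQUIREMENTS = SAMPLE_REQUIREMENTS + "urllib3==1.26.19\n"

# Same file plus an unpinned entry: not fully pinned.
LOOSE_REQUIREMENTS = SAMPLE_REQUIREMENTS + "flask>=3.0\n"

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: Requests, requests and zope.interface/zope-interface collapse."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str):
    """Return (canonical name, frozenset of specifiers), or None for non-requirement lines."""
    line = line.split("#", 1)[0]          # strip trailing comment
    line = line.split(";", 1)[0].strip()  # strip environment marker
    if not line or line.startswith("-"):  # blank line, or an option such as -r / --index-url
        return None
    match = _NAME_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, _extras, rest = match.groups()
    # Drop per-requirement options like --hash=..., keep only version specifiers.
    spec_text = " ".join(tok for tok in rest.split() if not tok.startswith("--"))
    specifiers = frozenset(s.replace(" ", "") for s in spec_text.split(",") if s.strip())
    return canonical_name(name), specifiers


def reconcile(text: str) -> dict:
    """Collapse duplicates; raise ValueError when one project has two different specifier sets."""
    seen: dict = {}
    # Join backslash continuations first, so line numbers below count logical lines.
    for lineno, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, specifiers = parsed
        if name in seen and seen[name] != specifiers:
            raise ValueError(
                f"logical line {lineno}: conflicting specifiers for {name}: "
                f"{sorted(seen[name])} vs {sorted(specifiers)}"
            )
        seen[name] = specifiers
    return seen


def conflict_message(text: str):
    """The conflict error message, or None when the file reconciles cleanly."""
    try:
        reconcile(text)
    except ValueError as exc:
        return str(exc)
    return None


def is_fully_pinned(reqs: dict) -> bool:
    """Every project must carry exactly one `==version` specifier (not `===`)."""
    return all(
        len(specs) == 1
        and next(iter(specs)).startswith("==")
        and not next(iter(specs)).startswith("===")
        for specs in reqs.values()
    )


def pinned_versions(text: str) -> dict:
    """name -> version for a fully pinned file; raises on conflicts or loose pins."""
    reqs = reconcile(text)
    if not is_fully_pinned(reqs):
        raise ValueError("requirements file is not fully pinned")
    return {name: next(iter(specs))[2:] for name, specs in reqs.items()}


if __name__ == "__main__":
    print(pinned_versions(SAMPLE_REQUIREMENTS))
    print(conflict_message(CONFLICTING_REQUIREMENTS))
```

Failing loudly on a conflicting duplicate is the safe behaviour for an auditor: silently keeping either pin could audit a version that is not the one that actually gets installed.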