thePR0M3TH3AN/seedPass
1
0
Fork 0
mirror of https://github.com/PR0M3TH3AN/SeedPass.git synced 2025-09-08 07:18:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: add dependency auditing

Browse Source
This commit is contained in:
thePR0M3TH3AN
2025-08-03 08:32:57 -04:00
parent f66e8b4776
commit 5acd1d489d
3 changed files with 55 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/dependabot.yml vendored Normal file
View File

@@ -0,0 +1,10 @@
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"

25
.github/workflows/dependency-audit.yml vendored Normal file
View File

@@ -0,0 +1,25 @@
name: Dependency Audit
on:
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:
permissions:
contents: read
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r src/requirements.txt
pip install pip-audit
- name: Run pip-audit
run: pip-audit -r requirements.lock --ignore-vuln GHSA-wj6h-64fc-37mp

20
README.md
View File

@@ -36,6 +36,7 @@ SeedPass now uses the `portalocker` library for cross-platform file locking. No
- [Building a standalone executable](#building-a-standalone-executable) - [Building a standalone executable](#building-a-standalone-executable)
- [Packaging with Briefcase](#packaging-with-briefcase) - [Packaging with Briefcase](#packaging-with-briefcase)
- [Security Considerations](#security-considerations) - [Security Considerations](#security-considerations)
- [Dependency Updates](#dependency-updates)
- [Contributing](#contributing) - [Contributing](#contributing)
- [License](#license) - [License](#license)
- [Contact](#contact) - [Contact](#contact)
@@ -743,6 +744,25 @@ For local testing, Uvicorn can run with TLS directly:
uvicorn seedpass.api:app --ssl-certfile=cert.pem --ssl-keyfile=key.pem uvicorn seedpass.api:app --ssl-certfile=cert.pem --ssl-keyfile=key.pem
``` ```
## Dependency Updates
Automated dependency updates are handled by [Dependabot](https://docs.github.com/en/code-security/dependabot).
Every week, Dependabot checks Python packages and GitHub Actions used by this repository and opens pull requests when updates are available.
To review and merge these updates:
1. Review the changelog and release notes in the Dependabot pull request.
2. Run the test suite locally:
```bash
python3 -m venv venv
source venv/bin/activate
pip install -r src/requirements.txt
pytest
```
3. Merge the pull request once all checks pass.
A scheduled **Dependency Audit** workflow also runs [`pip-audit`](https://github.com/pypa/pip-audit) weekly to detect vulnerable packages. Address any reported issues promptly to keep dependencies secure.
## Contributing ## Contributing
Contributions are welcome! If you have suggestions for improvements, bug fixes, or new features, please follow these steps: Contributions are welcome! If you have suggestions for improvements, bug fixes, or new features, please follow these steps: