Releases · pypa/pip-audit

2.0.0 - 2022-02-18

Added

CLI: The --fix flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available (#212, #222)
CLI: The combination of --fix and --dry-run is now supported, causing pip-audit to perform the auditing step but not any resulting fix steps (#223)
CLI: The --require-hashes flag has been added which can be used in conjunction with -r to check that all requirements in the file have an associated hash (#229)
CLI: The --index-url flag has been added, allowing users to use custom package indices when running with the -r flag (#238)
CLI: The --extra-index-url flag has been added, allowing users to use multiple package indices when running with the -r flag (#238 )

Changed

pip-audit's minimum Python version is now 3.7.
CLI: The default output format is now correctly pluralized (#221)
Output formats: The SBOM output formats (--format=cyclonedx-xml and --format=cyclonedx-json) now use CycloneDX Schema 1.4 (#216)
Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI (#229)
Vulnerability sources: pip-audit now uniques each result based on its alias set, reducing the amount of duplicate information in the default columnar output format (#232)
CLI: pip-audit now prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally (#240 )

Fixed

Provide feedback