
Release v2.0.0

@github-actions github-actions released this 18 Feb 15:29
03578f1

2.0.0 - 2022-02-18

Added

  • CLI: The --fix flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available (#212, #222)
  • CLI: The combination of --fix and --dry-run is now supported, causing pip-audit to perform the auditing step but not any resulting fix steps (#223)
  • CLI: The --require-hashes flag has been added which can be used in conjunction with -r to check that all requirements in the file have an associated hash (#229)
  • CLI: The --index-url flag has been added, allowing users to use custom package indices when running with the -r flag (#238)
  • CLI: The --extra-index-url flag has been added, allowing users to use multiple package indices when running with the -r flag (#238)

Changed

  • pip-audit's minimum Python version is now 3.7.
  • CLI: The default output format is now correctly pluralized (#221)
  • Output formats: The SBOM output formats (--format=cyclonedx-xml and --format=cyclonedx-json) now use CycloneDX Schema 1.4 (#216)
  • Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI (#229)
  • Vulnerability sources: pip-audit now deduplicates results based on their alias sets, reducing the amount of duplicate information in the default columnar output format (#232)
  • CLI: pip-audit now prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally (#240)
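
The two hash checks described above (the --require-hashes rule, and comparing the hashes in a requirements file against those reported by the index), as an added illustration that is not pip-audit's own code: it parses pip's --hash=<algo>:<digest> continuation-line syntax from a constructed requirements file and compares it against a constructed stand-in for the per-release digests an index such as PyPI would report. The digests, the REQUIREMENTS text and the REPORTED table are all made-up sample data.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Requirement:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests

_PIN = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)$")

def parse_requirements(text):
    """Parse pinned requirements; backslash continuation lines are joined first."""
    reqs = []
    for logical in text.replace("\\\n", " ").splitlines():
        tokens = logical.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        m = _PIN.match(tokens[0])
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {tokens[0]}")
        req = Requirement(m.group(1).lower(), m.group(2))
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, digest = tok[len("--hash="):].split(":", 1)
                req.hashes.setdefault(algo, set()).add(digest.lower())
        reqs.append(req)
    return reqs

def missing_hashes(reqs):
    """The --require-hashes rule: every requirement must carry at least one hash."""
    return [r.name for r in reqs if not r.hashes]

def mismatched_hashes(reqs, reported):
    """Names whose file hashes share nothing with the digests the index reports."""
    return [r.name for r in reqs if r.hashes and not any(
        r.hashes[a] & reported.get((r.name, r.version), {}).get(a, set())
        for a in r.hashes)]

GOOD, BAD = "a" * 64, "b" * 64  # constructed placeholder digests, not real ones
REQUIREMENTS = (  # constructed sample file, not a real lockfile
    "Flask==2.0.3 \\\n    --hash=sha256:" + GOOD + "\n"
    "jinja2==3.0.3 \\\n    --hash=sha256:" + BAD + "\n"
    "click==8.0.3\n"
)
REPORTED = {  # constructed stand-in for the per-release digests an index reports
    ("flask", "2.0.3"): {"sha256": {GOOD}},
    ("jinja2", "3.0.3"): {"sha256": {"c" * 64}},
}
```

On this input, missing_hashes reports click (no hash, so --require-hashes would reject the file) and mismatched_hashes reports jinja2 (its pinned hash matches none of the index-reported digests).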

Fixed

  • CLI: A regression causing excess output during pip-audit -r was fixed (#226)