Skip to content

chore(deps-dev): update pip-audit requirement from <3.0.0,>=2.4.4 to >=2.10.0,<3.0.0#1141

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/main/pip-audit-gte-2.10.0-and-lt-3.0.0
Open

chore(deps-dev): update pip-audit requirement from <3.0.0,>=2.4.4 to >=2.10.0,<3.0.0#1141
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/main/pip-audit-gte-2.10.0-and-lt-3.0.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 13, 2026

Updates the requirements on pip-audit to permit the latest version.

Release notes

Sourced from pip-audit's releases.

v2.10.0

Added

  • pip-audit now supports the --osv-url URL flag, which can be used to retrieve vulnerabilities from a custom OSV service. This is useful for organizations that host their own mirror of the OSV database, or that have custom OSV records (#810)

  • pip-audit now supports the Ecosyste.ms vulnerability service with --vulnerability-service=esms (#903).

Changed

  • The minimum version of Python is now 3.10 (#905)

Fixed

  • Fixed a bug where pip-audit would fail to parse pyproject.toml files containing TOML 1.0.0 features (#910)

  • CycloneDX JSON/XML output now correctly links vulnerabilities to their affected components via the affects field (#980)

Changelog

Sourced from pip-audit's changelog.

[2.10.0]

Added

  • pip-audit now supports the --osv-url URL flag, which can be used to retrieve vulnerabilities from a custom OSV service. This is useful for organizations that host their own mirror of the OSV database, or that have custom OSV records (#810)

  • pip-audit now supports the Ecosyste.ms vulnerability service with --vulnerability-service=esms (#903).

Changed

  • The minimum version of Python is now 3.10 (#905)

Fixed

  • Fixed a bug where pip-audit would fail to parse pyproject.toml files containing TOML 1.0.0 features (#910)

  • CycloneDX JSON/XML output now correctly links vulnerabilities to their affected components via the affects field (#980)

[2.9.0]

Added

  • pip-audit now supports PEP 751 lockfiles. These lockfiles can be audited in "project" mode by passing --locked to pip-audit (#888)

[2.8.0]

Added

  • pip-audit now allows some CLI flags to be configured via environment variables (#755)

Changed

  • The default cache locations on macOS and Linux now respect each platform's caching directory idioms (e.g. XDG) (#814)

... (truncated)

Commits
  • dec2165 chore: prep release v2.10.0 (#905)
  • d191a22 Fix CycloneDX vulnerability-component linking (#980) (#981)
  • a3f69b1 dependabot: add cooldowns (#978)
  • 42df1b2 build(deps): bump astral-sh/setup-uv from 7.1.3 to 7.1.4 (#976)
  • d4cbb66 build(deps): bump actions/checkout from 5.0.1 to 6.0.0 (#977)
  • 0f2889d build(deps): bump github/codeql-action from 4.31.3 to 4.31.4 (#975)
  • ad15644 build(deps): bump actions/checkout from 5.0.0 to 5.0.1 (#974)
  • 831ca98 build(deps): bump astral-sh/setup-uv from 7.1.2 to 7.1.3 (#972)
  • afeb9ea build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 (#973)
  • 2969e7c build(deps): bump github/codeql-action from 4.31.0 to 4.31.2 (#971)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps-dev): update pip-audit requirement
f385567 
Updates the requirements on [pip-audit](https://github.com/pypa/pip-audit) to permit the latest version.
- [Release notes](https://github.com/pypa/pip-audit/releases)
- [Changelog](https://github.com/pypa/pip-audit/blob/main/CHANGELOG.md)
- [Commits](pypa/pip-audit@v2.4.4...v2.10.0)

---
updated-dependencies:
- dependency-name: pip-audit
  dependency-version: 2.10.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 13, 2026
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jenstroeger jenstroeger Awaiting requested review from jenstroeger jenstroeger is a code owner

@behnazh behnazh Awaiting requested review from behnazh behnazh is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants