pip-audit VS black

Next up is making sure, none of the dependencies used throughout the project brings with it any already identified security issue. The makefile target audit, invokes the handy tool pip-audit.

Here is my "one true" Makefile for Python projects[1]. The skeleton gets tweaked slightly each time, but it's served me well for 4+ years.

[1]: https://github.com/pypa/pip-audit/blob/main/Makefile

Why use this over the established https://pypi.org/project/pip-audit/ ?

https://pypi.org/project/pip-audit/ details usage and the GitHub Action install.

If it's pure Python, the only packaging file you need is `pyproject.toml`. You can fill that file with packaging metadata per PEP 518 and PEP 621, including using modern build tooling like flit[1] for the build backend and build[2] for the frontend.

With that, you entire package build (for all distribution types) should be reducible to `python -m build`. Here's an example of a full project doing everything with just `pyproject.toml`[3] (FD: my project).

[1]: https://github.com/pypa/flit

[2]: https://github.com/pypa/build

[3]: https://github.com/pypa/pip-audit

- repo: https://github.com/trailofbits/pip-audit rev: v2.4.3 hooks: - id: pip-audit args: [ "-r", "requirements.txt" ] ci: # Leave pip-audit to only run locally and not in CI # pre-commit.ci does not allow network calls skip: [ pip-audit ]

This is really nicely written; kudos to the author for compiling a great deal of information in a readable format.

If I can be forgiven one nitpick: Poetry does not use a PEP 518-style[1] build configuration by default, which means that its use of `pyproject.toml` is slightly out of pace with the rest of the Python packaging ecosystem. That isn't to say that it isn't excellent, because it is! But you the standards have come a long way, and you can now use `pyproject.toml` with any build backend as long as you use the standard metadata.

By way of example, here's a project that's completely PEP 517 and PEP 518 compatible without needing a setup.py or setup.cfg[2]. Everything goes through pyproject.toml.

[1]: https://peps.python.org/pep-0518/

[2]: https://github.com/trailofbits/pip-audit/blob/main/pyproject...

Checking could be done if something like this eventually shows up in safety or pip-audit.

Something like python's pip-audit. For commercial solutions I know there's Snyk and Jfrog we can always purchase, but I'm interested to see if there's an open-source tool that can do this.

$ git commit -m "add pre-commit configuration" [INFO] Initializing environment for https://github.com/psf/black. [INFO] Installing environment for https://github.com/psf/black. [INFO] Once installed this environment will be reused. [INFO] This may take a few minutes... black................................................(no files to check)Skipped [main 6e21eab] add pre-commit configuration 1 file changed, 7 insertions(+)

Black: Known as “The Uncompromising Code Formatter”, Black automatically formats your Python code to conform to the PEP 8 style guide. It takes away the hassle of having to manually adjust your code style.

black @ git+https://github.com/psf/black

In the realm of Python development, there is a multitude of code formatters that adhere to PEP 8 guidelines. Today, we will briefly discuss how to install and utilize black.

Perfect, that worked, thank you!

I thought this could be solved by changing the directory to src/ and then executing that command, but this didn't work.

This also seems to be an issue with the web app, e.g. the repository for the formatter black is only one white dot https://dep-tree-explorer.vercel.app/api?repo=https://github...

Ruff is not only much faster, but it is also very convenient to have an all-in-one solution that replaces multiple other widely used tools: Flake8 (linter), isort (imports sorting), Black (code formatter), autoflake, many Flake8 plugins and more. And it has drop-in parity with these tools, so it is really straightforward to migrate from them to Ruff.

What I am looking for is something like Black for Python, which is opinionated, with reasonable defaults, and auto-fixes most/all issues.

1. LICENSE: This file contains information about the rights and permissions granted to users regarding the use, modification, distribution, and sharing of the software. I already had an MIT License in my project. 2. pyproject.toml: It is a configuration file typically used for specifying build requirements and backend build systems for Python projects. I was already using this file for Black code formatter configuration. 3. README.md: Used as a documentation file for your project, typically includes project overview, installation instructions and optionally, contribution instructions. 4. example_package_YOUR_USERNAME_HERE: One big change I had to face was restructuring my project, essentially packaging all files in this directory. The name of this directory should be what you want to name your package and shoud not conflict with any of the existing packages. Of course, since its a Python Package, it needs to have an __init__.py. 5. tests/: This is where you put all your unit and integration tests, I think its optional as not all projects will have tests. The rest of the project remains as is.

using pylint and black ("the uncompromising code formatter")