pip-audit VS setup-dvc

Compare pip-audit vs setup-dvc and see what their differences are.

pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them (by pypa)

setup-dvc

DVC GitHub action (by iterative)
                pip-audit           setup-dvc
Mentions        22                  1
Stars           903                 29
Growth          2.2%                -
Activity        8.8                 2.9
Last commit     6 days ago          about 2 months ago
Language        Python              JavaScript
License         Apache License 2.0  -
The number of mentions indicates the total number of mentions that we've tracked plus the number of user-suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

pip-audit

Posts with mentions or reviews of pip-audit. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-01-18.

setup-dvc

Posts with mentions or reviews of setup-dvc. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-12-20.
  • Pre-commit: framework for managing/maintaining multi-language pre-commit hooks
    9 projects | news.ycombinator.com | 20 Dec 2021
    Here's our setup, which is the result of several iterations and ergonomics refinements. Note: our stack is 90% python, with TS for frontend. Also 95% devs use mac (there's one data scientist on windows, he uses WSL).

    We install enough utilities with `brew` to get pyenv working, use that to build all python versions. Then iirc `brew install pipx`, maybe it's `pip3 install --user pipx`. Anyway, that's the only python library binary installed outside a venv.

    Pipx installs isort, black, dvc, and pre-commit.

    Every repo has a Makefile. This drives all the common operations. Pyproject.toml (/eslint.json?) set the config for isort and black (or eslint). `make format` runs isort and black on python, eslint on js. `make lint` just verifies.

    Pre-commit only runs the lint, it doesn't format. It also runs some scripts to ensure you aren't accidentally committing large files. Pre-commit also runs several DVC actions (the default dvc hooks) on commit, push, and checkout. These run in a venv managed by pre-commit. We just pin the version.

    Github actions has a dedicated lint.yaml which runs a python linter action. We use the black version here to define which black pipx installs. We use `act` if we wanna see how an action runs without sending a commit just to trigger jobs.

    As an aside, I'm still fiddling with the dvc `pre-commit` post-checkout hooks. They don't always pull the files when they ought to.

    Most of the actual unit/integration tests run in containers, but they can run in a venv with the same logic, thanks to makefile. We use a dvc action to sync files in CI.

    So yeah there's technically 2 copies of black and dvc, but we just use pinning. In practice, we've only had one issue with discrepancies in behavior locally vs CI, which was local black not catching a rule to avoid ''' for docstrings; using """ fixed it. On the whole, pre-commit saves against a lot of annoying goofs, but CI system is law, so we largely harmonize against that.

    IMHO, this is the least egregious "double accounting" we have in local vs staging ci vs production ci (I lost that battle, manager would rather keep staging.yaml and production.yaml, rather than parameterize. Shrug.gif).

    Technologies referenced:

    https://dvc.org/

    https://github.com/iterative/setup-dvc

    https://github.com/marketplace/actions/python-linter

    https://github.com/nektos/act

What are some alternatives?

When comparing pip-audit and setup-dvc you can also consider the following projects:

ochrona-cli - A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs

pre-commit-hooks.nix - Seamless integration of https://pre-commit.com git hooks with Nix.

npm-esbuild-audit

aura - Python source code auditing and static analysis on a large scale

tox-poetry-installer - A plugin for Tox that lets you install test environment dependencies from the Poetry lockfile

dvc - 🦉 ML Experiments and Data Management with Git

squelch

yapf - A formatter for Python files

tan - The uncompromising Python code formatter

in-toto - in-toto is a framework to protect supply chain integrity.

husky - Git hooks made easy 🐶 woof!