Thank you for your interest in contributing to pip-audit!
The information below will help you set up a local development environment, as well as performing common development tasks.
pip-audit's only development environment requirement should be Python 3.8
or newer. Development and testing is actively performed on macOS and Linux,
but Windows and other supported platforms that are supported by Python
should also work.
If you're on a system that has GNU Make, you can use the convenience targets
included in the Makefile that comes in the pip-audit repository detailed
below. But this isn't required; all steps can be done without Make.
First, clone this repository:
git clone https://github.com/pypa/pip-audit
cd pip-auditThen, use one of the Makefile targets to run a task. The first time this is
run, this will also set up the local development virtual environment, and will
install pip-audit as an editable package into this environment.
Any changes you make to the pip_audit source tree will take effect
immediately in the virtual environment.
You can lint locally with:
make lintpip-audit is automatically linted and formatted with a collection of tools:
ruff: Formatting, PEP-8 linting, style enforcementmypy: Static type checkinginterrogate: Documentation coverage
To automatically apply any lint-suggested changes, you can run:
make reformatYou can run the tests locally with:
make testYou can also filter by a pattern (uses pytest -k):
make test TESTS=test_audit_dry_runTo test a specific file:
make test T=path/to/file.pypip-audit has a pytest-based unit test suite,
including code coverage with coverage.py.
You can run the documentation build locally:
make docpip-audit uses pdoc3 to generate HTML documentation for
the public Python APIs.
Live documentation for the main branch is hosted
here. Only the public APIs are
documented, all undocumented APIs are intentionally private and unstable.
NOTE: If you're a non-maintaining contributor, you don't need the steps here! They're documented for completeness and for onboarding future maintainers.
Releases of pip-audit are managed with bump
and GitHub Actions.
The following manual steps are required:
-
Create a new development branch for the release. For example:
$ git checkout -b prepare-1.0.0 -
Update
pip-audit's__version__attribute. It can be found underpip_audit/__init__.py.Note: You can do this automatically with
bump:# See bump --help for all options $ bump --major
-
Commit your changes to the branch and create a new Pull Request.
-
Tag another maintainer for review. Once approved, you may merge your PR.
-
Create a new tag corresponding to the merged version change. For example:
# IMPORTANT: don't forget the `v` prefix! $ git tag v1.0.0
-
Push the new tag:
$ git push origin v1.0.0 -
Use the releases page to create a new release, marking it as a "pre-release" if appropriate.
-
Copy the relevant CHANGELOG entries into the release notes.
-
Save and publish the release. The CI will take care of all other tasks.
Here are some guidelines to follow if you're working on a new feature or changes to
pip-audit's internal APIs:
-
Keep the
pip-auditAPIs as private as possible. Nearly all ofpip-audit's APIs should be private and treated as unstable and unsuitable for public use. If you're adding a new module to the source tree, prefix the filename with an underscore to emphasize that it's an internal (e.g.,pip_audit/_foo.pyinstead ofpip_audit/foo.py). -
Keep the CLI consistent with
pip.pip-audit's CLI should roughly mirror that ofpip. If you're adding a new flag or option to the CLI, check whetherpipalready has the same functionality (e.g., HTTP timeout control) and use the same short and long mnemonics. -
Perform judicious debug logging.
pip-audituses the standard Pythonloggingmodule. Uselogger.debugearly and often -- users who experience errors can submit better bug reports when their debug logs include helpful context! -
Update the CHANGELOG. If your changes are public or result in changes to
pip-audit's CLI, please record them under the "Unreleased" section, with an entry in an appropriate subsection ("Added", "Changed", "Removed", or "Fixed").