2.0.0 - 2022-02-18
Added
- CLI: The --fix flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available (#212, #222)
- CLI: The combination of --fix and --dry-run is now supported, causing pip-audit to perform the auditing step but not any resulting fix steps (#223)
- CLI: The --require-hashes flag has been added which can be used in conjunction with -r to check that all requirements in the file have an associated hash (#229)
- CLI: The --index-url flag has been added, allowing users to use custom package indices when running with the -r flag (#238)
- CLI: The --extra-index-url flag has been added, allowing users to use multiple package indices when running with the -r flag (#238)
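As an added illustration of what the --require-hashes check in this release enforces (that every requirement in a -r file carries a --hash), here is a small standalone checker; it is hypothetical code written for this note, not pip-audit's own implementation, and the requirements text it scans is constructed.

```python
# Added illustration of the check that --require-hashes describes: every
# requirement must carry a --hash. Hypothetical code, not pip-audit's own.
import re

STRONG_ALGOS = {"sha256", "sha384", "sha512"}   # the algorithms pip accepts
HASH_OPT = re.compile(r"--hash[= ]([A-Za-z0-9]+):([0-9A-Fa-f]+)")

def logical_lines(text: str):
    """Yield requirement lines: continuations joined, comments/blanks dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing or whole-line comment
        if line.rstrip().endswith("\\"):     # backslash continuation
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""
    if buf.strip():                          # file ended on a continuation
        yield " ".join(buf.split())

def check_hashes(text: str) -> dict:
    """Return specifiers with no --hash ('missing') and specifiers whose
    hashes all use an algorithm pip does not accept ('weak')."""
    missing, weak = [], []
    for line in logical_lines(text):
        if line.startswith("-"):             # -r, --index-url and other options
            continue
        spec = line.split("--hash", 1)[0].strip()
        algos = {a.lower() for a, _ in HASH_OPT.findall(line)}
        if not algos:
            missing.append(spec)
        elif not algos & STRONG_ALGOS:
            weak.append(spec)
    return {"missing": missing, "weak": weak}

# Constructed sample: one hashed, one weakly hashed, one unhashed requirement.
SAMPLE = (
    "# constructed requirements file\n"
    "--index-url https://pypi.org/simple\n"
    "requests==2.27.1 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "idna==3.3 --hash=md5:" + "b" * 32 + "\n"
    "urllib3==1.26.8  # no hash at all\n"
)

if __name__ == "__main__":
    print(check_hashes(SAMPLE))  # {'missing': ['urllib3==1.26.8'], 'weak': ['idna==3.3']}
```

Whether a hash that is present actually matches what the index reports is a separate step (the PyPI comparison listed under Changed below); this checker only answers whether a hash is present at all.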
Changed
- pip-audit's minimum Python version is now 3.7.
- CLI: The default output format is now correctly pluralized (#221)
- Output formats: The SBOM output formats (--format=cyclonedx-xml and --format=cyclonedx-json) now use CycloneDX Schema 1.4 (#216)
- Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI (#229)
- Vulnerability sources: pip-audit now deduplicates each result based on its alias set, reducing the amount of duplicate information in the default columnar output format (#232)
- CLI: pip-audit now prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally (#240)
Fixed
- CLI: A regression causing excess output during pip-audit -r was fixed (#226)