konflux-ci · jajreidy · Mar 30, 2026 · Mar 27, 2026
@@ -31,6 +31,14 @@ jobs:
           pip install -e ".[dev]"
           pip install safety bandit
 
+      # pip-audit: fail on new OSV/PyPI advisories. Pygments CVE-2026-4539 (dev-only via pytest/diff-cover):
+      # no release >2.19.2 on PyPI yet — remove these --ignore-vuln flags when pyproject pins pygments>=2.19.3.
+      - name: Run pip-audit
+        run: |
+          pip-audit -l --desc on \
+            --ignore-vuln CVE-2026-4539 \
+            --ignore-vuln GHSA-5239-wwwm-4pmq
+
       - name: Run Safety check
         run: |
           safety check --json || safety check

@@ -105,6 +105,7 @@ celerybeat.pid
 
 # Environments
 .env
+.audit-venv/
 .venv
 env/
 venv/

@@ -24,6 +24,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Username/password (Basic Auth) support for packages.redhat.com
 
 ### Changed
+- Raised minimum versions for runtime (`httpx`, `pydantic`, `click`) and dev tooling in `pyproject.toml` / `setup.py`; build-system uses newer `setuptools`/`setuptools-scm`
+- Removed Sphinx and sphinx-rtd-theme from optional `dev` extras (in-tree docs build was removed earlier); Pygments may still be installed transitively (e.g. `pytest`, `diff-cover`)
 - Local `--artifact-results` folder path: `distributions` in `pulp_results.json` no longer includes a synthetic `artifacts` pulp-content URL (artifacts repo was already skipped; URL map now aligns)
 - `upload --target-arch-repo`: `pulp_results.json` `distributions` keys for per-arch RPM bases are `rpm_<arch>` instead of bare architecture names (e.g. `rpm_x86_64` not `x86_64`)
 - `upload` / `upload-files`: infer whether log and SBOM repos are needed before repository setup (directory `*.log` scan or `--results-json` artifact keys; SBOM via `--sbom-path` or SBOM-classified keys); omitted types are excluded from results `distributions`; clear errors if uploads are attempted without the matching repository
@@ -33,6 +35,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `upload --target-arch-repo` with `--signed-by`: RPM paths remain `{arch}/` only (no `{arch}/rpms-signed`); signing is via `signed_by` label on content
 - `pull`: use each artifact's ``url`` from pulp_results.json when present instead of synthesizing download URLs from distribution entries
 
+### Security
+- Added **`pip-audit`** to optional `dev` dependencies, **`make audit`** (isolated **`.audit-venv`** with **`pip-audit -l`**, same **CVE-2026-4539** / **GHSA-5239-wwwm-4pmq** ignores as CI until Pygments **>2.19.2** is on PyPI), and **`pip-audit -l`** in **`security-scan.yml`**; when a fixed Pygments is released, pin **`pygments>=…`** under `dev` in `pyproject.toml` / `setup.py` and drop the workflow/Makefile ignores
+- Optional docs stack (Sphinx) remains removed from `dev` extras; **CVE-2026-4539** still applies to transitive Pygments from **`pytest`** and **`diff-cover`** until a patched wheel is published
+
 ### Fixed
 - Generic `/api/v3/content/` responses that are a bare JSON array (not `{"results": [...]}`) no longer crash gather-by-href or `_find_artifact_content` with `TypeError: list indices must be integers or slices, not str`
 - Results JSON RPM URLs with `--signed-by`: use the `rpms-signed` distribution base (`distributions.rpms_signed` / correct artifact `url`) instead of the unsigned `rpms` path

@@ -1,8 +1,9 @@
 # Makefile for pulp-tool development tasks
 
 COMPARE_BRANCH ?= origin/main
+AUDIT_VENV ?= .audit-venv
 
-.PHONY: help install install-dev test test-diff-coverage lint format check clean
+.PHONY: help install install-dev test test-diff-coverage lint format check clean audit
 
 # Default target
 help:
@@ -14,6 +15,7 @@ help:
 	@echo "  make lint         - Run all linters"
 	@echo "  make format       - Format code with Black"
 	@echo "  make check        - Run all checks (lint + test)"
+	@echo "  make audit        - Run pip-audit in a throwaway venv (only this project's dev deps)"
 	@echo "  make clean        - Clean build artifacts"
 	@echo ""
 	@echo "  Diff coverage base: COMPARE_BRANCH=origin/main (override for e.g. origin/release-1.0)"
@@ -68,6 +70,18 @@ format:
 # Run all checks
 check: lint test
 
+# Pygments CVE-2026-4539: no wheel >2.19.2 on PyPI yet (transitive via pytest/diff-cover). Drop when pinning pygments>=2.19.3.
+AUDIT_IGNORES := --ignore-vuln CVE-2026-4539 --ignore-vuln GHSA-5239-wwwm-4pmq
+
+audit:
+	@echo "pip-audit: creating $(AUDIT_VENV), installing .[dev]..."
+	@rm -rf "$(AUDIT_VENV)" && python3 -m venv "$(AUDIT_VENV)" && \
+	 "$(AUDIT_VENV)/bin/python" -m pip install -q -U pip && \
+	 "$(AUDIT_VENV)/bin/python" -m pip install -q -e ".[dev]" && \
+	 "$(AUDIT_VENV)/bin/pip-audit" -l --desc on $(AUDIT_IGNORES)
+	@rm -rf "$(AUDIT_VENV)"
+	@echo "pip-audit: OK"
+
 # Cleanup
 clean:
 	rm -rf build/

@@ -1,5 +1,5 @@
 [build-system]
-requires = ["setuptools>=45", "wheel", "setuptools_scm[toml]>=6.2"]
+requires = ["setuptools>=69.0", "wheel", "setuptools_scm[toml]>=8.0"]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -27,34 +27,34 @@ classifiers = [
 ]
 requires-python = ">=3.12"
 dependencies = [
-    "httpx>=0.24.0",
-    "pydantic>=2.0.0",
-    "click>=8.0.0",
+    "httpx>=0.27.0",
+    "pydantic>=2.10.0",
+    "click>=8.1.0",
 ]
 
 [project.optional-dependencies]
 dev = [
     # Testing
-    "pytest>=6.0",
-    "pytest-asyncio>=0.21.0",
-    "pytest-cov>=2.0",
-    "pytest-mock>=3.6",
-    "respx>=0.20.0",
+    "pytest>=8.0",
+    "pytest-asyncio>=0.24.0",
+    "pytest-cov>=6.0",
+    "pytest-mock>=3.14.0",
+    "respx>=0.22.0",
     "diff-cover>=7.0",
     # Code formatting and linting
-    "black>=25.0",
-    "flake8>=3.8",
-    "mypy>=0.800",
-    "pylint>=2.8",
+    "black>=25.1.0",
+    "flake8>=7.0",
+    "mypy>=1.11.0",
+    "pylint>=3.3.0",
     # Pre-commit hooks
-    "pre-commit>=3.0.0",
+    "pre-commit>=4.0.0",
     # Build tools
-    "setuptools>=45",
+    "setuptools>=69.0",
     "wheel",
-    "setuptools-scm[toml]>=6.2",
-    # Documentation
-    "sphinx>=4.0",
-    "sphinx-rtd-theme>=1.0",
+    "setuptools-scm[toml]>=8.0",
+    # Dependency CVE audit (local: make audit). When Pygments >2.19.2 is on PyPI, add
+    # "pygments>=2.19.3" here and remove CVE-2026-4539 ignores from .github/workflows/security-scan.yml.
+    "pip-audit>=2.7.0",
 ]
 
 [project.scripts]

@@ -44,27 +44,27 @@ def read_readme():
     # Dependencies are defined in pyproject.toml
     # Duplicated here for pip install compatibility
     install_requires=[
-        "httpx>=0.24.0",
-        "pydantic>=2.0.0",
-        "click>=8.0.0",
+        "httpx>=0.27.0",
+        "pydantic>=2.10.0",
+        "click>=8.1.0",
     ],
     extras_require={
         "dev": [
-            "pytest>=6.0",
-            "pytest-cov>=2.0",
-            "pytest-mock>=3.6",
-            "respx>=0.20.0",
+            "pytest>=8.0",
+            "pytest-asyncio>=0.24.0",
+            "pytest-cov>=6.0",
+            "pytest-mock>=3.14.0",
+            "respx>=0.22.0",
             "diff-cover>=7.0",
-            "black>=21.0",
-            "flake8>=3.8",
-            "mypy>=0.800",
-            "pylint>=2.8",
-            "pre-commit>=3.0.0",
-            "setuptools>=45",
+            "black>=25.1.0",
+            "flake8>=7.0",
+            "mypy>=1.11.0",
+            "pylint>=3.3.0",
+            "pre-commit>=4.0.0",
+            "setuptools>=69.0",
             "wheel",
-            "setuptools-scm[toml]>=6.2",
-            "sphinx>=4.0",
-            "sphinx-rtd-theme>=1.0",
+            "setuptools-scm[toml]>=8.0",
+            "pip-audit>=2.7.0",
         ],
     },
     entry_points={
-Original file line number
+Diff line change
@@ Expand Up / @@ -105,6 +105,7 @@ celerybeat.pid @@
     # Environments
     .env
+    .audit-venv/
     .venv
     env/
     venv/
@@ Expand Down @@