Comparing changes
base repository: github-community-projects/contributors
base: v2.0.2
head repository: github-community-projects/contributors
compare: v2.0.3
  • 2 commits
  • 14 files changed
  • 3 contributors

Commits on Mar 5, 2026

  1. fix: harden pip install against supply chain attacks (#415)

    - Expand requirements.txt via pip-compile to pin all transitive dependencies
    - Add --no-deps to Dockerfile pip install to prevent runtime dep resolution
    
    Resolves pip-install-no-hash-check security alert.
    
    Co-authored-by: Copilot <[email protected]>
    zkoppert and Copilot authored Mar 5, 2026
    Commit: 6f68596

Commits on Mar 8, 2026

  1. build: switch from pip to uv for dependency management (#416)

    * build: switch from pip to uv for dependency management
    
    ## What
    
    Replace pip-based dependency management with uv across the project,
    consolidating requirements.txt and requirements-test.txt into
    pyproject.toml with a generated uv.lock. Add a workflow to keep
    uv.lock in sync on Dependabot PRs.
    
    ## Why
    
    uv provides faster installs, deterministic lockfile resolution, and
    a simpler single-tool workflow for dependency and virtualenv management.
    
    ## Notes
    
    - Dockerfile now copies uv binary from ghcr.io/astral-sh/uv:latest and
      uses uv sync --frozen --no-dev instead of pip install
    - CI workflows use astral-sh/setup-uv with caching enabled
    - test_contributors.py reformatted by black (with-statement style change)
    - Dependabot will update pyproject.toml but does not natively understand
      uv.lock, so update-uv-lock.yml auto-commits the regenerated lockfile
      back to Dependabot PR branches
    - If branch protection requires signed commits, the update-uv-lock
      workflow may need a GitHub App token instead of GITHUB_TOKEN
    - Update CI matrix to include python 3.13 and 3.14
    
    Signed-off-by: jmeridth <[email protected]>
    
    * fix: address PR review feedback for uv migration
    
    ## What
    
    Pin the uv Docker image to a versioned digest, restore unbuffered
    Python output in the container, and update the super-linter workflow
    to use uv instead of the deleted requirements files.
    
    ## Why
    
    The review identified three issues: supply-chain risk from using a
    mutable :latest tag, loss of unbuffered stdout/stderr behavior needed
    for GitHub Actions log streaming, and the super-linter workflow still
    referencing the removed requirements.txt files.
    
    ## Notes
    
    - uv image pinned to 0.10.9@sha256:10902f58... — will need Dependabot
      or manual updates to rotate
    - PYTHONUNBUFFERED=1 replaces the previous python3 -u entrypoint flag
    
    Signed-off-by: jmeridth <[email protected]>
    
    * fix: address super-linter CI failures
    
    ## What
    
    Fix zizmor bot-conditions audit and codespell false positive on uv.lock.
    
    ## Why
    
    The zizmor audit flagged github.actor as spoofable since it refers to the
    last actor to modify the PR, not the creator. Codespell flagged "astroid"
    (a real Python package) in uv.lock as a misspelling of "asteroid".
    
    ## Notes
    
    - Replaced github.actor with github.event.pull_request.user.login which
      refers to the PR creator and cannot be spoofed by later commits
    - Added .codespellrc to ignore-words-list for "astroid"
    
    Signed-off-by: jmeridth <[email protected]>
    
    * fix: exclude .venv from jscpd duplicate detection
    
    ## What
    
    Add .venv to jscpd ignore list in the linter configuration.
    
    ## Why
    
    The uv sync step creates a .venv in the workspace during CI. jscpd was
    scanning vendored C files inside mypyc and reporting 50.58% duplication
    over the 50% threshold, failing the super-linter check.
    
    ## Notes
    
    - This only became an issue after switching to uv, which creates .venv
      in the workspace rather than installing into the system Python
    
    Signed-off-by: jmeridth <[email protected]>
    
    ---------
    
    Signed-off-by: jmeridth <[email protected]>
    jmeridth authored Mar 8, 2026
    Commit: d699725
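The zizmor bot-conditions finding and the Dependabot lockfile workflow described in the second commit, shown as an added example that is not the project's own update-uv-lock.yml; the workflow layout, action versions, step names and commit identity below are assumptions, with the spoofable condition kept as a comment beside the hardened one:

```yaml
# Hypothetical update-uv-lock.yml (assumed shape, not the project's file)
name: Update uv.lock on Dependabot PRs

on:
  pull_request:
    paths:
      - pyproject.toml

permissions:
  contents: write

jobs:
  update-lock:
    # Weak (flagged by zizmor bot-conditions): github.actor is whoever last
    # pushed to the PR, so a later push to a Dependabot branch satisfies it.
    #   if: github.actor == 'dependabot[bot]'
    # Hardened: the PR creator is fixed when the PR is opened and cannot be
    # changed by later commits.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR branch itself so the lockfile can be pushed back
          ref: ${{ github.event.pull_request.head.ref }}

      - uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true

      - name: Regenerate lockfile from the Dependabot-updated pyproject.toml
        run: uv lock

      - name: Commit regenerated uv.lock back to the PR branch
        # If branch protection requires signed commits, GITHUB_TOKEN will not
        # satisfy it and a GitHub App token is needed instead (per the commit notes).
        run: |
          if git diff --quiet -- uv.lock; then
            echo "uv.lock already in sync"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add uv.lock
          git commit -m "build: regenerate uv.lock"
          git push
```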