fix(ci): split runtime and dev dependency audits (#313) #314

Merged

liujuanjuan1984 merged 1 commit into main from fix/runtime-audit-split
Mar 25, 2026


Conversation

@liujuanjuan1984
Collaborator

Description of changes

This PR restricts the blocking dependency audit to runtime dependencies and leaves vulnerability checks for dev toolchain dependencies in the existing dependency-health channel.

Specific adjustments

  • The CI workflow now runs the blocking pip-audit against the runtime requirements exported from uv.lock
  • The Publish workflow likewise runs the blocking pip-audit only against the runtime requirements
  • scripts/dependency_health.sh now exports the dev extra dependency graph and runs the dev dependency audit
  • scripts/README.md adds a description of the runtime blocking / dev visibility scripts

Background and motivation

This repository has the same problem as another repository: CI / Publish run uv run pip-audit directly after installing with --all-extras, so vulnerabilities in dev toolchain dependencies such as pytest -> pygments and pip-audit -> rich -> pygments also block mainline CI and the release process.

The pygments 2.19.2 / CVE-2026-4539 finding has been reproduced. It is not a runtime dependency, so the more reasonable policy is:

  • runtime dependencies continue to block
  • dev dependencies remain visible, but do not block unrelated business commits and releases

Verification record

  • bash -n scripts/dependency_health.sh
    • Result: passed
  • git diff --check
    • Result: passed
  • bash ./scripts/doctor.sh
    • Result: passed, 364 passed
  • uv export --format requirements.txt --no-dev --locked --no-emit-project --output-file /tmp/opencode-runtime-req-final.txt >/dev/null && uv run pip-audit --requirement /tmp/opencode-runtime-req-final.txt
    • Result: No known vulnerabilities found
  • bash ./scripts/dependency_health.sh
    • Result: still reports pygments 2.19.2 / CVE-2026-4539, matching the expectation of "keeping dev dependency risk visible"

Related issue

@liujuanjuan1984 liujuanjuan1984 marked this pull request as ready for review March 25, 2026 11:59
@liujuanjuan1984 liujuanjuan1984 merged commit 2f3c346 into main Mar 25, 2026
3 checks passed
@liujuanjuan1984 liujuanjuan1984 deleted the fix/runtime-audit-split branch March 25, 2026 11:59
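The runtime-blocking / dev-visibility split described in the PR above, written out as an added example script. This is not the project's own CI workflow or its scripts/dependency_health.sh; it reuses the uv export and pip-audit invocations quoted in the verification record for the runtime scope and assumes (not stated on the page beyond "dev extra") that the dev toolchain lives in an extra named dev. The audit policy is isolated in audit_outcome so the blocking decision can be checked without uv or pip-audit installed; the actual audits run only when DEP_AUDIT_RUN=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code: split dependency auditing into a
# blocking runtime audit and a visibility-only dev audit.
# Assumes uv and pip-audit are on PATH when DEP_AUDIT_RUN=1, and that the dev
# toolchain is declared in an extra named "dev" (assumption).
set -u

# Export a locked requirements file for the given scope from uv.lock.
#   runtime: locked runtime dependencies only (no dev group, project excluded)
#   dev:     the "dev" extra as well (assumed extra name)
export_requirements() {
  local scope="$1" out="$2"
  case "$scope" in
    runtime)
      uv export --format requirements.txt --no-dev --locked --no-emit-project \
        --output-file "$out" >/dev/null ;;
    dev)
      uv export --format requirements.txt --extra dev --locked --no-emit-project \
        --output-file "$out" >/dev/null ;;
    *)
      echo "unknown scope: $scope" >&2
      return 2 ;;
  esac
}

# Policy: a non-zero pip-audit exit status means findings were reported.
# Runtime findings fail the job (blocking); dev findings are only surfaced.
# Prints exactly one of: ok, fail, warn.
audit_outcome() {
  local scope="$1" status="$2"
  if [ "$status" -eq 0 ]; then
    echo ok
  elif [ "$scope" = runtime ]; then
    echo fail
  else
    echo warn
  fi
}

# Export, audit, apply the policy. Returns non-zero only for a runtime "fail",
# so the dev audit can never break CI or a release on its own.
run_audit() {
  local scope="$1" req status outcome
  req="$(mktemp)"
  export_requirements "$scope" "$req" || return 2
  # Capture the exit status without letting set -e abort the script.
  if uv run pip-audit --requirement "$req"; then status=0; else status=$?; fi
  rm -f "$req"
  outcome="$(audit_outcome "$scope" "$status")"
  echo "[$scope audit] result: $outcome (pip-audit exit $status)"
  [ "$outcome" != fail ]
}

main() {
  run_audit runtime || exit 1   # blocking: gates CI / Publish
  run_audit dev || true         # visibility only: reported, never blocks
}

# Run the audits only on explicit request so the functions can be sourced and
# the policy exercised on machines without uv or pip-audit.
if [ "${DEP_AUDIT_RUN:-0}" = 1 ]; then
  main
fi
```

In a workflow this maps onto two steps: the runtime step uses the script's exit status as the gate, and the dev step runs the same audit but is marked continue-on-error (or, as here, has its failure swallowed) so its findings stay in the log without blocking.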

Development

Successfully merging this pull request may close these issues.

[Priority: High] [CI/Security] Restrict the blocking dependency audit to runtime dependencies and keep dev visibility

1 participant