Package
Other
Description
Summary
scripts/check_dependency_confusion.py currently looks for a non-standard section marker ([project.dependencies]) when scanning pyproject.toml files.
In this repository, Python packages use standard PEP 621 layout ([project] + dependencies = [...]), so this path can miss dependency entries in strict scanning mode.
Affected file
scripts/check_dependency_confusion.py (function: check_pyproject_toml)
Root cause
The parser toggles dependency scanning only when a line starts with [project.dependencies], but standard pyproject files declare dependencies under [project] as an array key.
Why this matters
This script is used by CI security gates and weekly audit workflows. Missing standard dependency declarations reduces dependency-confusion coverage for Python manifests.
Proposed fix
Update check_pyproject_toml to parse standard PEP 621 dependency structure ([project] dependencies and optional-dependencies) robustly.
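As an added illustration of the parsing the fix calls for (example code written here, not the repository's script), the snippet below reads the standard PEP 621 layout with the standard-library TOML parser instead of scanning for a section marker; `pep621_dependency_names`, the `registered` parameter of `check_pyproject_toml`, and the sample manifest are all assumed or constructed for this example.

```python
import re
try:
    import tomllib  # Python 3.11+ standard library
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore  # older interpreters, if tomli is installed

# PEP 508: the distribution name precedes any extras, version spec or marker.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def pep621_dependency_names(toml_text: str) -> set[str]:
    """Normalized names from [project] dependencies and every
    [project.optional-dependencies] extra (hypothetical helper)."""
    project = tomllib.loads(toml_text).get("project", {})
    reqs = list(project.get("dependencies", []))
    for extra_reqs in project.get("optional-dependencies", {}).values():
        reqs.extend(extra_reqs)
    names = set()
    for req in reqs:
        match = _NAME_RE.match(req)
        if match:
            names.add(normalize(match.group(1)))
    return names

def check_pyproject_toml(toml_text: str, registered: set[str]) -> dict[str, list[str]]:
    """Split declared names by whether they appear in `registered`, the set of
    names known to exist on the public index (supplied by the caller)."""
    found = pep621_dependency_names(toml_text)
    known = {normalize(n) for n in registered}
    return {"registered": sorted(found & known),
            "unregistered": sorted(found - known)}

# Constructed sample manifest in standard PEP 621 layout: no [project.dependencies] table.
SAMPLE_PYPROJECT = """
[project]
name = "demo"
dependencies = [
  "requests>=2.31",
  "Internal_Utils==1.0 ; python_version >= '3.11'",
]

[project.optional-dependencies]
dev = ["pytest", "acme-private-tools[extra]>=0.1"]
"""

if __name__ == "__main__":
    print(check_pyproject_toml(SAMPLE_PYPROJECT, {"requests", "pytest"}))
```

Names are normalized on both sides before comparison so that `Internal_Utils` and `internal-utils` are treated as the same distribution, which a plain string match would miss.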
Suggested tests
Add dedicated tests for scripts/check_dependency_confusion.py to verify:
- Standard [project] dependencies = [...] entries are scanned.
- [project.optional-dependencies] entries are scanned.
- Registered packages are accepted.
- Unregistered packages are flagged.
- Existing local-only package severity behavior is preserved.
Acceptance criteria
- Scanner flags unregistered packages declared in standard [project] dependencies.
- Existing strict scan behavior for requirements/notebooks/package.json/Cargo.toml remains unchanged.
- New regression tests cover the pyproject parsing path.
Code of Conduct