Updates dependencies (#740)

* Updates dependencies

Upgrades project dependencies, including Black, Pydantic, and others, to their latest versions for improved security, performance, and new features.

Removes the now unneeded `requirements.txt` file and its contents,
This `requirements.txt` has now been deleted as all dependencies will be managed by Poetry.

* Lock file

* Add safety policy and project configuration files; update dependencies and license information

* fix project license config

* safety checks beforetests

* cspell

* key

* [MegaLinter] Apply linters fixes :)

* avoid duplicate runs

---------

Co-authored-by: nvuillam <17500430+nvuillam@users.noreply.github.com>

Author: nvuillam

.cspell.json

@@ -113,6 +113,7 @@
     "encryptable",
     "esktop",
     "esult",
+    "exploitability",
     "finlaymacklon",
     "forcelist",
     "fseventsd",

.github/workflows/build.yml

@@ -1,6 +1,12 @@
 name: build
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
 
 jobs:
   build:
@@ -33,10 +39,12 @@ jobs:
         run: |
           make check-codestyle
 
-      - name: Run tests
-        run: |
-          make test
-
       - name: Run safety checks
+        env:
+          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}
         run: |
           make check-safety
+
+      - name: Run tests
+        run: |
+          make test

.github/workflows/mega-linter.yml

@@ -4,10 +4,12 @@
 name: MegaLinter
 
 on:
-  # Trigger mega-linter at every push. Action will also be visible from Pull Requests to master
-  push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions)
+  push:
+    branches:
+      - main
   pull_request:
-    branches: [master, main]
+    branches:
+      - main
 
 env: # Comment env block if you do not want to apply fixes
   # Apply linter fixes configuration

.safety-policy.yml

@@ -0,0 +1,55 @@
+version: "3.0"
+
+scanning-settings:
+  max-depth: 6
+  exclude: []
+  include-files: []
+  system:
+    targets: []
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      python:
+        environment-results: true
+        unpinned-requirements: true
+      vulnerabilities:
+        "51457":
+          reason: Legacy ignore migrated from Safety 2.x `-i 51457` flag
+          expires: "2099-12-31"
+          specifications: []
+      cvss-severity: []
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - high
+        - medium
+        - critical
+      exploitability:
+        - high
+        - medium
+        - critical
+
+security-updates:
+  dependency-vulnerabilities:
+    auto-security-updates-limit:
+      - patch
+
+installation:
+  default-action: allow
+  audit-logging:
+    enabled: true
+  allow:
+    packages: []
+    vulnerabilities: {}
+  deny:
+    packages: {}
+    vulnerabilities:
+      warning-on-any-of:
+        cvss-severity: []
+      block-on-any-of:
+        cvss-severity: []

.safety-project.ini

@@ -0,0 +1,5 @@
+[project]
+id = github-dependents-info
+url = /codebases/github-dependents-info/findings
+name = github-dependents-info
+

Makefile

@@ -54,7 +54,7 @@ mypy:
 .PHONY: check-safety
 check-safety:
 	poetry check
-	poetry run safety check --full-report -i 51457
+	poetry run safety scan --target . --policy-file .safety-policy.yml --detailed-output
 	poetry run bandit -ll --recursive github_dependents_info tests
 
 .PHONY: lint

poetry.lock

@@ -8,7 +8,8 @@ name = "github-dependents-info"
 version = "1.6.3"
 description = "Collect information about dependencies between a github repo and other repositories. Results available in JSON, markdown and badges."
 readme = "README.md"
-license = {file = "LICENSE"}
+license = "MIT"
+license-files = ["LICENSE"]
 authors = [
   {name = "nvuillam", email = "nicolas.vuillamy@gmail.com"},
 ]
@@ -23,7 +24,6 @@ classifiers = [
   "Intended Audience :: Developers",
   "Operating System :: OS Independent",
   "Topic :: Software Development :: Libraries :: Python Modules",
-  "License :: OSI Approved :: MIT License",
   "Programming Language :: Python :: 3",
   "Programming Language :: Python :: 3.9",
 ]
@@ -39,12 +39,13 @@ Repository = "https://github.com/nvuillam/github-dependents-info"
 [tool.poetry.dependencies]
 python = ">=3.10,<4.0"
 
-typer = {extras = ["all"], version = ">=0.4,<0.10"}
-rich = ">=12.6,<14.0"
+click = ">=8.1.7,<8.2"
+typer = {extras = ["all"], version = ">=0.9.4,<0.10"}
+rich = ">=13.9.4,<14.0"
 beautifulsoup4 = "4.12.3"
-pandas = "^2.0.0"
-requests = "^2.32.4"
-idna = ">=3.7"
+pandas = ">=2.3.3,<3.0"
+requests = "^2.32.5"
+idna = ">=3.11"
 
 [tool.poetry.group.dev.dependencies]
 bandit = "^1.7.5"
@@ -64,6 +65,7 @@ coverage-badge = "^1.1.0"
 cryptography = ">=44.0.1"
 pytest-html = "^4.1.1"
 pytest-cov = "^4.0.0"
+marshmallow = ">=3.20,<4.0"
 
 [tool.black]
 # https://github.com/psf/black

pyproject.toml

@@ -1,10 +1,10 @@
-beautifulsoup4==4.12.3 ; python_version >= "3.9" and python_version < "4.0"
-click==8.1.7 ; python_version >= "3.9" and python_version < "4.0"
-colorama==0.4.6 ; python_version >= "3.9" and python_version < "4.0"
-markdown-it-py==4.0.0 ; python_version >= "3.9" and python_version < "4.0"
-mdurl==0.1.2 ; python_version >= "3.9" and python_version < "4.0"
-pygments==2.17.2 ; python_version >= "3.9" and python_version < "4.0"
-rich==13.7.1 ; python_version >= "3.9" and python_version < "4.0"
-shellingham==1.5.4 ; python_version >= "3.9" and python_version < "4.0"
-soupsieve==2.5 ; python_version >= "3.9" and python_version < "4.0"
-typer[all]==0.9.0 ; python_version >= "3.9" and python_version < "4.0"
+beautifulsoup4==4.12.3 ; python_version >= "3.10" and python_version < "4.0"
+click==8.1.7 ; python_version >= "3.10" and python_version < "4.0"
+colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0"
+markdown-it-py==4.0.0 ; python_version >= "3.10" and python_version < "4.0"
+mdurl==0.1.2 ; python_version >= "3.10" and python_version < "4.0"
+pygments==2.19.2 ; python_version >= "3.10" and python_version < "4.0"
+rich==13.9.4 ; python_version >= "3.10" and python_version < "4.0"
+shellingham==1.5.4 ; python_version >= "3.10" and python_version < "4.0"
+soupsieve==2.8 ; python_version >= "3.10" and python_version < "4.0"
+typer[all]==0.9.4 ; python_version >= "3.10" and python_version < "4.0"