chore: prep release v2.10.0 (#905)

Author: woodruffw

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
       - main
   pull_request:
   schedule:
-    - cron: '0 12 * * *'
+    - cron: "0 12 * * *"
 
 permissions: {}
 
@@ -15,18 +15,18 @@ jobs:
     strategy:
       matrix:
         python:
-          - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
           - "3.13"
+          - "3.14"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ matrix.python }}
           cache: "pip"
@@ -50,7 +50,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           # Always test with latest Python on Windows.
           python-version: "3.x"
@@ -79,7 +79,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: "3.x"
 

.github/workflows/docs.yml

@@ -15,7 +15,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           # NOTE: We use 3.10+ typing syntax via future, which pdoc only
           # understands if it's actually run with Python 3.10 or newer.

.github/workflows/lint.yml

@@ -16,9 +16,9 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
-          python-version: "3.9"
+          python-version: "3.10"
           cache: "pip"
           cache-dependency-path: pyproject.toml
 
@@ -32,12 +32,12 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         # NOTE(ww): Important: use pip-audit's minimum supported Python version
         # in this check, since Python can change the `--help` rendering in
         # `argparse` between major versions.
         with:
-          python-version: "3.9"
+          python-version: "3.10"
           cache: "pip"
           cache-dependency-path: pyproject.toml
 

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
       with:
         persist-credentials: false
 
-    - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version-file: pyproject.toml
 

.github/workflows/scorecards.yml

@@ -48,6 +48,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           sarif_file: results.sarif

.github/workflows/zizmor.yml

@@ -6,31 +6,19 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions: {}
+
 jobs:
   zizmor:
-    name: zizmor latest via PyPI
+    name: Run zizmor 🌈
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      # required for workflows in private repositories
-      contents: read
-      actions: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
 
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
-
       - name: Run zizmor 🌈
-        run: uvx zizmor --format sarif . > results.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
-        with:
-          sarif_file: results.sarif
-          category: zizmor
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0

.pre-commit-config.yaml

@@ -27,7 +27,7 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pypa/pip-audit
-    rev: v2.9.0
+    rev: v2.10.0
     hooks:
       - id: pip-audit
   - repo: https://github.com/rhysd/actionlint

CHANGELOG.md

@@ -8,6 +8,8 @@ All versions prior to 0.0.9 are untracked.
 
 ## [Unreleased]
 
+## [2.10.0]
+
 ### Added
 
 * `pip-audit` now supports the `--osv-url URL` flag, which can be used to
@@ -20,8 +22,17 @@ All versions prior to 0.0.9 are untracked.
   `--vulnerability-service=esms`
   ([#903](https://github.com/pypa/pip-audit/pull/903)).
 
+### Changed
+
+* The minimum version of Python is now 3.10
+  ([#905](https://github.com/pypa/pip-audit/pull/905))
+
 ### Fixed
 
+* Fixed a bug where `pip-audit` would fail to parse `pyproject.toml` files
+  containing TOML 1.0.0 features
+  ([#910](https://github.com/pypa/pip-audit/pull/910))
+
 * CycloneDX JSON/XML output now correctly links vulnerabilities to their
   affected components via the `affects` field
   ([#980](https://github.com/pypa/pip-audit/issues/980))
@@ -647,7 +658,8 @@ All versions prior to 0.0.9 are untracked.
   dependency errors ([#146](https://github.com/pypa/pip-audit/pull/146))
 
 <!-- Release URLs -->
-[Unreleased]: https://github.com/pypa/pip-audit/compare/v2.9.0...HEAD
+[Unreleased]: https://github.com/pypa/pip-audit/compare/v2.10.0...HEAD
+[2.10.0]: https://github.com/pypa/pip-audit/compare/v2.9.0...v2.10.0
 [2.9.0]: https://github.com/pypa/pip-audit/compare/v2.8.0...v2.9.0
 [2.8.0]: https://github.com/pypa/pip-audit/compare/v2.7.3...v2.8.0
 [2.7.3]: https://github.com/pypa/pip-audit/compare/v2.7.2...v2.7.3

README.md

@@ -108,7 +108,7 @@ For example, using `pip-audit` via `pre-commit` to audit a requirements file:
 
 ```yaml
   - repo: https://github.com/pypa/pip-audit
-    rev: v2.9.0
+    rev: v2.10.0
     hooks:
       -   id: pip-audit
           args: ["-r", "requirements.txt"]
@@ -148,7 +148,7 @@ positional arguments:
   project_path          audit a local Python project at the given path
                         (default: None)
 
-optional arguments:
+options:
   -h, --help            show this help message and exit
   -V, --version         show program's version number and exit
   -l, --local           show only results for dependencies in the local

pip_audit/__init__.py

@@ -2,4 +2,4 @@
 The `pip_audit` APIs.
 """
 
-__version__ = "2.9.0"
+__version__ = "2.10.0"