bump safety and pre-commit versions to resolve CVEs

.github/workflows/ci.yaml

@@ -37,7 +37,7 @@ jobs:
           uv run mypy .
       - name: Check for vulnerable libraries with safety
         run: |
-          uv run safety check
+          uv run safety --key ${{ secrets.SAFETY_API_KEY }} scan
       - name: Test with pytest
         run: uv run pytest --cov=./ --cov-report=xml tests
       - name: Upload coverage

.safety-policy.yml

@@ -1,98 +1,52 @@
-# Safety Security and License Configuration file
-# We recommend checking this file into your source control in the root of your Python project
-# If this file is named .safety-policy.yml and is in the same directory where you run `safety check` it will be used by default.
-# Otherwise, you can use the flag `safety check --policy-file <path-to-this-file>` to specify a custom location and name for the file.
-# To validate and review your policy file, run the validate command: `safety validate policy_file --path <path-to-this-file>`
-security: # configuration for the `safety check` command
-  ignore-cvss-severity-below: 4 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity.
-  ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False.
-  ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
-    # We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore.
-    59399: # Vulnerability ID
-      reason: the scipy developers identified its CVE classification as unwarranted # optional, for internal note purposes to communicate with your team. This reason will be reported in the Safety reports
-      # this exception can be removed when Python 3.8 is not supported
-      # expires: '2022-10-21' # datetime string - date this ignore will expire, best practice to use this variable
-    65212: # Vulnerability ID
-      reason: this is for a crypto error that is not relevant to us functionally, and only happens on PowerPCs.
-
-    67599:
-      reason: this only affects the --extra-index-url option in pip which we don't currently use. It is also intended behavior and is up to the user to operate --extra-index-url safely.
-    70612:
-      reason: we're only using jinja on the client side to template notebooks
-    71064:
-      reason: the CVE-2024-35195 vulnerability affects the use of "verify=False" in requests, but our project does not use this parameter in any API calls, so this risk can be ignored. If this version fixes our bug, we will find another solution.
-    73725:
-      reason: We aren't using starlette directly. It is pulled in as a transitive dependency from the Modal SDK
-    75976:
-      reason: the vulnerability only affects dynamic jinja2 templates, which we don't use
-    80876:
-      reason: not an issue for us
-
-  continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. We recommend you set this to False.
-alert: # configuration for the `safety alert` command
-  security:
-    # Configuration specific to Safety's GitHub Issue alerting
-    github-issue:
-      # Same as for security - these allow controlling if this alert will fire based
-      # on severity information.
-      # default: not set
-      # ignore-cvss-severity-below: 6
-      # ignore-cvss-unknown-severity: False
-
-      # Add a label to pull requests with the cvss severity, if available
-      # default: true
-      # label-severity: True
-
-      # Add a label to pull requests, default is 'security'
-      # requires private repo permissions, even on public repos
-      # default: security
-      # labels:
-      #  - security
-
-      # Assign users to pull requests, default is not set
-      # requires private repo permissions, even on public repos
-      # default: empty
-      # assignees:
-      #  - example-user
-
-      # Prefix to give issues when creating them. Note that changing
-      # this might cause duplicate issues to be created.
-      # default: "[PyUp] "
-      # issue-prefix: "[PyUp] "
-
-    # Configuration specific to Safety's GitHub PR alerting
-    github-pr:
-      # Same as for security - these allow controlling if this alert will fire based
-      # on severity information.
-      # default: not set
-      # ignore-cvss-severity-below: 6
-      # ignore-cvss-unknown-severity: False
-
-      # Set the default branch (ie, main, master)
-      # default: empty, the default branch on GitHub
-      branch: ""
-
-      # Add a label to pull requests with the cvss severity, if available
-      # default: true
-      # label-severity: True
-
-      # Add a label to pull requests, default is 'security'
-      # requires private repo permissions, even on public repos
-      # default: security
-      # labels:
-      #  - security
-
-      # Assign users to pull requests, default is not set
-      # requires private repo permissions, even on public repos
-      # default: empty
-      # assignees:
-      #  - example-user
-
-      # Configure the branch prefix for PRs created by this alert.
-      # NB: Changing this will likely cause duplicate PRs.
-      # default: pyup/
-      branch-prefix: pyup/
-
-      # Set a global prefix for PRs
-      # default: "[PyUp] "
-      pr-prefix: "[PyUp] "
+version: '3.0'
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      python:
+        environment-results: true
+        unpinned-requirements: true
+      vulnerabilities:
+        59399:
+          reason: the scipy developers identified its CVE classification as unwarranted
+          expires: "2030-01-01"
+        65212:
+          reason: this is for a crypto error that is not relevant to us functionally, and only happens on PowerPCs.
+          expires: "2030-01-01"
+        67599:
+          reason: this only affects the --extra-index-url option in pip which we don't currently use. It is also intended behavior and is up to the user to operate --extra-index-url safely.
+          expires: "2030-01-01"
+        70612:
+          reason: we're only using jinja on the client side to template notebooks
+          expires: "2030-01-01"
+        71064:
+          reason: the CVE-2024-35195 vulnerability affects the use of "verify=False" in requests, but our project does not use this parameter in any API calls, so this risk can be ignored. If this version fixes our bug, we will find another solution.
+          expires: "2030-01-01"
+        73725:
+          reason: We aren't using starlette directly. It is pulled in as a transitive dependency from the Modal SDK
+          expires: "2030-01-01"
+        75976:
+          reason: the vulnerability only affects dynamic jinja2 templates, which we don't use
+          expires: "2030-01-01"
+        80876:
+          reason: not an issue for us
+          expires: "2030-01-01"
+        84961:
+          reason: This was caused by setuptools vendoring an old version of wheel. We have upgraded safety and removed the setuptools pin.
+          expires: "2030-01-01"
+        76170:
+          reason: Cryptography/OpenSSL static link issue, controlled environment
+          expires: "2030-01-01"
+        86217:
+          reason: Cryptography prime-order subgroup validation, low risk for our use case
+          expires: "2030-01-01"
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - critical
+        - high
+        - medium

pyproject.toml

@@ -60,7 +60,7 @@ mcp = ["mcp>=1.0.0", "uv>=0.8.0"]
 
 [dependency-groups]
 develop = [
-    "pre-commit>=3.1.1,<4.0.0",
+    "pre-commit>=4.0.0",
     "ruff>=0.6.9,<1.0.0",
     "mkdocs>=1.4.3,<2.0.0",
     "mkdocs-callouts>=1.9.0,<2.0.0",
@@ -77,7 +77,7 @@ develop = [
     "pandas==2.0.3; python_version<'3.9'",
     "pandas>=2.0.0,<3.0.0; python_version>='3.9'",
     "types-requests>=2.20.0,<3.0.0",
-    "safety>=2.3.1,<3.0.0",
+    "safety>=3.0.0",
     "types-pyyaml>=6.0.12.8,<7.0.0",
     "coverage[toml]>=7.2.3,<8.0.0",
     "faker>=26.1.0,<27.0.0",