Skip to content

build: move to PEP 621 project #5379

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

build: move to PEP 621 project #5379

wants to merge 14 commits into from
+324 −456

Conversation

Molkree
Copy link
Contributor

@Molkree Molkree commented Oct 5, 2025
edited
Loading

fixes #1595

TODO list for this PR

  • [ ] Move doc dependencies to dependency-group: let's make it simple and keep out of the scope of this PR. Simply moving dependencies to the main project.toml might be a bad idea because they conflict with Python version specified in it. Namely our doc dependency Sphinx==8.2.3 requires Python>=3.11 but cve-bin-tool itself only requires >=3.9. This results in unresolvable dependencies. In practice docs are completely separate project, we can add pyproject.toml for docs only later on. 
    [dependency-groups]
doc = ["doc-dep1", "doc-dep2"]
  • update test/test_requirements.py, it expects requirements.txt to be present
  • [ ] update how we generate requirements.csv as far as I understand, these are handcrafted, please correct me if I'm wrong

@Molkree Molkree force-pushed the build/pyproject-toml-config branch 3 times, most recently from 38049df to fbc4a02 Compare October 5, 2025 15:03
@Molkree Molkree force-pushed the build/pyproject-toml-config branch from fbc4a02 to da38201 Compare October 5, 2025 15:05
@terriko
Copy link
Contributor

terriko commented Oct 13, 2025

Thanks for working on this! I don't have any brain power to give it this week (this is probably the only day i'm going to do any PR review) but hopefully one of the other maintainers can step in. I've at least set the checks to run for now.

@Molkree
Copy link
Contributor Author

Molkree commented Oct 14, 2025

I have replaced toml dependency with tomli
toml is abandonded, it hasn't seen any releases since 2020
tomli is a community recognized replacement.
Note that this is only required for Python<3.11 (3.9 and 3.10 at the time of writing, and 3.9 will be hopefully dropped next month as well).
Change is required to update one test to read project dependencies from pyproject.toml. toml is so old it can't read our (valid) pyproject.toml.

We also used toml to read cve-bin-tool config, so updating our dependency to something working will benefit there as well.

I understand that this will probably slow down approval of this PR but it's a net positive (for ~1 year until 3.10 goes out of support).
tomli is already used by numerous dev tools in our dependency tree but I don't think it will help with acceptance much because it was always optional and not included in SBOM.

@Molkree
Copy link
Contributor Author

Molkree commented Oct 14, 2025

Hm, I'm really not sure why Linux Tests (3.9) failed while building wheel 🤔
I can build it just fine locally with Python 3.9 and it succeeded in my repository.

@terriko, can you rerun the tests? I think I'm finished with this PR

@Molkree Molkree marked this pull request as ready for review October 14, 2025 14:21
@Copilot Copilot AI review requested due to automatic review settings October 14, 2025 14:21
Copilot
Copilot AI reviewed Oct 14, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Move the project metadata and configuration to PEP 621 in pyproject.toml, remove legacy setup tooling, and update tests, docs, and CI to align with the new structure.

  • Adopt PEP 621: add project metadata, dependencies, scripts, and tool configs to pyproject.toml.
  • Remove legacy files (setup.py, dev-requirements.txt, bandit.conf, .coveragerc, .mypy.ini) and update CI/docs accordingly.
  • Update tests to read dependencies from pyproject.toml and modernize context manager syntax.

Reviewed Changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
pyproject.toml New single source of truth for project metadata, dependencies, and tool configs.
test/test_requirements.py Read dependencies from pyproject.toml; refactor helpers; add guards and typing.
test/test_package_list_parser.py Grouped context managers using parentheses for readability.
test/test_output_engine.py Grouped patches with parentheses for readability.
test/test_extractor.py Grouped patches with parentheses for readability.
CONTRIBUTING.md Update install instructions and Bandit usage to reflect pyproject.toml.
.pre-commit-config.yaml Point Bandit to pyproject.toml and ensure bandit[toml] is available.
.github/workflows/* Replace requirements.txt references with pyproject.toml and install extras via .[dev].
doc/how_to_guides/* Update cache keys from requirements.txt to pyproject.toml.
setup.py, dev-requirements.txt, bandit.conf, .coveragerc, .mypy.ini Removed legacy files no longer needed with PEP 621.
MANIFEST.in Drop requirements.txt from sdist since dependencies are now in pyproject.toml.
cve_bin_tool/config.py Switch to tomllib/tomli consistently and simplify TOML loading.
Comments suppressed due to low confidence (1)

test/test_requirements.py:118

  • String identity comparison is used here; use equality instead. Replace is with == to ensure correct behavior when file is a distinct but equal string.
            if file is HTML_DEP_CSV:

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@Molkree
fix: remove all mentions of (dev-)requirements.txt
85be93a
@Molkree
refactor: format all code with Black
4a92dda 
Black config was not changed but we have different result compared to main branch
this is because Black determines supported Python versions from pyproject.toml
in absence of the `requires-python` section it is determined on the per file basis
now that we have full-fledged pyproject.toml Black follows our config more strictly
@Molkree
ci: remove syncing of pre-commit and dev-dependencies
28eecc2 
now that dev-dependencies were moved to pyproject.toml our old script would no longer work
dropping this means that there might be some short period of time when pre-commit config will be ahead of pyproject.toml but this shouldn't be a big deal
we could rewrite it to update new location but because we now have Dependabot enabled pyproject.toml should stay updated through Dependabot
@Molkree
refactor: add type hints in test_requirements.py
b9b5165
@Molkree
refactor: refactor package reading in test_requirements.py
7420e6f
@Molkree
build(deps): replace toml with tomli
0b5266b 
toml library is abandoned, last release was in 2020
tomli library is the community recognized replacement

change required because toml can't parse our pyproject.toml
@Molkree
test: read dependencies from pyproject.toml in test_requirements.py
7f22d99
@Molkree
docs: update language in test_requirements.py
6e88a7b
@Molkree Molkree force-pushed the build/pyproject-toml-config branch from 02ef0eb to 6e88a7b Compare October 14, 2025 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Moving from setup.py to pyproject.toml

2 participants

@Molkree @terriko