Hello packaging folks!
I’m pleased to announce that we’ve just released pip-audit v2.9.0.
This release brings only one change, but it’s one I’m excited about: lockfile support, via PEP 751!
TL;DR: You can use pip-audit with the new --locked flag. When you pass --locked, pip-audit will audit pylock.*.toml files in the directory being audited (instead of pyproject.toml, which remains the default). For example:
$ # audit lockfiles in the current directory
$ pip-audit --locked .
$ # audit lockfiles in some other directory
$ pip-audit --locked deps/
$ # default behavior: audit pyproject.toml in the given directory
$ pip-audit .
Many thanks to @brettcannon for his hard work on the PEP, as well as for including example lockfiles – they proved invaluable in testing our (bare bones) implementation.