
pip-audit

A tool for scanning Python environments for known vulnerabilities

Why this rank: strong adoption, release freshness, healthy release cadence.

Description

`pip-audit` is a tool for scanning Python environments for packages with known vulnerabilities. It uses the [Python Packaging Advisory Database](https://github.com/pypa/advisory-database) via the [PyPI JSON API](https://warehouse.pypa.io/api-reference/json.html) as a source of vulnerability reports.

This project is maintained in part by [Trail of Bits](https://www.trailofbits.com/) with support from Google. This is not an official Google or Trail of Bits product.

## Features

* Support for auditing local environments and requirements-style files
* Support for multiple vulnerability services ([PyPI](https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities), [OSV](https://osv.dev/docs/))
* Support for emitting [SBOMs](https://en.wikipedia.org/wiki/Software_bill_of_materials) in [CycloneDX](https://cyclonedx.org/) XML or JSON
* Support for automatically fixing vulnerable dependencies (`--fix`)
* Human and machine-readable output formats (columnar, Markdown, JSON)
* Seamlessly reuses your existing local `pip` caches

## Installation

`pip-audit` requires Python 3.9 or newer, and can be installed directly via `pip`:

```bash
python -m pip install pip-audit
```

### Third-party packages

There are multiple **third-party** packages for `pip-audit`; the [Repology](https://repology.org/project/python:pip-audit/versions) and [conda-forge](https://anaconda.org/conda-forge/pip-audit) listings track some of them. In particular, `pip-audit` can be installed via `conda`:

```bash
conda install -c conda-forge pip-audit
```

Third-party packages are **not** directly supported by this project. Please consult your package manager's documentation for more detailed installation guidance.

### GitHub Actions

`pip-audit` has [an official GitHub Action](https://github.com/pypa/gh-action-pip-audit). You can install it from the [GitHub Marketplace](https://github.com/marketplace/actions/gh-action-pip-audit), or add it to your CI manually:

```yaml
jobs:
  pip-audit:
    steps:
      - uses: pypa/gh-action-pip-audit@v1.0.0
        with:
          inputs: requirements.txt
```

See the [action documentation](https://github.com/pypa/gh-action-pip-audit/blob/main/README.md) for more details and usage examples.

### `pre-commit` support

`pip-audit` has [`pre-commit`](https://pre-commit.com/) support. For example, using `pip-audit` via `pre-commit` to audit a requirements file:

```yaml
- repo: https://github.com/pypa/pip-audit
  rev: v2.10.0
  hooks:
    - id: pip-audit
      args: ["-r", "requirements.txt"]

ci:
  # Leave pip-audit to only run locally and not in CI
  # pre-commit.ci does not allow network calls
  skip: [pip-audit]
```

Any `pip-audit` arguments documented below can be passed.

## Usage

You can run `pip-audit` as a standalone program, or via `python -m`:

```bash
pip-audit --help
python -m pip_audit --help
```

```
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENT] [--locked] [-f FORMAT] [-s SERVICE] [--osv-url OSV_URL] [-d] [-S] [--desc [{on,off,auto}]] [--aliases [{on,off,auto}]] [--cache-dir CACHE_DIR] [--progress-spinner {on,off}] [--ti
```
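The JSON output format listed under Features is the natural input for a CI gate, and the usage above shows how to produce it. The script below is an added example, not code from pip-audit or its README: it reads a report generated with `pip-audit -r requirements.txt -f json -o audit.json` and applies an ignore list whose entries expire, so that a suppressed finding is revisited instead of being forgotten. The audit document is constructed inline in the shape of pip-audit's JSON report (a `dependencies` list whose entries carry `name`, `version` and a `vulns` list with `id`, `fix_versions`, `aliases` and `description`, and a `skip_reason` instead of `vulns` for dependencies pip-audit could not audit); the package names and PYSEC-/CVE-style identifiers are placeholders, not real advisories, and the ignore list, its expiry dates and the function names are assumptions of this example.

```python
"""Gate a CI job on pip-audit JSON output with an expiring ignore list.

Added example; not part of pip-audit. Generate the input with:
    pip-audit -r requirements.txt -f json -o audit.json
"""
import json
import sys
from datetime import date

# Constructed sample in the shape of pip-audit's --format=json report.
# Package names and PYSEC-/CVE-style IDs are placeholders, not real advisories.
SAMPLE_AUDIT = json.dumps({
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-0001", "fix_versions": ["1.0.1"],
             "aliases": ["CVE-0000-0001"],
             "description": "placeholder: fixed upstream"},
        ]},
        {"name": "legacylib", "version": "2.3.0", "vulns": [
            {"id": "PYSEC-0000-0002", "fix_versions": [], "aliases": [],
             "description": "placeholder: no fix released"},
        ]},
        {"name": "cleanpkg", "version": "4.2.0", "vulns": []},
        # Dependencies pip-audit could not audit carry a skip_reason and no
        # vulns list; the gate must tolerate them rather than crash.
        {"name": "localtool", "skip_reason": "placeholder: editable install"},
    ],
})
EMPTY_AUDIT = json.dumps({"dependencies": []})

# Hypothetical ignore list: advisory ID or alias -> (expiry ISO date, reason).
# Once the expiry passes the finding blocks again, so exceptions cannot rot.
IGNORE = {
    "PYSEC-0000-0002": ("2099-01-01", "no upstream fix; mitigated by config"),
}


def evaluate(audit_json, ignore=IGNORE, today=None):
    """Split a pip-audit JSON report into (blocking, suppressed) findings."""
    today = date.fromisoformat(today) if today else date.today()
    report = json.loads(audit_json)
    blocking, suppressed = [], []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):  # skipped deps have no "vulns"
            finding = {
                "package": dep["name"],
                "version": dep.get("version"),
                "id": vuln["id"],
                "aliases": vuln.get("aliases", []),
                "fix_versions": vuln.get("fix_versions", []),
            }
            # Match on the primary ID or any alias (e.g. the CVE of a PYSEC ID),
            # and only honour ignore entries that have not expired.
            active = [
                ignore[key] for key in [vuln["id"], *finding["aliases"]]
                if key in ignore and date.fromisoformat(ignore[key][0]) >= today
            ]
            if active:
                finding["reason"] = active[0][1]
                suppressed.append(finding)
            else:
                blocking.append(finding)
    return blocking, suppressed


def exit_code(audit_json, **kwargs):
    """Follow pip-audit's convention: 0 when nothing blocks, 1 otherwise."""
    blocking, _ = evaluate(audit_json, **kwargs)
    return 1 if blocking else 0


def summarize(audit_json, **kwargs):
    """Render one line per finding, blocking findings first."""
    blocking, suppressed = evaluate(audit_json, **kwargs)
    lines = []
    for f in blocking:
        fix = ", ".join(f["fix_versions"]) or "no fix available"
        lines.append(f"BLOCK   {f['package']} {f['version']} {f['id']} (fix: {fix})")
    for f in suppressed:
        lines.append(f"IGNORED {f['package']} {f['version']} {f['id']} ({f['reason']})")
    return lines


if __name__ == "__main__":
    # Read a real report from stdin; fall back to the embedded sample.
    data = SAMPLE_AUDIT if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(summarize(data)))
    sys.exit(exit_code(data))
```

Pipe a real report in with `pip-audit -r requirements.txt -f json | python gate.py`; run with no input to evaluate the embedded sample. pip-audit's own `--ignore-vuln ID` flag suppresses a finding unconditionally, which is exactly what the expiry date here is meant to add.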

Release History

Each entry lists the version, its changes, the urgency assigned by this site, and the release date.

### 2.10.0 (urgency: Low, 4/21/2026)

Imported from PyPI (2.10.0).

### v2.10.0 (urgency: Low, 12/1/2025)

Added:

* `pip-audit` now supports the `--osv-url URL` flag, which can be used to retrieve vulnerabilities from a custom OSV service. This is useful for organizations that host their own mirror of the OSV database, or that have custom OSV records ([#810](https://github.com/pypa/pip-audit/pull/810))
* `pip-audit` now supports the Ecosyste.ms vulnerability service with `--vulnerability-service=esms` ([#903](https://github.com/pypa/pip-audit/pull/903)).

Changed:

* The minimum v
### v2.9.0 (urgency: Low, 4/7/2025)

Added:

* `pip-audit` now supports [PEP 751](https://peps.python.org/pep-0751/) lockfiles. These lockfiles can be audited in "project" mode by passing `--locked` to `pip-audit` ([#888](https://github.com/pypa/pip-audit/pull/888))

### v2.8.0 (urgency: Low, 2/6/2025)

Added:

* `pip-audit` now allows some CLI flags to be configured via environment variables ([#755](https://github.com/pypa/pip-audit/pull/755))

Changed:

* The default cache locations on macOS and Linux now respect each platform's caching directory idioms (e.g. XDG) ([#814](https://github.com/pypa/pip-audit/pull/814))
* The minimum version of Python is now 3.9 ([#846](https://github.com/pypa/pip-audit/pull/846))

### v2.7.3 (urgency: Low, 4/30/2024)

Fixed:

* Improved handling of temporary files on Windows ([#757](https://github.com/pypa/pip-audit/pull/757))
* Fixed a subprocess deadlock on Windows ([#756](https://github.com/pypa/pip-audit/pull/756))

### v2.7.2 (urgency: Low, 2/29/2024)

Fixed:

* `pip-audit` now invokes `pip` with `--keyring-provider=subprocess`, partially fixing a regression that was introduced with another authentication fix in 2.6.2. This allows the interior `pip` to use `keyring` to perform third-party index authentication.

**Full Changelog**: https://github.com/pypa/pip-audit/compare/v2.7.1...v2.7.2

### v2.7.1 (urgency: Low, 2/12/2024)

Fixed:

* Improved the error returned to users when their default temporary directory lacks execute permissions ([#737](https://github.com/pypa/pip-audit/pull/737))

### v2.7.0 (urgency: Low, 1/11/2024)

Added:

* `pip-audit` now includes vulnerability aliases when `--format=json` is used, and also includes them in other output formats if specified by adding the flag `--aliases`

### v2.6.3 (urgency: Low, 1/8/2024)

Fixed:

* Removed a misleading warning message that resulted in user confusion ([#719](https://github.com/pypa/pip-audit/pull/719))

### v2.6.2 (urgency: Low, 12/19/2023)

Changed:

* `pip-audit`'s minimum Python version is now 3.8.

Fixed:

* Fixed a hang caused by auditing requirements when resolving against an index that requires authentication, causing `pip` to wait indefinitely for credentials ([#707](https://github.com/pypa/pip-audit/pull/707))

### v2.6.1 (urgency: Low, 7/24/2023)

Fixed:

* Fixed a crash on Windows caused by `pip-audit`'s use of temporary files ([#647](https://github.com/pypa/pip-audit/pull/647))

### v2.6.0 (urgency: Low, 7/2/2023)

Added:

* Added option to skip dependency resolution via `pip` with the `--disable-pip` flag. This option can only be used with hashed requirements files or when the `--no-deps` flag has been provided ([#610](https://github.com/pypa/pip-audit/pull/610))

### v2.5.6 (urgency: Low, 5/23/2023)

Fixed:

* Fixed a crash caused by incompatible dependency changes ([#617](https://github.com/pypa/pip-audit/pull/617))

### v2.5.5 (urgency: Low, 5/4/2023)

Fixed:

* Fixed a crash caused by incompatible dependency changes ([#605](https://github.com/pypa/pip-audit/pull/605))

### v2.5.4 (urgency: Low, 3/29/2023)

Changed:

* Refactored `index-url` option to not override user pip config by default, unless specified ([#565](https://github.com/pypa/pip-audit/pull/565))

Fixed:

* Fixed bug with the `--fix` flag where new requirements were sometimes being appended to requirement files instead of patching the existing requirement ([#577](https://github.com/pypa/pip-audit/pull/577))
* Fixed a crash caused by auditing requirements files that refer to other requirements files ([#568](h

### v2.5.3 (urgency: Low, 3/23/2023)

Changed:

* Further simplified `pip-audit`'s dependency resolution to remove inconsistent behaviour when using hashed requirements or the `--no-deps` flag ([#540](https://github.com/pypa/pip-audit/pull/540))

Fixed:

* Fixed a crash caused by invalid UTF-8 sequences in subprocess outputs ([#572](https://github.com/pypa/pip-audit/pull/572))

### v2.5.2 (urgency: Low, 3/20/2023)

Fixed:

* Fixed a loose dependency constraint for CycloneDX SBOM generation ([#558](https://github.com/pypa/pip-audit/pull/558))

### v2.5.1 (urgency: Low, 3/17/2023)

Fixed:

* Fixed a crash on Windows caused by multiple open file handles to input requirements ([#551](https://github.com/pypa/pip-audit/pull/551))

### v2.5.0 (urgency: Low, 3/16/2023)

Changed:

* Improved error messaging when a requirements input or indirect dependency has an invalid (non-PEP 440) requirements specifier ([#507](https://github.com/pypa/pip-audit/pull/507))
* `pip-audit`'s handling of dependency resolution has been significantly refactored and simplified ([#523](https://github.com/pypa/pip-audit/pull/523))

Fixed:

* Fixed a potential crash on invalid unicode in subprocess streams ([#536](https://github.com/pypa/pip-audit/pull/536))

### v2.4.15 (urgency: Low, 1/31/2023)

Fixed:

* Fixed an issue where hash checking would fail when using third-party indices ([#462](https://github.com/pypa/pip-audit/pull/462))
* Fixed the behavior of the `--skip-editable` flag, which had regressed with an internal API change ([#499](https://github.com/pypa/pip-audit/pull/499))
* Fixed a dependency resolution bug that can potentially be triggered when multiple packages have the same subdependency ([#488](https://github.com/pypa/pip-audit/pull/488))

### v2.4.14 (urgency: Low, 1/20/2023)

Fixed:

* Fixed a dependency resolution failure caused by incorrect handling of a PEP 440 edge case around prerelease versions ([#477](https://github.com/pypa/pip-audit/pull/477))

### v2.4.13 (urgency: Low, 1/10/2023)

Fixed:

* Added a lower bound on `packaging` to ensure that non-normalized versions are handled correctly ([#471](https://github.com/pypa/pip-audit/pull/471))

### v2.4.12 (urgency: Low, 12/29/2022)

Fixed:

* Fixed `pip-audit`'s virtual environment creation and upgrade behavior, preventing spurious vulnerability reports ([#454](https://github.com/pypa/pip-audit/pull/454))
* Users are now warned if a `pip-audit` invocation is ambiguous, e.g. if they've installed `pip-audit` globally but are asking for an audit of a loaded virtual environment ([#451](https://github.com/pypa/pip-audit/pull/451))

### v2.4.11 (urgency: Low, 12/28/2022)

Fixed:

* Fixed a crash triggered when a package specifies an invalid version specifier for its `requires-python` version ([#447](https://github.com/pypa/pip-audit/pull/447))

### v2.4.10 (urgency: Low, 12/15/2022)

Fixed:

* Fixed a crash triggered when no vulnerabilities are found with some configurations ([#437](https://github.com/pypa/pip-audit/pull/437))

### v2.4.9 (urgency: Low, 12/14/2022)

Fixed:

* The `--output` flag will no longer produce an empty file in the event of a failure within `pip-audit` itself, making it easier to distinguish between audit failures being reported by `pip-audit` and `pip-audit`'s own errors ([#432](https://github.com/pypa/pip-audit/pull/432))
* Removed pin on `packaging` now that our dependency pins it for us ([#429](https://github.com/pypa/pip-audit/pull/427))
v2.4.8## [2.4.8] ### Fixed * Pin maximum version of `packaging` dependency to avoid installing the new 22.0 version which is incompatible with `pip-requirements-parser` ([#427](https://github.com/pypa/pip-audit/pull/427))Low12/8/2022
v2.4.7### Fixed * Fixed a timestamp parsing bug that occurred with some vulnerability reports provided by the OSV service ([#416](https://github.com/pypa/pip-audit/issues/416))Low11/28/2022
v2.4.6### Fixed * Fixed an incorrect interaction between `--desc=auto` and `--format=json`; `--desc=auto` now includes the description in the generated JSON report, as intended ([#399](https://github.com/pypa/pip-audit/pull/399)) * Fixed a bug in dependency resolution with third-party indices where relative URLs were not resolved correctly ([#411](https://github.com/pypa/pip-audit/pull/411), [#412](https://github.com/pypa/pip-audit/pull/412))Low11/21/2022
v2.4.5### Fixed * Fixed an issue where audits done with the PyPI vulnerability service (the default) were not correctly filtered by "withdrawn" status; "withdrawn" vulnerabilities are now excluded ([#393](https://github.com/pypa/pip-audit/pull/393)) * Fixed an issue where audits done with the OSV vulnerability service (`-s osv`) were not correctly filtered by "withdrawn" status; "withdrawn" vulnerabilities are now excluded ([#386](https://github.com/pypa/pip-audit/pull/386)) * Low10/31/2022
v2.4.4### Changed * `pip-audit` is now a PyPA member project, and lives under [`pypa/pip-audit`](https://github.com/pypa/pip-audit)! * Improved error message for when unpinned URL requirements are found during an audit with the `--no-deps` flag ([#355](https://github.com/pypa/pip-audit/pull/355)) ### Fixed * Fixed an issue where packages on PyPI with no published versions trigger a dependency resolution failure instead of being skipped ([#357](https://github.com/pypa/pip-audLow9/1/2022
v2.4.3## Fixed * Fixed a regression in requirements auditing that was introduced during the move from pip-api to pip-requirements-parser where editable installs without an egg fragment would cause audits to crash (https://github.com/trailofbits/pip-audit/pull/331)Low7/25/2022
v2.4.2### Fixed * CLI: the --format=markdown and --format=columns output formats are no longer broken by long vulnerability descriptions from the OSV and PyPI vulnerability sources (https://github.com/trailofbits/pip-audit/pull/323)Low7/21/2022
v2.4.1## [2.4.1] ### Fixed * Fixed a breakage in hash-checking mode caused by a [change to the PyPI JSON API](https://discuss.python.org/t/backwards-incompatible-change-to-pypi-json-api/17154) ([#318](https://github.com/trailofbits/pip-audit/pull/318))Low7/7/2022
v2.4.0## [2.4.0] ### Added * Output formats: `pip-audit` now supports a Markdown format (`--format=markdown`) which renders results as a set of Markdown tables. ([#312](https://github.com/trailofbits/pip-audit/pull/312))Low6/30/2022
v2.3.4Release v2.3.4Low6/24/2022
v2.3.3### Changed * CLI: `pip-audit` now warns on the combination of `-s osv` and `--require-hashes`, notifying users that only the PyPI service can fully verify hashes ([#298](https://github.com/trailofbits/pip-audit/pull/298)) ### Fixed * CLI/Dependency sources: `--cache-dir=...` and other flags that affect dependency resolver behavior now work correctly when auditing a `pyproject.toml` dependency source ([#300](https://github.com/trailofbits/pip-audit/pull/300))Low6/15/2022
v2.3.2### Changed * CLI: `pip-audit`'s progress spinner has been refactored to make it faster and more responsive ([#283](https://github.com/trailofbits/pip-audit/pull/283)) * CLI, Vulnerability sources: the error message used to report connection failures to vulnerability sources was improved ([#287](https://github.com/trailofbits/pip-audit/pull/287)) * Vulnerability sources: the OSV service is now more resilient to schema changes ([#288](https://github.com/trailofbits/pip-audLow6/14/2022
v2.3.1## [2.3.1](https://github.com/trailofbits/pip-audit/compare/v2.3.0...v2.3.1) - 2022-05-24 ### Fixed * CLI: A bug causing the terminal's cursor to disappear on some versions of CPython was fixed (https://github.com/trailofbits/pip-audit/issues/280)Low5/24/2022
v2.3.0## [2.3.0](https://github.com/trailofbits/pip-audit/compare/v2.2.1...v2.3.0) - 2022-05-18 ### Added CLI: The --ignore-vuln option has been added, allowing users to specify vulnerability IDs to ignore during the final report (https://github.com/trailofbits/pip-audit/pull/275) CLI: The --no-deps flag has been added, allowing users to skip dependency resolution entirely when pip-audit is used in requirements mode (https://github.com/trailofbits/pip-audit/pull/255)Low5/18/2022
v2.2.1Release v2.2.1Low5/2/2022
v2.2.0## 2.2.0 - 2022-05-02 ### Added * CLI: The `--output` option has been added, allowing users to specify a file to write output to. The default behavior of writing to `stdout` is unchanged ([#262](https://github.com/trailofbits/pip-audit/pull/262)) ### Fixed * Vulnerability sources: A bug caused by insufficient version normalization was fixed ([#263](https://github.com/trailofbits/pip-audit/pull/263))Low5/2/2022
v2.1.1[2.1.1](https://github.com/trailofbits/pip-audit/compare/v2.1.0...v2.1.1)[](https://github.com/trailofbits/pip-audit/blob/main/CHANGELOG.md#fixed) - 2022-03-29 Fixed * Dependency sources: A bug caused by ambiguous parses of source distribution files was fixed ([#249](https://github.com/trailofbits/pip-audit/pull/249)) [2.1.1]: https://github.com/trailofbits/pip-audit/compare/v2.1.0...v2.1.1 Low3/29/2022
v2.1.0[2.1.0](https://github.com/trailofbits/pip-audit/compare/v2.0.0...v2.1.0)[](https://github.com/trailofbits/pip-audit/blob/main/CHANGELOG.md#added) - 2022-03-11 Added * CLI: The --skip-editable flag has been added, allowing users to skip local packages or parsed requirements (via -r) that are marked as editable (https://github.com/trailofbits/pip-audit/pull/244) * CLI: pip-audit can audit projects that list their dependencies in pyproject.toml files, via `pip-audit <dir>` (https://githubLow3/11/2022
v2.0.0[2.0.0](https://github.com/trailofbits/pip-audit/compare/v1.1.2...v2.0.0)[](https://github.com/trailofbits/pip-audit/blob/main/CHANGELOG.md#added) - 2022-02-18 Added * CLI: The --fix flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available ([#212](https://github.com/trailofbits/pip-audit/pull/212), [#222](https://github.com/trailofbits/pip-audit/pull/222)) * CLI: The combination of --fix and --dry-run is now suLow2/18/2022
v1.1.2Release v1.1.2Low1/13/2022
v1.1.1Release v1.1.1Low12/7/2021
v1.1.0Release v1.1.0Low12/6/2021
v1.0.1Release v1.0.1Low12/2/2021
v1.0.0Release v1.0.0Low12/1/2021
v0.0.9Release v0.0.9Low12/1/2021