Remove running pip-audit from CI.

Julian · Julian · commit cebe4c7a3719 · 2025-10-24T16:18:34.000-04:00
pip has had a recent CVE, and as a library (and not
an app) it is difficult to run pip-audit in a way that
has value but is segregated from pip-audit's own deps
such that we don't encounter this kind of false positive.

Downstream applications should themselves run pip-audit
as it is more suited for being run by applications rather
than libraries.
diff --git a/noxfile.py b/noxfile.py
@@ -97,23 +97,6 @@ def tests(session, installable):
         session.run("virtue", *session.posargs, PACKAGE, env=env)
 
 
-@session()
-@nox.parametrize("installable", INSTALLABLE)
-def audit(session, installable):
-    """
-    Audit dependencies for vulnerabilities.
-    """
-    session.install("pip-audit", installable)
-    session.run(
-        "python",
-        "-m",
-        "pip_audit",
-        "--ignore-vuln",
-        "GHSA-4xh5-x5gv-qwph",  # pip vuln, not relevant, but we need to figure
-                                # out how to properly run pip-audit
-    )
-
-
 @session()
 def license_check(session):
     """
