📝 Switch from uv-secure to uv audit'

Author: veit

docs/productive/security.rst

@@ -29,26 +29,37 @@ This check determines whether the project has open, unfixed vulnerabilities in
 its own code base or in its dependencies. An open vulnerability can be easily
 exploited and should be closed as soon as possible.
 
-For such a check, you can use for example `uv-secure
-<https://pypi.org/project/uv-secure/>`_. Alternatively, you can use `osv
-<https://pypi.org/project/osv/>`_ or `pip-audit
-<https://pypi.org/project/pip-audit/>`_, which uses the `Open Source
+For such a check, you can use for example `uv audit <uv-audit>`. Alternatively,
+you can use `osv <https://pypi.org/project/osv/>`_ or `pip-audit
+<https://pypi.org/project/pip-audit/>`_.They usually refer to the `Open Source
 Vulnerability Database <https://osv.dev>`_.
 
 If a vulnerability is found in a dependency, you should update to a
 non-vulnerable version; if no update is available, you should consider removing
 the dependency.
 
-If you believe that the vulnerability does not affect your project, an
-:file:`osv-scanner.toml` file can be created for ``osv``, including the ID to
-ignore and a reason, for example:
+If you believe that the security vulnerability does not affect your project, you
+can define exceptions for ``uv audit`` in the :file:`pyproject.toml` file, for
+example:
 
 .. code-block:: toml
+   :caption: pyproject.toml
 
-   [[IgnoredVulns]]
-   id = "GO-2022-1059"
-   # ignoreUntil = 2022-11-09 # Optional exception expiry date
-   reason = "No external http servers are written in Go lang."
+   [tool.uv.audit]
+   ignore = ["PYSEC-2022-43017", "GHSA-5239-wwwm-4pmq"]
+
+or better still:
+
+.. code-block:: toml
+   :caption: pyproject.toml
+
+   [tool.uv.audit]
+   ignore-until-fixed = ["PYSEC-2022-43017"]
+
+.. seealso::
+   * `ignore <https://docs.astral.sh/uv/reference/settings/#audit_ignore>`_
+   * `ignore-until-fixed
+     <https://docs.astral.sh/uv/reference/settings/#audit_ignore-until-fixed>`_
 
 Maintenance
 -----------