[Tidy] Remove snyk, gitleaks and package-lock.json (#635)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
mckinsey · Aug 23, 2024 · 369af7c · 369af7c
1 parent db8b41f
commit 369af7c
Show file tree

Hide file tree

Showing 12 changed files with 98 additions and 5,076 deletions.
diff --git a/.github/workflows/checks-vizro-ai.yml b/.github/workflows/checks-vizro-ai.yml
@@ -41,9 +41,6 @@ jobs:
       - name: List dependencies
         run: hatch run all.py${{ env.PYTHON_VERSION }}:pip freeze
 
-      - name: Check requirements for Snyk are up to date
-        run: hatch run all.py${{ env.PYTHON_VERSION }}:update-snyk-requirements --check
-
       - name: Find changed files to see if changelog fragment needed
         id: changed-files
         if: ${{ github.event_name == 'pull_request' }}

diff --git a/.github/workflows/checks-vizro-core.yml b/.github/workflows/checks-vizro-core.yml
@@ -44,9 +44,6 @@ jobs:
       - name: Check schema is up to date
         run: hatch run all.py${{ env.PYTHON_VERSION }}:schema --check
 
-      - name: Check requirements for Snyk are up to date
-        run: hatch run all.py${{ env.PYTHON_VERSION }}:update-snyk-requirements --check
-
       - name: Find changed files to see if changelog fragment needed
         id: changed-files
         if: ${{ github.event_name == 'pull_request' }}

diff --git a/.vale/styles/Microsoft/ignore.txt b/.vale/styles/Microsoft/ignore.txt
@@ -64,7 +64,6 @@ css
 dataframes
 Javascript
 tooltip
-Snyk
 Codespaces
 dev
 mypy

diff --git a/tools/generate_snyk_requirements.py b/tools/generate_snyk_requirements.py
diff --git a/vizro-ai/changelog.d/20240819_173852_antony.milne_remove_snyk_etc.md b/vizro-ai/changelog.d/20240819_173852_antony.milne_remove_snyk_etc.md
@@ -0,0 +1,48 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+-->
+
+<!--
+### Highlights ✨
+
+- A bullet item for the Highlights ✨ category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Removed
+
+- A bullet item for the Removed category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Added
+
+- A bullet item for the Added category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Changed
+
+- A bullet item for the Changed category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
diff --git a/vizro-ai/hatch.toml b/vizro-ai/hatch.toml
@@ -48,7 +48,6 @@ test-unit-coverage = [
   "- coverage combine",
   "coverage report"
 ]
-update-snyk-requirements = "python ../tools/generate_snyk_requirements.py {args}"
 
 [envs.docs]
 dependencies = [

diff --git a/vizro-ai/pyproject.toml b/vizro-ai/pyproject.toml
@@ -21,10 +21,7 @@ dependencies = [
   "langchain-openai",
   "langgraph>=0.1.2",
   "python-dotenv>=1.0.0",  # TODO decide env var management to see if we need this
-  "vizro>=0.1.20",
-  "ipython>=8.10.0",  # not directly required, pinned by Snyk to avoid a vulnerability: https://app.snyk.io/vuln/SNYK-PYTHON-IPYTHON-3318382
-  "aiohttp>=3.9.2",  # not directly required, pinned by Snyk to avoid a vulnerability: https://security.snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209407
-  "langchain-core>=0.1.31"  # not directly required, pinned by Snyk to avoid a vulnerability: https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAINCORE-6370598
+  "vizro>=0.1.20"
 ]
 description = "Vizro-AI is a tool for generating data visualizations"
 dynamic = ["version"]

diff --git a/vizro-core/changelog.d/20240819_173836_antony.milne_remove_snyk_etc.md b/vizro-core/changelog.d/20240819_173836_antony.milne_remove_snyk_etc.md
@@ -0,0 +1,48 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+-->
+
+<!--
+### Highlights ✨
+
+- A bullet item for the Highlights ✨ category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Removed
+
+- A bullet item for the Removed category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Added
+
+- A bullet item for the Added category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Changed
+
+- A bullet item for the Changed category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category with a link to the relevant PR at the end of your entry, e.g. Enable feature XXX ([#1](https://github.com/mckinsey/vizro/pull/1))
+
+-->
diff --git a/vizro-core/docs/pages/explanation/contributing.md b/vizro-core/docs/pages/explanation/contributing.md
@@ -130,21 +130,6 @@ We use [gitleaks](https://github.com/gitleaks/gitleaks) for secret scanning. We
 
 When executing the secret scan, there are two modes: `protect` can discover secrets in staged files, `detect` does so in the commit history.
 
-## Snyk and `requirements.txt`
-
-[Snyk](https://snyk.io/) is used to scan for vulnerabilities in dependencies. This
-is done by scanning the `requirements.txt` file. As Hatch manages the dependencies by
-`pyproject.toml`, we need to convert the dependencies to `requirements.txt` before Snyk
-can scan them. This is done by running `hatch run update-snyk-requirements`. The outputs are
-written to `snyk/requirements.txt`, which can be used by Snyk to scan for vulnerabilities.
-
-We also validate whether the dependencies in `requirements.txt` are up-to-date. This
-is done in CI.
-
-Note that `requirements.txt` is not used by Hatch, and so it should not be edited
-manually for dependency management. Instead, edit `pyproject.toml` or `hatch.toml` when
-adding or removing dependencies.
-
 ## Changelog
 
 Vizro keeps a changelog, where all notable changes to the project will be documented. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

diff --git a/vizro-core/hatch.toml b/vizro-core/hatch.toml
@@ -57,7 +57,6 @@ test-unit-coverage = [
   "- coverage combine",
   "coverage report"
 ]
-update-snyk-requirements = "python ../tools/generate_snyk_requirements.py {args}"
 
 [envs.docs]
 dependencies = [
-Original file line number
+Diff line change
@@ Expand Up / @@ -64,7 +64,6 @@ css @@
     dataframes
     Javascript
     tooltip
-    Snyk
     Codespaces
     dev
     mypy
@@ Expand Down @@