fix(ci): audit only package deps in isolated venv

Patel230 · Patel230 · commit f96c8f2d2d3c · 2026-06-02T11:36:32.000+05:30
diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,7 @@ MANIFEST
 
 # Virtual environments
 .venv/
+.venv-audit/
 venv/
 env/
 ENV/
diff --git a/Makefile b/Makefile
@@ -69,9 +69,14 @@ lint: ## Lint with ruff.
 lint-fix: ## Lint with ruff --fix.
 	$(PYTHON) -m ruff check --fix .
 
-security: ## Run pip-audit on resolved dependencies.
+security: ## Run pip-audit on this package's dependencies only (isolated venv).
 	@command -v pip-audit >/dev/null 2>&1 || (echo "install: pip install pip-audit" && exit 1)
-	pip-audit
+	@rm -rf .venv-audit
+	$(PYTHON) -m venv .venv-audit
+	.venv-audit/bin/pip install -q -U pip pip-audit setuptools wheel
+	.venv-audit/bin/pip install -q -e .
+	.venv-audit/bin/pip-audit --skip-editable
+	@rm -rf .venv-audit
 
 tidy: ## No-op for Python (lockfile management is via pyproject.toml).
 	@echo "tidy: nothing to do for Python repos."
