From 335e632bbc60852fb86ef82934d40d21531abeae Mon Sep 17 00:00:00 2001 From: hippocritical Date: Mon, 22 Dec 2025 12:45:31 +0100 Subject: [PATCH 01/12] adjusted the error message of "more than 5 queries needed for exchange" to be more verbose to the user. Now they don't have to guess what the limit actually is to then work towards, helping to better understand the error message. --- freqtrade/exchange/exchange.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/freqtrade/exchange/exchange.py b/freqtrade/exchange/exchange.py index 9d6807fa2..142d94440 100644 --- a/freqtrade/exchange/exchange.py +++ b/freqtrade/exchange/exchange.py @@ -880,7 +880,8 @@ class Exchange: raise ConfigurationError( f"This strategy requires {startup_candles} candles to start, " "which is more than 5x " - f"the amount of candles {self.name} provides for {timeframe}." + f"the amount of candles {self.name} provides for {timeframe}" + f"at a startup_candle_count limit of {candle_limit * 5 - 1}." ) elif required_candle_call_count > 1: raise ConfigurationError( From 0019867da80e7422e9eddb0586b9dd39788a4db9 Mon Sep 17 00:00:00 2001 From: hippocritical Date: Mon, 22 Dec 2025 12:53:01 +0100 Subject: [PATCH 02/12] didn't make a space in the end ... you can book that under typo ... added a . at the end of another warning since all other messages do have the same structure. --- freqtrade/exchange/exchange.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freqtrade/exchange/exchange.py b/freqtrade/exchange/exchange.py index 142d94440..266555806 100644 --- a/freqtrade/exchange/exchange.py +++ b/freqtrade/exchange/exchange.py 
@@ -880,7 +880,7 @@ class Exchange: raise ConfigurationError( f"This strategy requires {startup_candles} candles to start, " "which is more than 5x " - f"the amount of candles {self.name} provides for {timeframe}" + f"the amount of candles {self.name} provides for {timeframe} " f"at a startup_candle_count limit of {candle_limit * 5 - 1}." ) elif required_candle_call_count > 1: @@ -892,7 +892,7 @@ class Exchange: logger.warning( f"Using {required_candle_call_count} calls to get OHLCV. " f"This can result in slower operations for the bot. Please check " - f"if you really need {startup_candles} candles for your strategy" + f"if you really need {startup_candles} candles for your strategy." ) return required_candle_call_count From f546146d40e8de39342e647b329aad636b514375 Mon Sep 17 00:00:00 2001 From: hippocritical Date: Tue, 23 Dec 2025 00:44:45 +0100 Subject: [PATCH 03/12] changed the wording in if required_candle_call_count > 5: as per matthias suggestion. adjusted the elif part too, since this would have to be worded similarly. If a native speaker thinks there is a better wording, be our guest. --- freqtrade/exchange/exchange.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/freqtrade/exchange/exchange.py b/freqtrade/exchange/exchange.py index 266555806..3085e9ac9 100644 --- a/freqtrade/exchange/exchange.py +++ b/freqtrade/exchange/exchange.py 
@@ -879,13 +879,13 @@ class Exchange: # Only allow 5 calls per pair to somewhat limit the impact raise ConfigurationError( f"This strategy requires {startup_candles} candles to start, " - "which is more than 5x " - f"the amount of candles {self.name} provides for {timeframe} " - f"at a startup_candle_count limit of {candle_limit * 5 - 1}." + f"which is more than 5x ({candle_limit * 5 - 1} candles) " + f"the amount of candles {self.name} provides for {timeframe}." ) elif required_candle_call_count > 1: raise ConfigurationError( - f"This strategy requires {startup_candles} candles to start, which is more than " + f"This strategy requires {startup_candles} candles to start, " + f"which is more than ({candle_limit - 1} candles) " f"the amount of candles {self.name} provides for {timeframe}." ) if required_candle_call_count > 1: From ca47882fa91a35bfabf92c54beddf522e6f95907 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Dec 2025 05:42:22 +0000 Subject: [PATCH 04/12] chore(deps): bump scikit-learn from 1.7.2 to 1.8.0 Bumps [scikit-learn](https://github.com/scikit-learn/scikit-learn) from 1.7.2 to 1.8.0. - [Release notes](https://github.com/scikit-learn/scikit-learn/releases) - [Commits](https://github.com/scikit-learn/scikit-learn/compare/1.7.2...1.8.0) --- updated-dependencies: - dependency-name: scikit-learn dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- requirements-freqai.txt | 2 +- requirements-hyperopt.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-freqai.txt b/requirements-freqai.txt index b274f3914..0a3c1d3a7 100644 --- a/requirements-freqai.txt +++ b/requirements-freqai.txt @@ -3,7 +3,7 @@ -r requirements-plot.txt # Required for freqai -scikit-learn==1.7.2 +scikit-learn==1.8.0 joblib==1.5.2 lightgbm==4.6.0 xgboost==3.1.2 
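Review bot: The `- 1` in `{candle_limit * 5 - 1}` and `{candle_limit - 1}` is not explained in the hunk, and printed right after the words "5x" it reads as an arithmetic slip rather than a deliberate allowance. If the subtraction mirrors an extra candle added to the startup count earlier in the method (the computation of `required_candle_call_count` is outside the hunk, so this is an inference), a one-line comment above the first `raise`, worded to match that computation, e.g. `# -1: the extra candle added to startup_candles above is not available to the strategy`, would let a reader check the number in the message. The literal `5` now appears in the context comment `# Only allow 5 calls per pair`, in the message, and presumably in the `> 5` comparison just above; a single named constant would keep the check and the two messages from drifting apart. The enclosing method begins and ends outside the hunk.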
diff --git a/requirements-hyperopt.txt b/requirements-hyperopt.txt index b655f2ac9..4de1a4e34 100644 --- a/requirements-hyperopt.txt +++ b/requirements-hyperopt.txt @@ -3,7 +3,7 @@ # Required for hyperopt scipy==1.16.3 -scikit-learn==1.7.2 +scikit-learn==1.8.0 filelock==3.20.1 optuna==4.6.0 cmaes==0.12.0 From 931cd2e7badda6005ede089dff05234007a74fd7 Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 23 Dec 2025 07:01:50 +0100 Subject: [PATCH 05/12] chore: bump Dockerfile to latest python release --- Dockerfile | 2 +- docker/Dockerfile.armhf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6ad49624c..5a1d54493 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.13.8-slim-bookworm AS base +FROM python:3.13.11-slim-bookworm AS base # Setup env ENV LANG=C.UTF-8 diff --git a/docker/Dockerfile.armhf b/docker/Dockerfile.armhf index dd0c9d670..d654400eb 100644 --- a/docker/Dockerfile.armhf +++ b/docker/Dockerfile.armhf @@ -1,4 +1,4 @@ -FROM python:3.11.13-slim-bookworm AS base +FROM python:3.11.14-slim-bookworm AS base # Setup env ENV LANG=C.UTF-8 From 7b33242aa0d88ddcf068f9d09db0bb3d45d1fc9c Mon Sep 17 00:00:00 2001 From: hippocritical Date: Tue, 23 Dec 2025 10:57:47 +0100 Subject: [PATCH 06/12] fixed tests according to failed tests on github --- tests/exchange/test_exchange.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/exchange/test_exchange.py b/tests/exchange/test_exchange.py index 5772a1c4a..94428cbbf 100644 --- a/tests/exchange/test_exchange.py +++ b/tests/exchange/test_exchange.py @@ -1012,7 +1012,7 @@ def test_validate_required_startup_candles(default_conf, mocker, caplog): ex._ft_has["ohlcv_has_history"] = False with pytest.raises( OperationalException, - match=r"This strategy requires 2500.*, " r"which is more than the amount.*", + match=r"This strategy requires 2500.*, " r"which is more than .* the amount", ): ex.validate_required_startup_candles(2500, "5m") 
From 4b3ff02d4906ec3424e08843c91ba01a49035e58 Mon Sep 17 00:00:00 2001 From: Matthias Date: Wed, 24 Dec 2025 11:06:49 +0100 Subject: [PATCH 07/12] chore: Add pip-audit action --- .github/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bf4384a1c..510efe64f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,6 +60,8 @@ jobs: uv pip install -e ft_client/ uv pip install -e . + - uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0 + - name: Check for version alignment run: | python build_helpers/freqtrade_client_version_align.py @@ -87,12 +89,12 @@ jobs: rm -rf codecov codecov.SHA256SUM codecov.SHA256SUM.sig - name: Run json schema extract - # This should be kept before the repository check to ensure that the schema is up-to-date + # This must be kept before the repository check to ensure that the schema is up-to-date run: | python build_helpers/extract_config_json_schema.py - name: Run command docs partials extract - # This should be kept before the repository check to ensure that the docs are up-to-date + # This must be kept before the repository check to ensure that the docs are up-to-date if: ${{ (matrix.python-version == '3.13') }} run: | python build_helpers/create_command_partials.py From f55a90d98cbcb6d9b9a4304339848118bac950d9 Mon Sep 17 00:00:00 2001 From: Matthias Date: Wed, 24 Dec 2025 11:35:25 +0100 Subject: [PATCH 08/12] chore: add pip-audit as dependency and test --- .github/workflows/ci.yml | 1 - requirements-dev.txt | 1 + tests/test_pip_audit.py | 85 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 tests/test_pip_audit.py diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 510efe64f..f596da117 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -60,7 +60,6 @@ jobs: uv pip install -e ft_client/ uv pip install -e . - - uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0 - name: Check for version alignment run: | diff --git a/requirements-dev.txt b/requirements-dev.txt index 38a49f661..a59805e46 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -30,3 +30,4 @@ types-filelock==3.2.7 types-requests==2.32.4.20250913 types-tabulate==0.9.0.20241207 types-python-dateutil==2.9.0.20251115 +pip-audit==2.10.0 diff --git a/tests/test_pip_audit.py b/tests/test_pip_audit.py new file mode 100644 index 000000000..fca696193 --- /dev/null +++ b/tests/test_pip_audit.py 
@@ -0,0 +1,85 @@
+import subprocess
+import sys
+from pathlib import Path
+
+import pytest
+
+
+def test_pip_audit_no_vulnerabilities():
+ """
+ Run pip-audit to check for known security vulnerabilities.
+
+ This test will fail if any vulnerabilities are detected in the installed packages.
+
+ Note: CVE-2025-53000 (nbconvert Windows vulnerability) is ignored as it only affects
+ Windows platforms and is a known acceptable risk for this project.
+ """
+ # Get the project root directory
+ project_root = Path(__file__).parent.parent
+ command = [
+ sys.executable,
+ "-m",
+ "pip_audit",
+ # "--format=json",
+ "--progress-spinner=off",
+ "--ignore-vuln",
+ "CVE-2025-53000",
+ "--skip-editable",
+ ]
+
+ # Run pip-audit with JSON output for easier parsing
+ try:
+ result = subprocess.run(
+ command,
+ cwd=project_root,
+ capture_output=True,
+ text=True,
+ timeout=120, # 2 minute timeout
+ )
+ except subprocess.TimeoutExpired:
+ pytest.fail("pip-audit command timed out after 120 seconds")
+ except FileNotFoundError:
+ pytest.fail("pip-audit not installed or not accessible")
+
+ # Check if pip-audit found any vulnerabilities
+ if result.returncode != 0:
+ # pip-audit returns non-zero when vulnerabilities are found
+ error_output = result.stdout + "\n" + result.stderr
+
+ # Check if it's an actual vulnerability vs an error
+ if "vulnerabilities found" in error_output.lower() or '"dependencies"' in result.stdout:
+ pytest.fail(
+ f"pip-audit detected security vulnerabilities!\n\n"
+ f"Output:\n{result.stdout}\n\n"
+ f"Please review and update vulnerable packages.\n"
+ f"Run manually with: {' '.join(command)}"
+ )
+ else:
+ # Some other error occurred
+ pytest.fail(
+ f"pip-audit failed to run properly:\n\nReturn code: {result.returncode}\nOutput: {error_output}\n"
+ )
+
+ # Success - no vulnerabilities found
+ assert result.returncode == 0, "pip-audit should return 0 when no vulnerabilities are found"
+
+
+def test_pip_audit_runs_successfully():
+ """
+ Verify that 
pip-audit can run successfully (even if vulnerabilities are found). + + This is a smoke test to ensure pip-audit is properly installed and functional. + """ + try: + result = subprocess.run( + [sys.executable, "-m", "pip_audit", "--version"], + capture_output=True, + text=True, + timeout=10, + ) + assert result.returncode == 0, f"pip-audit --version failed: {result.stderr}" + assert "pip-audit" in result.stdout.lower(), "pip-audit version output unexpected" + except FileNotFoundError: + pytest.fail("pip-audit not installed") + except subprocess.TimeoutExpired: + pytest.fail("pip-audit --version timed out") From 78709a9d76e5787bc0078b0b2ad3d81d19c32f7e Mon Sep 17 00:00:00 2001 From: Matthias Date: Wed, 24 Dec 2025 11:39:00 +0100 Subject: [PATCH 09/12] test: properly wrap line --- tests/test_pip_audit.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/test_pip_audit.py b/tests/test_pip_audit.py index fca696193..29eaca607 100644 --- a/tests/test_pip_audit.py +++ b/tests/test_pip_audit.py @@ -57,7 +57,8 @@ def test_pip_audit_no_vulnerabilities(): else: # Some other error occurred pytest.fail( - f"pip-audit failed to run properly:\n\nReturn code: {result.returncode}\nOutput: {error_output}\n" + f"pip-audit failed to run properly:\n\nReturn code: {result.returncode}\n" + f"Output: {error_output}\n" ) # Success - no vulnerabilities found From 11eb0c080211a7080353eabe6c0e1964689cd066 Mon Sep 17 00:00:00 2001 From: Matthias Date: Wed, 24 Dec 2025 11:58:44 +0100 Subject: [PATCH 10/12] fix: re-add latest tag for docker hub - which aligns to the :devleop tag --- .github/workflows/docker-build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index cd8994453..96d0524eb 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml 
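Review bot: The `'"dependencies"' in result.stdout` condition on the non-zero branch of `test_pip_audit_no_vulnerabilities` can never be true, because `--format=json` is commented out in `command`, so a finding is recognised only if the substring `vulnerabilities found` appears in pip-audit's human-readable output, and the comment `# Run pip-audit with JSON output for easier parsing` is now stale. Either restore `"--format=json"` and decide from `json.loads(result.stdout)["dependencies"]`, or drop the dead condition and correct the comment to `# Run pip-audit in plain-text mode; a non-zero exit means findings or a tool error`. The test also needs network access to reach the advisory service, so offline it fails as a "tool error" rather than skipping; a pytest marker that lets it be deselected would make that explicit. The `--ignore-vuln CVE-2025-53000` exemption is justified only in the docstring; a comment beside the argument, e.g. `# Windows-only nbconvert issue, see docstring — revisit when nbconvert is bumped`, keeps the exemption from silently outliving its reason.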
@@ -290,6 +290,7 @@ jobs: docker buildx imagetools create \ --tag ${GHCR_IMAGE_NAME}:${TAG} \ --tag ${GHCR_IMAGE_NAME}:latest \ + --tag ${IMAGE_NAME}:latest \ ${IMAGE_NAME}:${TAG} - name: Docker images From 2013a2eddaeffd495ae2bc2ed30fde2a0143c1ec Mon Sep 17 00:00:00 2001 From: Matthias Date: Wed, 24 Dec 2025 12:04:30 +0100 Subject: [PATCH 11/12] chore: add recognition to the original tests author --- .github/workflows/ci.yml | 1 - tests/test_pip_audit.py | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f596da117..84b9f9afb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,7 +60,6 @@ jobs: uv pip install -e ft_client/ uv pip install -e . - - name: Check for version alignment run: | python build_helpers/freqtrade_client_version_align.py diff --git a/tests/test_pip_audit.py b/tests/test_pip_audit.py index 29eaca607..ab9017b89 100644 --- a/tests/test_pip_audit.py +++ b/tests/test_pip_audit.py @@ -1,3 +1,9 @@ +""" +Run pip audit to check for known security vulnerabilities in installed packages. +Original Idea and base for this implementation by Michael Kennedy's blog: +https://mkennedy.codes/posts/python-supply-chain-security-made-easy/ +""" + import subprocess import sys from pathlib import Path From 896250fe88390715cc454d803bd879c6b2703e2c Mon Sep 17 00:00:00 2001 From: Matthias Date: Wed, 24 Dec 2025 13:29:01 +0100 Subject: [PATCH 12/12] chore: add debugging output to debug psgallery error --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 84b9f9afb..8a39911a1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -159,6 +159,7 @@ jobs: shell: powershell run: | $PSVersionTable + Get-PSRepository | Format-List * Set-PSRepository psgallery -InstallationPolicy trusted Install-Module -Name Pester -RequiredVersion 5.3.1 -Confirm:$false -Force -SkipPublisherCheck $Error.clear()