fix: remove unused black and requests from dev dependencies

- We use Ruff for formatting, not Black
- requests is not used directly
- Security check now audits only production dependencies
- Fail CI only on production vulnerabilities (not dev)

.gitea/workflows/pr-check.yml

@@ -91,21 +91,23 @@ jobs:
         env:
           UV_NO_PROGRESS: "1"
         run: |
-          echo "Running pip-audit..."
+          echo "Running pip-audit on production dependencies..."
-          uv run pip-audit --format json --output audit-results.json || true
+          # Audit only production dependencies (exclude dev)
+          uv pip compile pyproject.toml --no-dev -o requirements-prod.txt
+          uv run pip-audit --format json --output audit-results.json -r requirements-prod.txt || true
           
           # Parse and display results
           if [ -s audit-results.json ] && [ "$(cat audit-results.json)" != "[]" ]; then
-            echo "⚠️  Found vulnerabilities (dev dependencies only):"
+            echo "❌ Found vulnerabilities in production dependencies:"
             uv run python -c "
 import json
 data = json.load(open('audit-results.json'))
 for vuln in data:
     print(f\"  - {vuln.get('name', 'unknown')} {vuln.get('version', '')}: {vuln.get('id', '')}\")
-print('Note: These are dev dependencies, not shipped with the package.')
 "
+            exit 1
           else
-            echo "✅ No vulnerabilities found"
+            echo "✅ No vulnerabilities in production dependencies"
           fi
       
       - name: Check for secrets

pyproject.toml

@@ -37,9 +37,6 @@ dev = [
     "ruff>=0.3.0",
     "python-semantic-release>=9.0.0",
     "pip-audit>=2.7.0",
-    # Pinned to avoid vulnerabilities
-    "black>=24.3.0",
-    "requests>=2.33.0",
 ]
 
 [project.urls]