Evaluate extras and groups when determining auditable packages

[woodruffw]

Summary

I've made uv audit's approach to handling extras and groups (explicitly) subtractive: we don't support flags like --dev (since uv audit audits everything by default); instead, we only support flags like --no-dev, --no-group, etc., that remove items from the to-be-audited set.

To accomplish that, I've abstracted the filtering into a new Lock::packages_for_audit API (maybe there's a better location for it?). Implementation wise, it does a BFS similar to the one used in uv tree. I think there's some room/opportunity for DRYing there but I wanted to keep the PR small/local 🙂

See #18506.

Test Plan

None yet.

[konstin]

Can you say a but more of what (sub)set of packages users want to audit? E.g., do we want to evaluate all packages by default, or only the set of default extras and the dev group, or only the set production dependencies without groups, etc.?

[codspeed-hq]

Merging this PR will not alter performance

✅ 5 untouched benchmarks

---

_{Comparing ww/uv-audit-filter (19e8ae6) with main (7228ad6)}

[woodruffw]

Can you say a but more of what (sub)set of packages users want to audit? E.g., do we want to evaluate all packages by default, or only the set of default extras and the dev group, or only the set production dependencies without groups, etc.?

Oh yeah, I under-thought this -- I think by default uv audit should audit everything in the lockfile. Then, if they only want to audit a specific extra/group/resolution, they need to pass flags to that effect.

[woodruffw]

Actually even that doesn't make a ton of sense -- I can't think of any user scenario/persona where they'd want to only audit a specific group/extra, rather than just the entire thing. I'm kind of inclined to just drop the extra/group flags entirely, at least for the MVP...

(For context, pip-audit doesn't try to do any of this.)

[zanieb]

I do think it's reasonable to say --no-group ... and exclude dependency groups from your audit if you only care about production dependencies.

[zanieb]

I think auditing everything by default and allowing subset selection broadly makes sense to me.

[woodruffw]

SG, working on that now.

[woodruffw]

OK, good for another look! I've updated the main PR description to clarify what I've changed here.

[konstin]

Can comment there, but can you also extend the top level description of the command to talk about extras and dep groups?

[woodruffw]

dfe8033 LMK if this is what you're thinking 🙂