eccenca · seebi · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v7.3.0-23-g37cff5f
+_commit: v8.3.1
 _src_path: gh:eccenca/cmem-plugin-template
 author_mail: cmempy-developer@eccenca.com
 author_name: eccenca GmbH

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -22,6 +22,13 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
 
+      - name: Cache Trivy DB
+        id: cache-trivydb
+        uses: actions/cache@v4
+        with:
+          path: .trivycache
+          key: ${{ runner.os }}-trivydb
+
       - name: Install Task
         uses: arduino/setup-task@v2
 
@@ -62,9 +69,13 @@ jobs:
         run: |
           task check:deptry
 
-      - name: safety
+      - name: trivy
+        env:
+          TRIVY_NO_PROGRESS: "true"
+          TRIVY_CACHE_DIR: ".trivycache/"
+          TRIVY_DISABLE_VEX_NOTICE: "true"
         run: |
-          task check:safety
+          task check:trivy
 
       - name: Publish Test Report in Action
         uses: mikepenz/action-junit-report@v4

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -60,17 +60,24 @@ deptry:
   script:
     - task check:deptry
 
-safety:
+trivy:
   stage: test
+  variables:
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
+    TRIVY_DISABLE_VEX_NOTICE: "true"
   script:
-    - task check:safety
+    - task check:trivy
+  cache:
+    paths:
+      - .trivycache/
 
 build:
   stage: build
   needs:
     - mypy
     - pytest
-    - safety
+    - trivy
     - deptry
   script:
     - task build

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,4 +1,7 @@
 ---
+default_language_version:
+  python: python3.13
+
 repos:
   - repo: local
     hooks:
@@ -36,3 +39,9 @@ repos:
         stages: [post-checkout, post-merge]
         always_run: true
 
+      - id: trivy
+        name: check:trivy
+        description: run trivy to scan for vulnerabilities
+        entry: task check:trivy
+        language: python
+        pass_filenames: false
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,4 @@
+# .trivyignore
+
+# ignore 51358 safety - dev dependency only
+CVE-2022-39280
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](https://semver.org/)
 
+## [Unreleased]
+
+### Changed
+
+- Updated template 
+
 ## [4.15.0] 2025-10-15
 
 ### Changed

diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -51,7 +51,7 @@ tasks:
       Check poetry versioning plugin. Currently not under Windows
     run: once
     preconditions:
-      - sh: '[ -d .git ]'
+      - sh: git -C . rev-parse
         msg: >
           Your newly created project directory needs to be initialized
           as a git repository.
@@ -112,7 +112,7 @@ tasks:
       - task: check:ruff
       - task: check:mypy
       - task: check:deptry
-      - task: check:safety
+      - task: check:trivy
 
   check:pytest:
     desc: Run unit and integration tests
@@ -154,12 +154,16 @@ tasks:
     vars:
       JUNIT_FILE: ./{{.DIST_DIR}}/junit-mypy.xml
 
-  check:safety:
-    desc: Complain about vulnerabilities in dependencies
+  check:trivy:
+    desc: Scan for vulnerabilities using Trivy
     <<: *preparation
     cmds:
-      # ignore 51358 safety - dev dependency only
-      - poetry run safety check -i 51358
+      - >
+        poetry run trivy fs
+        --include-dev-deps
+        --scanners vuln
+        --exit-code 1
+        .
 
   check:deptry:
     desc: Complain about unused or missing dependencies

diff --git a/cmem_plugin_base/dataintegration/typed_entities/file.py b/cmem_plugin_base/dataintegration/typed_entities/file.py
@@ -89,7 +89,7 @@ def close(self) -> None:
         """Close the underlying text stream."""
         self._text_stream.close()
 
-    def __enter__(self) -> "_TextToBytesWrapper":
+    def __enter__(self) -> "_TextToBytesWrapper":  # noqa: PYI034
         return self
 
     def __exit__(self, *args: object) -> None:

diff --git a/cmem_plugin_base/dataintegration/typed_entities/typed_entities.py b/cmem_plugin_base/dataintegration/typed_entities/typed_entities.py
@@ -15,7 +15,7 @@ class TypedEntitySchema(EntitySchema, Generic[T]):
     # Class variable to store singleton instances for each subclass
     _instances: ClassVar[dict[type["TypedEntitySchema"], "TypedEntitySchema"]] = {}
 
-    def __new__(cls, *args, **kwargs) -> "TypedEntitySchema":  # noqa: ANN002, ANN003, ARG004
+    def __new__(cls, *args, **kwargs) -> "TypedEntitySchema":  # noqa: ANN002, ANN003, ARG004 PYI034
         """Implement singleton pattern for all subclasses of TypedEntitySchema."""
         if cls not in cls._instances:
             cls._instances[cls] = super().__new__(cls)

diff --git a/cmem_plugin_base/dataintegration/utils/__init__.py b/cmem_plugin_base/dataintegration/utils/__init__.py
@@ -64,7 +64,7 @@ def split_task_id(task_id: str) -> tuple:
 
     """
     try:
-        project_part = task_id.split(":")[0]
+        project_part = task_id.split(":", maxsplit=1)[0]
         task_part = task_id.split(":")[1]
     except IndexError as error:
         raise ValueError(f"{task_id} is not a valid task ID.") from error