-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a config/command line option to treat some downstream errors as warning instead of complete error exit #478
Comments
Thanks for the report! To clarify, the problem is requirements specifiers like this, right?
Could you also post the Given that we've jumped a bit ahead of (Alternatively, we could be a forward-pushing force, and carve out a specific error here telling users that they're going to need to fix their dependencies soon anyways.) cc @di for thoughts. |
Yep, exactly this was one of the issues. But I remember that for example an older version of
At least for sometime, I guess most active projects will be forced to follow that.
I agree, that it should be clearly pointed out, ideally with more details what to do. So a red warning sign to make sure it's getting fixed :) And by default error out might be fine as well, but sometimes you want to run audits while you're waiting for a fix upstream and are fine if one dependency is currently not fully covered but at least all the others still are. |
Thanks! And yeah, 100% agreed -- IMO |
Do you have any suggestion what one should do in the meantime to workaround this? My only idea is to use an older I reported the issue upstream and they fixed it in master, but the release to |
Short term, downgrading would be the best workaround. We're unlikely to provide support for auditing projects that aren't standards-compliant, but we should definitely be providing a better exception here, or even better, skipping & warning on these invalid projects. (Generally I don't think any |
Yeah, we can definitely do much better with the error message here. I'll look into that now. |
Just enumerating; there are two separate improvements we can make here:
|
@norg do you have a reproducible case you can share? I can cause the top-level error with:
...but not the nested error you're seeing with |
Sure, you can trigger this when you use an older version and specify it:
This does trigger the Traceback for me on Thanks for looking into this! |
Indeed, thanks! |
Just to show the WIP (I'm going to clean it up a bit more):
|
#507 improves the error messages here, but we've left this open since it's not a "full" fix. Longer term, we should consider re-adding support for legacy (non-PEP 440) versions, explicitly skipping those versions, or making the current implicit policy of always using the latest |
Please be substantive. This is a year old issue, we don't know what you think broke. |
Upgraded to the latest pip and now I am basically unable to do anything as I am getting exception on any attempt to install or upgrade one of my packages that is dependent on Django and Celery... So what do I do? |
Could you paste the full error you're seeing, and share the following:
It's possible this is an upstream change in |
I am not sure who is responsible for this as I am not deeply familiar to the inner workings of pip, pip-audit, setuptools, etc.., however... whoever introduced this is stupid beyond imagination! Now... what else do you want to be provided..? It's as simple as it can be! It goes like this... somebody tries to install some pip package and he is faced with some pip errors, ok, so he starts googling... the very first advise that he gets on the internet is to upgrade pip and setuptools to the latest version. Once he does that... he is screwed, as he starts getting this error all over the place! For example my project has dependency on an older celery packge, I think it was celery==4.4.7. But that's my own package that I maintain myself. Well ok, so I try and upgrade that requirement to celery==5.3.6. Well.. ok it kind of helps, however it also depends on librosa==0.10.1, which subsequently depends on more packages, that are older... which eventually brakes with same message... So basically this is a disaster, as usually you are not in control of those dependencies, you just simply want to install some packages, which are sometimes a few years old and not necessarily meets latest PEP requirements, however they work perfectly well! And people sometimes have been using them for years without any trouble! Well but after you upgrade your pip... you start having serious troubles! So what's the point of upgrading it? This is not how it should be executed!!! If there's PEP requirement enforcement planned ahead it must be performed on builders side, so that whenever you want to build your package in to a wheel and publish it on to PyPy things would brake and you would not be allowed to do so until you fix your own build, but not wise versa! This is not full story however... We have a big project, with hundreds of installations that has auto updating system using pip to install dependencies... So when this happens... you are in a seriously deep shit! To remediate this I had to enforce duck tape solution: pip install setuptools==65.7.0 before we start dealing with pip. Sorry, for my emotions, but I am really pissed off by this. This is not how things should be done in Python world. I am proud Python developer for last 20 years, but this really got me seriously upset. |
We don't know what "this" is. You were asked to provide additional context in #478 (comment), and haven't done so. We cannot help you resolve your problem until we know what the actual problem is. To set a clear expectation here: this is
|
Need more context to move your a**? @woodruffw you are as ignorant as f***! So it is not approporiate, nor it is humane, nor colaborative, nor helping nor healthy, nor sustainable, nor friendly, nor productive.., etc... That's more than enough context for you to start making any progress, if it's even possible for you to comprehend. |
Okay, thanks for making this decision easy. |
Is your feature request related to a problem? Please describe.
From time to time we run into issues where
pip-audit
stops working with a traceback or error that is not related topip-audit
itself but for reasons in the projects that are audited.So for example
celery
is not following PEP440 currently for therequirements.txt
, this results in a traceback when runningpip-audit
sincepackaging
is now more strict on that. So untilcelery
is changing the file apip-audit
run that has a dependency that at one point ends up with an issue, the whole audit breaks.I would argue that his can happen more often and a user would still like to have a report for the packages that are resolved.
Describe the solution you'd like
Ideally the user can configure this and
pip-audit
will proceed with the rest of the audit and report a warning that some parts couldn't be audited due to errors.The advantage of the config option is, that the default could still be a clear error and exit by
pip-audit
but users who would like to have a partial report have an alternative, especially if the proper fix in the other package might take time or isn't even considered.Describe alternatives you've considered
Reporting the issues to the project is the proper way but until some things are fixed
pip-audit
runs would always fail.Additional context
Example in Celery celery/celery#8001 (comment) which is detected by
packaging
pypa/packaging#658The text was updated successfully, but these errors were encountered: