-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failure to find dependency that was installed from extra index url #599
Comments
Thanks for the report @cornelius-braun, and for filling our each section! We greatly appreciate it.
This is a somewhat tricky case:
To summarize: this boils down to a question of whether Argument for: Even when different, vulnerabilities reported in Argument against: When a package reports its version as CC @tetsuo-cpp and @di for thoughts. I'm personally inclined to say that we should support "normalizing" local versions into their "base" version, although perhaps behind an option or flag that isn't enabled by default. |
Agreed. PyPI can't distribute vulnerability data for releases that aren't on PyPI (no matter how similar the version numbers look). @cornelius-braun, I'm curious, when you saw the "Dependency not found on PyPI and could not be audited", was this clear enough? Is there more we could do here to say "you installed something we've never seen before, we have no way to tell you if there are known vulnerabilities for it?" (As an aside, if we standardized the vulnerability API, the pytorch index could offer vulnerability details here, but that is a much bigger effort) |
Thank you both for your elaborate replies!
To me, it was clear that you could not find information about the torch installation because it was not found on PyPi. Since an Based on your explanations, your procedure now makes complete sense to me. |
I think we do want to support this eventually, but we could make it more clear that it's not currently supported. |
Agreed! I think we can improve the user experience here with the following: If the user passes |
Assigned to both myself and @tnytown, we'll triage it based on availability during the sprints. |
Hi. I also have the same problem. pip-audit fails to find cpu versions of torch and torchvision on PyPI. Is there any progress here? Thanks. |
That sounds like a different issue, since this issue is about third party index URL handling. Could you please file a separate issue and include an example for us to reproduce your problem with? |
Bug description
I created a requirements file for my project using
pip-compile
. To get the correct version, I added an extra url for thetorch
installation, resulting in the following command:This gives me the following
requirements.txt
When I run
pip-audit
on this, I get the issue thattorch
is skipped from the auditing:Is this a bug or am I misusing
pip-audit
?Reproduction steps
I generated my requirements using
Then I ran
Expected behavior
Auditing of all packages including
torch
.Screenshots and logs
The logs are as follows:
Platform information
pip-audit
version (pip-audit -V
): 2.5.4python -V
orpython3 -V
): 3.11pip
version (pip -V
orpip3 -V
): 23.1The text was updated successfully, but these errors were encountered: