Bug: doesn't work without pip installed #842

Open
3 tasks done
DetachHead opened this issue Oct 16, 2024 · 3 comments
Labels
bug Something isn't working component:cli CLI components component:dep-sources Dependency sources

Comments

@DetachHead

Pre-submission checks

  • I am not filing an auditing error (false positive or negative). These must be reported to pypa/advisory-database instead.
  • I agree to follow the PSF Code of Conduct.
  • I have looked through the open issues for a duplicate report.

Expected behavior

I use uv instead of pip to manage my dependencies. From my understanding, based on the documentation of the following command line arguments, using pip-audit without pip is supported:

  --disable-pip         don't use `pip` for dependency resolution; this can
                        only be used with hashed requirements files or if the
                        `--no-deps` flag has been provided (default: False)

However, when I attempt to use this argument, pip-audit still seems to try to use pip.

Actual behavior

C:\Users\user\project\.venv\Scripts\python.exe: No module named pip
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Scripts\pip-audit.EXE\__main__.py", line 5, in <module>
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_cli.py", line 17, in <module>
    from pip_audit._audit import AuditOptions, Auditor
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_audit.py", line 11, in <module>
    from pip_audit._dependency_source import DependencySource
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_dependency_source\__init__.py", line 5, in <module>
    from .interface import (
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_dependency_source\interface.py", line 11, in <module>
    from pip_audit._fix import ResolvedFixVersion
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_fix.py", line 13, in <module>
    from pip_audit._service import (
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_service\__init__.py", line 14, in <module>
    from .osv import OsvService
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_service\osv.py", line 15, in <module>
    from pip_audit._cache import caching_session
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_cache.py", line 15, in <module>
    import pip_api
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_api\__init__.py", line 9, in <module>
    PIP_VERSION: Version = packaging_version.parse(version())  # type: ignore
                                                   ^^^^^^^^^
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_api\_version.py", line 5, in version
    result = call("--version")
             ^^^^^^^^^^^^^^^^^
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_api\_call.py", line 9, in call
    result = subprocess.check_output(
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\user\AppData\Local\Programs\Python\Python312\Lib\subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\user\AppData\Local\Programs\Python\Python312\Lib\subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['.venv/Scripts/python.exe', '-m', 'pip', '--version']' returned non-zero exit status 1.

Reproduction steps

# point pip-api at the uv-managed venv interpreter, which ships without pip
$env:PIPAPI_PYTHON_LOCATION=".venv/Scripts/python.exe"
# resolve and pin the requirements with uv instead of pip
uv pip compile pyproject.toml -o requirements.txt
# audit the pinned file without pip (--no-deps satisfies the --disable-pip precondition)
pip-audit --dry-run --no-deps --disable-pip -r requirements.txt

Logs

No response

Additional context

No response

OS name, version, and architecture

windows 11

pip-audit version

2.7.3

pip version

n/a

Python version

3.12

@DetachHead DetachHead added the bug-candidate Might be a bug. label Oct 16, 2024
@woodruffw
Member

Thanks for the detailed report! I greatly appreciate it.

What's happening here is a little subtle: it's not that pip-audit is calling pip to do anything in this case, but that import pip_api attempts to call python -m pip --version at import time.

You can see that here:

https://github.com/di/pip-api/blob/d83552d21e4309900e8f99bea68777bc0dc61b8a/pip_api/__init__.py#L9

https://github.com/di/pip-api/blob/d83552d21e4309900e8f99bea68777bc0dc61b8a/pip_api/_version.py#L4-L10

In the case of uv, I suppose that means that the CPython standalone distributions that uv uses don't come with pip (which makes sense, but I hadn't thought about it before).

I need to think a bit about how best to handle this: we could in theory specialize a bit for uv (I really like uv, but this might not be the right approach given that we try to only do PyPA things within pip-audit), or propagate pip_api's fallibility throughout pip_audit (this will be tedious, but is probably the right path anyways in terms of assuming as little as possible).

TL;DR: you've hit a bug, and I need to think a bit about how to fix it 🙂

@woodruffw woodruffw added bug Something isn't working component:cli CLI components component:dep-sources Dependency sources and removed bug-candidate Might be a bug. labels Oct 17, 2024
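The traceback above shows the failure is in pip_api's import-time `python -m pip --version` subprocess call, not in pip-audit's own resolver. The following is an added example, not code from pip-audit or pip-api: a pre-flight probe that runs the same command against the interpreter selected by PIPAPI_PYTHON_LOCATION (the variable the reproduction steps set), but treats a non-zero exit such as "No module named pip" as a reportable result instead of an unhandled CalledProcessError. The dataclass, function names and the ensurepip hint are this example's own; pip_api itself is only imported once the probe succeeds.

```python
"""Pre-flight probe for the import-time `python -m pip --version` call.

Added example, not pip-audit's or pip-api's own code. It reproduces the
subprocess call seen in the traceback, but never raises on a missing pip.
"""
import os
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PipProbe:
    python: str             # interpreter that was probed
    available: bool         # True if `python -m pip --version` exited 0
    version: Optional[str]  # parsed pip version (e.g. "24.2") when available
    detail: str             # raw output, or the error that occurred


# Matches the first line of `pip --version`, e.g.
# "pip 24.2 from /venv/lib/python3.12/site-packages/pip (python 3.12)"
_VERSION_RE = re.compile(r"^pip\s+(\S+)\s+from\s", re.MULTILINE)


def parse_pip_version(output: str) -> Optional[str]:
    """Return the version token from `pip --version` output, or None."""
    m = _VERSION_RE.search(output.strip())
    return m.group(1) if m else None


def target_python(env=None) -> str:
    """Select the interpreter the same way the report does: honour
    PIPAPI_PYTHON_LOCATION, otherwise fall back to the running interpreter."""
    env = os.environ if env is None else env
    return env.get("PIPAPI_PYTHON_LOCATION", sys.executable)


def probe_pip(python: str, timeout: float = 30.0) -> PipProbe:
    """Run `python -m pip --version` and report the outcome without raising."""
    try:
        proc = subprocess.run(
            [python, "-m", "pip", "--version"],
            capture_output=True, text=True, timeout=timeout,
        )
    except FileNotFoundError as exc:
        return PipProbe(python, False, None, f"interpreter not found: {exc}")
    except subprocess.TimeoutExpired:
        return PipProbe(python, False, None, "timed out")
    if proc.returncode != 0:
        # The case in the report: "No module named pip", exit status 1.
        return PipProbe(python, False, None, (proc.stderr or proc.stdout).strip())
    return PipProbe(python, True, parse_pip_version(proc.stdout), proc.stdout.strip())


def import_pip_api_safely():
    """Import pip_api only after confirming pip exists for the target interpreter.

    Returns (module, probe); module is None when pip is absent. This is the
    'propagate fallibility' idea from the comment above, applied at the call site.
    """
    probe = probe_pip(target_python())
    if not probe.available:
        return None, probe
    import pip_api  # assumed to be installed alongside pip-audit
    return pip_api, probe


if __name__ == "__main__":
    result = probe_pip(target_python())
    if result.available:
        print(f"pip {result.version} found for {result.python}")
    else:
        print(f"pip is not available for {result.python}: {result.detail}")
        print("hint: run `python -m ensurepip` in that environment before pip-audit")
        sys.exit(1)
```

Running this script with the same PIPAPI_PYTHON_LOCATION as the reproduction steps prints the "No module named pip" detail and exits 1 before pip_api is ever imported, which is the point at which pip-audit 2.7.3 crashes instead.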
@DetachHead
Author

thanks for the reply

I really like uv, but this might not be the right approach given that we try to only do PyPA things within pip-audit

imo this mindset sounds detrimental to the project. tbh I see uv completely replacing pip; I think it's a good idea to support it. I hope it becomes the standard/official tool at some point in the future, so I think it makes sense to support it officially.

@woodruffw
Member

imo this mindset sounds detrimental to the project. tbh I see uv completely replacing pip; I think it's a good idea to support it. I hope it becomes the standard/official tool at some point in the future, so I think it makes sense to support it officially.

The project doesn't have an ego. If uv were to create uv audit tomorrow and replace the pip-audit use-case for uv users, that would be perfectly fine. That's what other non-PyPA packaging tools have done, to my understanding.

With that being said, I agree that we should support it officially, but we're going to do that in a way that doesn't require vendor-specific adaptations.
