Bug: doesn't work without pip installed

[DetachHead]

Pre-submission checks

• I am not filing an auditing error (false positive or negative). These must be reported to pypa/advisory-database instead.
• I agree to follow the PSF Code of Conduct.
• I have looked through the open issues for a duplicate report.

Expected behavior

i use uv instead of pip to manage my dependencies. from my understanding based on the documentation of the following command line arguments, using pip-audit without pip is supported:

  --disable-pip         don't use `pip` for dependency resolution; this can
                        only be used with hashed requirements files or if the
                        `--no-deps` flag has been provided (default: False)

however when i attempt to use this argument, pip-audit still seems to try to use pip

Actual behavior

C:\Users\user\project\.venv\Scripts\python.exe: No module named pip
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Scripts\pip-audit.EXE\__main__.py", line 5, in <module>
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_cli.py", line 17, in <module>
    from pip_audit._audit import AuditOptions, Auditor
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_audit.py", line 11, in <module>
    from pip_audit._dependency_source import DependencySource
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_dependency_source\__init__.py", line 5, in <module>
    from .interface import (
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_dependency_source\interface.py", line 11, in <module>
    from pip_audit._fix import ResolvedFixVersion
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_fix.py", line 13, in <module>
    from pip_audit._service import (
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_service\__init__.py", line 14, in <module>
    from .osv import OsvService
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_service\osv.py", line 15, in <module>
    from pip_audit._cache import caching_session
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_audit\_cache.py", line 15, in <module>
    import pip_api
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_api\__init__.py", line 9, in <module>
    PIP_VERSION: Version = packaging_version.parse(version())  # type: ignore
                                                   ^^^^^^^^^
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_api\_version.py", line 5, in version
    result = call("--version")
             ^^^^^^^^^^^^^^^^^
  File "C:\Users\user\project\.pyprojectx\venvs\main-4c7fc0cf49a23c94e06c5d5993e49381-py3.12\Lib\site-packages\pip_api\_call.py", line 9, in call
    result = subprocess.check_output(
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\user\AppData\Local\Programs\Python\Python312\Lib\subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\user\AppData\Local\Programs\Python\Python312\Lib\subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['.venv/Scripts/python.exe', '-m', 'pip', '--version']' returned non-zero exit status 1.

Reproduction steps

$env:PIPAPI_PYTHON_LOCATION=".venv/Scripts/python.exe"
uv pip compile pyproject.toml -o requirements.txt
pip-audit --dry-run --no-deps --disable-pip -r requirements.txt

Logs

No response

Additional context

No response

OS name, version, and architecture

windows 11

pip-audit version

2.7.3

pip version

n/a

Python version

3.12

[woodruffw]

Thanks for the detailed report! I greatly appreciate it.

What's happening here is a little subtle: it's not that pip-audit is calling pip to do anything in this case, but that import pip_api attempts to call python -m pip --version at import time.

You can see that here:

https://github.com/di/pip-api/blob/d83552d21e4309900e8f99bea68777bc0dc61b8a/pip_api/__init__.py#L9

https://github.com/di/pip-api/blob/d83552d21e4309900e8f99bea68777bc0dc61b8a/pip_api/_version.py#L4-L10

In the case of uv, I suppose that means that the CPython standalone distributions that uv uses doesn't come with pip (which makes sense, but I hadn't thought about it before).

I need to think a bit about how best to handle this: we could in theory specialize a bit for uv (I really like uv, but this might not be the right approach given that we try to only do PyPA things within pip-audit), or propagate pip_api's fallibility throughout pip_audit (this will be tedious, but is probably the right path anyways in terms of assuming as little as possible).

TL;DR: you've hit a bug, and I need to think a bit about how to fix it 🙂

[DetachHead]

thanks for the reply

I really like uv, but this might not be the right approach given that we try to only do PyPA things within pip-audit

imo this mindset sounds detrimental to the project. tbh i see uv completely replacing pip, i think its a good idea to support it. i hope it becomes the standard/official tool at some point in the future, so i think it makes sense to support it officially

[woodruffw]

imo this mindset sounds detrimental to the project. tbh i see uv completely replacing pip, i think its a good idea to support it. i hope it becomes the standard/official tool at some point in the future, so i think it makes sense to support it officially

The project doesn't have an ego. If uv were to create uv audit tomorrow and replace the pip-audit use-case for uv users, that would be perfectly fine. That's what other non-PyPA packaging tools have done, to my understadning.

With that being said, I agree that we should support it officially, but we're going to do that in a way that doesn't require vendor-specific adaptations.

[woodruffw]

#884 is a variant of this: python -m ensurepip fails with a uv-managed Python.

[MattTheCuber]

Do we have idea for workarounds in the mean time?

Also, just want to link this here: astral-sh/uv#9189

[woodruffw]

The workaround is to use uv pip compile or another mechanism that'll turn your uv dependencies into something that pip-audit can consume.

There are some tips for doing that in the thread you linked 🙂