pip-audit: Crash on `package @ git+...` dependencies

Bug description

Using package @ git+... dependencies crashes pip-audit with a traceback, when I’d expect it to output the usual report with those packages listed by name and skip-reason if unauditable.

Reproduction steps

# Some packages exist, and all is well
shed == 0.10.5

# Others *don't* exist or can't be fetched, that's reported nicely
this_might_exist_off_pypi == 0.0.1

# But if you have this awful kind of dep, you'll get a traceback!
hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python

pip-audit --no-deps -r requirements.txt

Platform information

  • OS name and version: macOS Monterey
  • pip-audit version (pip-audit -V): pip-audit 2.4.4
  • Python version (python -V or python3 -V): Python 3.10.6
  • pip version (pip -V or pip3 -V): pip 22.3

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 16 (13 by maintainers)

Most upvoted comments

I just confirmed that pip install --no-deps -r requirements.txt does install a VCS dependency but skips its subdependencies, so https://github.com/pypa/pip-audit/issues/382#issuecomment-1297260688 is probably the closest appropriate behavior here. I’ll adjust the PR.

+2
woodruffw on Oct 31, 2022

Thanks for telling us @seankfh!

Would you mind opening a separate issue for that? The top-level issue here was a crash, not a behavioral consideration around how --no-deps interacts with URL requirements. A separate issue would help us better track and triage the behavior you’re seeing, especially since there’s been a few releases since we closed this.

(And please include any details about that hang you’re seeing!)

+1
woodruffw on Apr 26, 2023

Did some digging here, and it looks like this error only happens with --no-deps. I think that’s why @di couldn’t repro it.

In particular, it looks like it happens because --no-deps requires every dependency to be fully pinned, but the URL-style requirement you’re providing doesn’t include a version specification.

In other words, this:

hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python

should be this:

hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#egg=hypothesis==6.56.3&subdirectory=hypothesis-python

…however, that still fails with the same error, which makes me think it might be a bug in our requirements parser. Will continue looking.

+1
woodruffw on Oct 29, 2022
Read more comments on GitHub
← pip-audit: 0.0.4 test failure: fixture 'vuln_service' not found
pip-audit: Does not work with prerelease-only dependencies that have no specific version →