Version 1.0.6 gives error AttributeError: 'HTTPResponse' object has no attribute 'strict' #38

Closed
MichaelTiemannOSC opened this issue May 3, 2023 · 9 comments · Fixed by #39
@MichaelTiemannOSC

MichaelTiemannOSC commented May 3, 2023

Current behavior

Below is a logfile from an attempted audit of a recent pull request (https://github.com/os-climate/ITR/actions/runs/4874697829/jobs/8695957245?pr=186):

I was happily using 1.0.3 until GitHub updated to 1.0.6 and now I cannot merge my Pull Request.

Expected behavior

I expect the audit to run and either flag a security error or silently return success.

Steps to reproduce

This occurs when I attempt to merge PR 186: os-climate/ITR#186

All of the code is open source, so you might be able to fork the underlying repo (os-climate/ITR) and the source of the pull request (MichaelTiemannOSC/ITR) and have at it.

Relevant context

Run pypa/gh-action-pip-audit@v1.0.6
Run # NOTE: Sourced, not executed as a script.
Collecting pip-audit>=2.4.13,~=2.0 (from -r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pip_audit-2.5.4-py3-none-any.whl (52 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 52.9/52.9 kB 2.2 MB/s eta 0:00:00
Collecting CacheControl[filecache]>=0.12.10 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading CacheControl-0.12.11-py2.py3-none-any.whl (21 kB)
Collecting cyclonedx-python-lib!=2.5.0,~=2.0 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading cyclonedx_python_lib-2.7.1-py3-none-any.whl (200 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 200.4/200.4 kB 13.4 MB/s eta 0:00:00
Collecting html5lib>=1.1 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading html5lib-1.1-py2.py3-none-any.whl (112 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 112.2/112.2 kB 39.3 MB/s eta 0:00:00
Collecting packaging>=23.0.0 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading packaging-23.1-py3-none-any.whl (48 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.9/48.9 kB 17.3 MB/s eta 0:00:00
Collecting pip-api>=0.0.28 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pip_api-0.0.30-py3-none-any.whl (111 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 111.6/111.6 kB 37.7 MB/s eta 0:00:00
Collecting pip-requirements-parser>=32.0.0 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pip_requirements_parser-32.0.1-py3-none-any.whl (35 kB)
Collecting rich>=12.4 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading rich-13.3.5-py3-none-any.whl (238 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 238.7/238.7 kB 48.8 MB/s eta 0:00:00
Collecting toml>=0.10 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading toml-0.10.2-py2.py3-none-any.whl (16 kB)
Collecting requests (from CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading requests-2.30.0-py3-none-any.whl (62 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.5/62.5 kB 20.6 MB/s eta 0:00:00
Collecting msgpack>=0.5.2 (from CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading msgpack-1.0.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (316 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 316.8/316.8 kB 69.5 MB/s eta 0:00:00
Collecting lockfile>=0.9 (from CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading lockfile-0.12.2-py2.py3-none-any.whl (13 kB)
Collecting packageurl-python>=0.9 (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading packageurl_python-0.11.1-py3-none-any.whl (23 kB)
Requirement already satisfied: setuptools>=47.0.0 in /opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1)) (67.7.2)
Collecting sortedcontainers<3.0.0,>=2.4.0 (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading sortedcontainers-2.4.0-py2.py3-none-any.whl (29 kB)
Requirement already satisfied: six>=1.9 in /opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages (from html5lib>=1.1->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1)) (1.16.0)
Collecting webencodings (from html5lib>=1.1->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading webencodings-0.5.1-py2.py3-none-any.whl (11 kB)
Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages (from pip-api>=0.0.28->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1)) (23.0.1)
Collecting pyparsing (from pip-requirements-parser>=32.0.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pyparsing-3.0.9-py3-none-any.whl (98 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.3/98.3 kB 34.1 MB/s eta 0:00:00
Collecting markdown-it-py<3.0.0,>=2.2.0 (from rich>=12.4->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading markdown_it_py-2.2.0-py3-none-any.whl (84 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 84.5/84.5 kB 31.5 MB/s eta 0:00:00
Collecting pygments<3.0.0,>=2.13.0 (from rich>=12.4->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading Pygments-2.15.1-py3-none-any.whl (1.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 69.7 MB/s eta 0:00:00
Collecting mdurl~=0.1 (from markdown-it-py<3.0.0,>=2.2.0->rich>=12.4->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading mdurl-0.1.2-py3-none-any.whl (10.0 kB)
Collecting charset-normalizer<4,>=2 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (199 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 199.3/199.3 kB 58.7 MB/s eta 0:00:00
Collecting idna<4,>=2.5 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading idna-3.4-py3-none-any.whl (61 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.5/61.5 kB 19.5 MB/s eta 0:00:00
Collecting urllib3<3,>=1.21.1 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading urllib3-2.0.1-py3-none-any.whl (123 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 123.3/123.3 kB 40.8 MB/s eta 0:00:00
Collecting certifi>=2017.4.17 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading certifi-2022.12.7-py3-none-any.whl (155 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 155.3/155.3 kB 44.4 MB/s eta 0:00:00
Installing collected packages: webencodings, sortedcontainers, msgpack, lockfile, urllib3, toml, pyparsing, pygments, pip-api, packaging, packageurl-python, mdurl, idna, html5lib, charset-normalizer, certifi, requests, pip-requirements-parser, markdown-it-py, cyclonedx-python-lib, rich, CacheControl, pip-audit
Successfully installed CacheControl-0.12.11 certifi-2022.12.7 charset-normalizer-3.1.0 cyclonedx-python-lib-2.7.1 html5lib-1.1 idna-3.4 lockfile-0.12.2 markdown-it-py-2.2.0 mdurl-0.1.2 msgpack-1.0.5 packageurl-python-0.11.1 packaging-23.1 pip-api-0.0.30 pip-audit-2.5.4 pip-requirements-parser-32.0.1 pygments-2.15.1 pyparsing-3.0.9 requests-2.30.0 rich-13.3.5 sortedcontainers-2.4.0 toml-0.10.2 urllib3-2.0.1 webencodings-0.5.1

Notice:  A new release of pip is available: 23.0.1 -> 23.1.2
Notice:  To update, run: pip install --upgrade pip
Run # NOTE: Sourced, not executed as a script.
  # NOTE: Sourced, not executed as a script.
  source "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/setup/venv.bash"
  
  /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/action.py ""
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.10.11/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.10.11/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.10.11/x64/lib
    GHA_PIP_AUDIT_SUMMARY: true
    GHA_PIP_AUDIT_NO_DEPS: false
    GHA_PIP_AUDIT_REQUIRE_HASHES: false
    GHA_PIP_AUDIT_VULNERABILITY_SERVICE: PyPI
    GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT: 
    GHA_PIP_AUDIT_LOCAL: false
    GHA_PIP_AUDIT_INDEX_URL: 
    GHA_PIP_AUDIT_EXTRA_INDEX_URLS: 
    GHA_PIP_AUDIT_IGNORE_VULNS: 
    GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: false
    GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG: false
    GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: 
[Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
⚠️ pip-audit did not return any output
Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/__main__.py", line 8, in <module>
    audit()
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_cli.py", line 450, in audit
    for spec, vulns in auditor.audit(source):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_audit.py", line 67, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_service/interface.py", line 155, in query_all
    yield self.query(spec)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_service/pypi.py", line 61, in query
    response: requests.Response = self.session.get(url=url, timeout=self.timeout)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 600, in get
    return self.request("GET", url, **kwargs)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 745, in send
    r.content
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/models.py", line 899, in content
    self._content = b"".join(self.iter_content(CONTENT_CHUNK_SIZE)) or b""
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/models.py", line 816, in generate
    yield from self.raw.stream(chunk_size, decode_content=True)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 935, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 874, in read
    data = self._raw_read(amt)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 809, in _raw_read
    data = self._fp_read(amt) if not fp_closed else b""
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 794, in _fp_read
    return self._fp.read(amt) if amt is not None else self._fp.read()
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/filewrapper.py", line 96, in read
    self._close()
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/filewrapper.py", line 76, in _close
    self.__callback(result)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/controller.py", line 353, in cache_response
    self._cache_set(cache_url, request, response, body, expires_time)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/controller.py", line 274, in _cache_set
    self.serializer.dumps(request, response, body),
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/serialize.py", line 54, in dumps
    u"strict": response.strict,
AttributeError: 'HTTPResponse' object has no attribute 'strict'

Error: Process completed with exit code 1.
@MichaelTiemannOSC MichaelTiemannOSC added the bug Something isn't working label May 3, 2023
@woodruffw
Member

Thanks for the report @MichaelTiemannOSC! I'll look into this now.

@woodruffw woodruffw self-assigned this May 3, 2023
@woodruffw
Member

woodruffw commented May 3, 2023

Looks like this is a known incompatibility between CacheControl and requests, starting with 2.30: psf/cachecontrol#292

Transitive: psf/requests#6437

@woodruffw
Member

(Specifically, the subdep hop to urllib3 1->2 is probably the root cause.)
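The combination identified in this thread can be checked for directly in a CI install log. The following is an added example, not code from pip-audit or CacheControl: it parses pip's `Successfully installed` summary and flags CacheControl 0.12.11 resolved alongside urllib3 2.x. The sample line is constructed from the log above, the function names are hypothetical, and treating only 0.12.11 as affected is an assumption, since the thread names no other CacheControl version.

```python
import re

# Constructed sample: the "Successfully installed" line from the log above,
# shortened to the packages involved in this failure.
SAMPLE_LOG = (
    "Successfully installed CacheControl-0.12.11 cyclonedx-python-lib-2.7.1 "
    "pip-audit-2.5.4 requests-2.30.0 urllib3-2.0.1\n"
)


def installed_versions(log_text):
    """Map normalized package name -> version from pip's install summary."""
    versions = {}
    for line in log_text.splitlines():
        if not line.startswith("Successfully installed "):
            continue
        for token in line.split()[2:]:
            # pip prints "<name>-<version>"; names may contain hyphens,
            # so split on the last hyphen only.
            name, _, version = token.rpartition("-")
            if name and version:
                key = re.sub(r"[-_.]+", "-", name).lower()
                versions[key] = version
    return versions


def major(version):
    """Leading integer of a version string, or None if there is none."""
    match = re.match(r"(\d+)", version)
    return int(match.group(1)) if match else None


def strict_attr_risk(versions, affected_cachecontrol=("0.12.11",)):
    """Return a finding if the resolved set pairs an affected CacheControl
    (assumption: only the version seen in the log) with urllib3 >= 2."""
    cachecontrol = versions.get("cachecontrol")
    urllib3 = versions.get("urllib3")
    if cachecontrol is None or urllib3 is None:
        return None
    if cachecontrol in affected_cachecontrol and (major(urllib3) or 0) >= 2:
        return (f"CacheControl {cachecontrol} resolved with urllib3 {urllib3}: "
                "serializer reads response.strict, which this urllib3 lacks")
    return None


if __name__ == "__main__":
    print(strict_attr_risk(installed_versions(SAMPLE_LOG)))
```
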

@woodruffw
Member

woodruffw commented May 3, 2023

@MichaelTiemannOSC could you give the changes under the ww/pin-requests branch a try? They're available on #39.

That's my short-gap fix; if it works for you, I'll merge it and cut a point release.

Medium term, pip-audit itself will need a point release with the same or a similar version constraint.

@woodruffw
Member

Actual fix: pypa/pip-audit#605

@MichaelTiemannOSC MichaelTiemannOSC changed the title Version 1.0.6 give error AttributeError: 'HTTPResponse' object has no attribute 'strict' Version 1.0.6 gives error AttributeError: 'HTTPResponse' object has no attribute 'strict' May 3, 2023
@MichaelTiemannOSC
Author

Cool...trying to figure out how to do it now.

@woodruffw
Member

> Cool...trying to figure out how to do it now.

You should have a line like this in one of your workflows:

- uses: pypa/gh-action-pip-audit@v1.0.6

you can temporarily change that to:

- uses: pypa/gh-action-pip-audit@ww/pin-requests

...and that'll give you the changes 🙂

MichaelTiemannOSC added a commit to MichaelTiemannOSC/ITR that referenced this issue May 3, 2023
Testing pypa/gh-action-pip-audit#38

Signed-off-by: Michael Tiemann <[email protected]>
@MichaelTiemannOSC
Author

Good news...the dependency audits are back to passing: os-climate/ITR#186

Now I just need to wait for the unit tests to work. Thanks so much!!

@woodruffw
Member

We've cut these changes with 1.0.7; thanks again @MichaelTiemannOSC for reporting!
