
requirement: Improve error message for unpinned URL requirements #355

Merged 5 commits into main from alex/unpinned-url-requirement, Aug 26, 2022

Conversation

tetsuo-cpp (Contributor)

Closes #354

@tetsuo-cpp tetsuo-cpp added enhancement New feature or request component:dep-sources Dependency sources labels Aug 24, 2022
tetsuo-cpp (Contributor, Author)

```
(env) tetsuo@Alexs-MacBook-Pro pip-audit % pip-audit -r requirements.txt --no-deps
WARNING:pip_audit._cli:--no-deps is supported, but users are encouraged to fully hash their pinned dependencies
WARNING:pip_audit._cli:Consider using a tool like `pip-compile`: https://pip-tools.readthedocs.io/en/latest/#using-hashes
Traceback (most recent call last):
  File "/Users/tetsuo/Code/pip-audit/env/bin/pip-audit", line 8, in <module>
    sys.exit(audit())
  File "/Users/tetsuo/Code/pip-audit/pip_audit/_cli.py", line 432, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/Users/tetsuo/Code/pip-audit/pip_audit/_audit.py", line 66, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/Users/tetsuo/Code/pip-audit/pip_audit/_service/interface.py", line 150, in query_all
    for spec in specs:
  File "/Users/tetsuo/Code/pip-audit/pip_audit/_dependency_source/requirement.py", line 120, in collect
    for _, dep in self._collect_cached_deps(filename, reqs):
  File "/Users/tetsuo/Code/pip-audit/pip_audit/_dependency_source/requirement.py", line 318, in _collect_cached_deps
    for req, dep in self._collect_preresolved_deps(
  File "/Users/tetsuo/Code/pip-audit/pip_audit/_dependency_source/requirement.py", line 265, in _collect_preresolved_deps
    raise RequirementSourceError(
pip_audit._dependency_source.requirement.RequirementSourceError: requirement de-core-news-sm is not pinned, URL requirements must be pinned with #egg=your_package_name==your_package_version: de-core-news-sm from https://github.com/explosion/spacy-models/releases/download/de_core_news_sm-3.2.0/de_core_news_sm-3.2.0.tar.gz#egg=de-core-news-sm (from RequirementLine(line_number=1, line='https://github.com/explosion/spacy-models/releases/download/de_core_news_sm-3.2.0/de_core_news_sm-3.2.0.tar.gz#egg=de-core-news-sm', filename=PosixPath('requirements.txt')))
```
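A stdlib-only check that mirrors the rule the error message states (a URL requirement is only auditable under `--no-deps` when its fragment is `egg=<name>==<version>`), added here as an example; it is not pip-audit's own code, and the sample requirements lines are constructed, with the first reusing the URL from the traceback above.

```python
import re
from urllib.parse import parse_qs, urlparse

# A bare URL line ("https://...") or the PEP 508 direct-reference form
# ("name @ https://..."); pip treats both as URL requirements.
_URL_REQ = re.compile(
    r"^(?:(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*)?"
    r"(?P<url>(?:https?|git\+https?|file)://\S+)$"
)
# The fragment form the error message asks for: egg=<name>==<version>.
_PINNED_EGG = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[A-Za-z0-9.!+-]+)$")

def classify(line: str) -> dict:
    """{"kind": "other"} for non-URL lines; for URL requirements, "pinned" is
    True only when the fragment is egg=<name>==<version>, else "reason" says
    why pip-audit --no-deps would reject the line."""
    # Strip trailing comments ('#' at line start or after whitespace) without
    # touching the '#egg=' fragment inside a URL.
    text = re.sub(r"(^|\s)#.*$", "", line).strip()
    m = _URL_REQ.match(text)
    if not m:
        return {"kind": "other"}
    egg = parse_qs(urlparse(m.group("url")).fragment).get("egg", [""])[0]
    if not egg:
        return {"kind": "url", "pinned": False, "reason": "no #egg fragment"}
    pin = _PINNED_EGG.match(egg)
    if not pin:
        return {"kind": "url", "pinned": False,
                "reason": f"egg fragment {egg!r} lacks ==<version>"}
    return {"kind": "url", "pinned": True,
            "name": pin.group("name"), "version": pin.group("version")}

def unpinned_url_requirements(lines):
    """Return (line_number, line, reason) for each URL requirement --no-deps would reject."""
    found = []
    for number, line in enumerate(lines, start=1):
        result = classify(line)
        if result["kind"] == "url" and not result["pinned"]:
            found.append((number, line.strip(), result["reason"]))
    return found

# Constructed sample requirements file: line 1 reuses the unpinned URL from the
# traceback above, line 2 is the same URL in the pinned form the message asks for.
SAMPLE_REQUIREMENTS = [
    "https://github.com/explosion/spacy-models/releases/download/de_core_news_sm-3.2.0/de_core_news_sm-3.2.0.tar.gz#egg=de-core-news-sm",
    "https://github.com/explosion/spacy-models/releases/download/de_core_news_sm-3.2.0/de_core_news_sm-3.2.0.tar.gz#egg=de-core-news-sm==3.2.0",
    "requests==2.28.1  # ordinary pinned requirement, not a URL",
    "mypkg @ https://example.invalid/mypkg-1.0.tar.gz",
]
```

Running `unpinned_url_requirements` over a real requirements file before an audit shows exactly which lines `--no-deps` will refuse, and which egg fragment to add.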

woodruffw (Member) left a comment


LGTM!

@woodruffw woodruffw enabled auto-merge (squash) August 26, 2022 08:56
@woodruffw woodruffw merged commit 7773da8 into main Aug 26, 2022
@woodruffw woodruffw deleted the alex/unpinned-url-requirement branch August 26, 2022 08:58
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Sep 9, 2022
## [2.4.4]

### Changed

* `pip-audit` is now a PyPA member project, and lives under
  [`pypa/pip-audit`](https://github.com/pypa/pip-audit)!

* Improved error message for when unpinned URL requirements are found during an
  audit with the `--no-deps` flag
  ([#355](pypa/pip-audit#355))

### Fixed

* Fixed an issue where packages on PyPI with no published versions trigger a
  dependency resolution failure instead of being skipped
  ([#357](pypa/pip-audit#357))

* Fixed an incorrect assertion triggering for non-editable URL requirements that
  don't have an egg fragment
  ([#359](pypa/pip-audit#359))
Successfully merging this pull request may close these issues.

Cannot audit requirements.txt containing URL dependencies