_dependency_source, _cli, test: Do not override pip.conf unless explicitly specified via flags
#565
Conversation
| @@ -286,7 +285,6 @@ def _parser() -> argparse.ArgumentParser: # pragma: no cover | |||
| type=str, | |||
| help="base URL of the Python Package Index; this should point to a repository compliant " | |||
| "with PEP 503 (the simple repository API)", | |||
| default=PYPI_URL, | |||
There was a problem hiding this comment.
I think we want to keep this default in the CLI -- behaviorally it should remain the default, and having it appear as such in the --help render makes for a nicer UX 🙂
There was a problem hiding this comment.
So leaving this as the default means that it will always be explicitly passed to the pip install CLI, which results in the index-url specified in the pip.conf being ignored. I understand that it makes for a more friendly UX to specify as such, but would it be reasonable to convey that the url will be resolved by pip if not passed by the user explicitly?
If this is a deal breaker though, then I'll have to dig deeper into pip to determine how it is performing the index-url resolution.
There was a problem hiding this comment.
So leaving this as the default means that it will always be explicitly passed to the
pip installCLI, which results in theindex-urlspecified in thepip.confbeing ignored. I understand that it makes for a more friendly UX to specify as such, but would it be reasonable to convey that the url will be resolved bypipif not passed by the user explicitly?
That sounds reasonable to me!
| self, filename: Path, index_urls: list[str] = [PYPI_URL], state: AuditState = AuditState() | ||
| self, | ||
| filename: Path, | ||
| index_url: str = "", |
There was a problem hiding this comment.
Similar typestate nit here: maybe drop the default "" here (or make it PYPI_URL), since we always expect a valid URL?
There was a problem hiding this comment.
Sorry, this was a misunderstanding on my part! I think we want this to be:
| index_url: str = "", | |
| index_url: str | None = None, |
There was a problem hiding this comment.
Yep, I'd prefer this too.
| @@ -47,7 +46,8 @@ def __init__( | |||
| require_hashes: bool = False, | |||
| no_deps: bool = False, | |||
| skip_editable: bool = False, | |||
| index_urls: list[str] = [PYPI_URL], | |||
| index_url: str = "", | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
| index_url: str = "", | |
| index_url: str | None = None, |
pip_audit/_virtual_env.py
Outdated
| @@ -44,7 +43,8 @@ class VirtualEnv(venv.EnvBuilder): | |||
| def __init__( | |||
| self, | |||
| install_args: list[str], | |||
| index_urls: list[str] = [PYPI_URL], | |||
| index_url: str = "", | |||
There was a problem hiding this comment.
Oh, this explains it! Rather than using an empty string as falsey, let's make this an optional type:
| index_url: str = "", | |
| index_url: str | None = None, |
...since that'll better convey the valid states here.
|
Thanks a ton for opening this, @philblckwd! This looks great to me structurally; just a few small nitpicks 🙂 |
woodruffw
added
enhancement
|
(This also needs a |
|
I'm also happy with where this is at. Once the help text is amended and those type state related comments are addressed, this should be good to go. Thanks again for your work. We really appreciate it. |
|
@philblckwd One more thing. We have a check in CI to ensure that the help text that we display in the README is up to date. So once you've amended the help text for |
… defined in 'pip.conf' unless explicitly specified via flags.
philblckwd
force-pushed
the
feature/index-url-usage
branch
from
1308173
to
e01b2f3
Compare
|
Per feedback:
|
This reverts commit 54d7ce9.
tetsuo-cpp
changed the title
pip.conf unless explicitly specified via flags
|
I'll merge this shortly after I've done a bit of testing locally. |
|
Thanks @philblckwd! |
## [2.5.4] ### Changed * Refactored `index-url` option to not override user pip config by default, unless specified ([#565](pypa/pip-audit#565)) ### Fixed * Fixed bug with the `--fix` flag where new requirements were sometimes being appended to requirement files instead of patching the existing requirement ([#577](pypa/pip-audit#577)) * Fixed a crash caused by auditing requirements files that refer to other requirements files ([#568](pypa/pip-audit#568)) ## [2.5.3] ### Changed * Further simplified `pip-audit`'s dependency resolution to remove inconsistent behaviour when using hashed requirements or the `--no-deps` flag ([#540](pypa/pip-audit#540)) ### Fixed * Fixed a crash caused by invalid UTF-8 sequences in subprocess outputs ([#572](pypa/pip-audit#572)) ## [2.5.2] ### Fixed * Fixed a loose dependency constraint for CycloneDX SBOM generation ([#558](pypa/pip-audit#558))
Refactor index-url and extra-index-url options to not override config defined in 'pip.conf' unless explicitly specified via flags.
Closes #563