CribberSix
commented
11 months ago Is this the same case as with the current urllib3 security advisory?
Open woodruffw opened 1 year ago
CribberSix
commented
11 months ago Is this the same case as with the current urllib3 security advisory?
woodruffw
commented
11 months ago Is this the same case as with the current urllib3 security advisory?
I'm not sure, you'll need to be more specific. Can you share the advisory ID?
Edit: and are you using pip-audit in "environment" mode?
CribberSix
commented
11 months ago ID: GHSA-v845-jxx5-vc9f
I suppose not, we are using it as a pre-commit hook without any args.
woodruffw
commented
11 months ago I suppose not, we are using it as a pre-commit hook without any args.
That's the environment mode 🙂
Could you try running with a requirements file or other dependency source instead, and seeing if this reproduces? This may indeed be a false positive from our own dependencies.
CribberSix
commented
11 months ago If I run pip_audit in my local venv (that I use during development - created by poetry), it doesn't flag the above id - it only flags some other ids which I expected (and ignore in the pre-commit hook).
So I guess that means it's not an issue with pip-audit itself, but with my pre-commit hook setup.
woodruffw
commented
11 months ago Yeah, that sounds likely. Are you using pre-commit to run other tasks that might pull urllib3 in?
CribberSix
commented
11 months ago Black/flake8/isort/bandit ... probably the culprit is there. Sorry to bother you with this! I suppose it's one of them. Disregard my comments :D
Raised by @esultanik.
We need to think a bit more about if/how we'd like to do this, but in terms of user experience: some users might find it confusing that running
pip-audit(i.e. bare, auditing the current environment) is also likely to auditpip-audit's own dependencies.This is confusing on two levels:
pip-auditwill occasionally produce findings on its own dependencies, like the recent security advisory onrequests.