woodruffw
commented
6 months ago Thanks for the report @cburroughs!
I agree that this warning and error combination are pretty confusing. I'll look at improving them.
Closed cburroughs closed 5 months ago
woodruffw
commented
6 months ago Thanks for the report @cburroughs!
I agree that this warning and error combination are pretty confusing. I'll look at improving them.
woodruffw
commented
6 months ago Root-causing:
--disable-pip turns off pip for dependency resolution. It requires that the input be a requirements file (but not necessarily hashed).--no-deps is one of two sufficient "activation" conditions for --disable-pip (the other being a fully hashed input file or --require-hashes).So: the cause of the confusion here is that --no-deps is sometimes redundant when used with --disable-pip, but not always. Specifically, it's only redundant when the input is fully hashed.
Given that, I think the right move here is to just remove the first warning.
@cburroughs can you confirm that the freeze.out you generated is not hashed?
woodruffw
commented
6 months ago I've opened #719 with the fix here.
cburroughs
commented
6 months ago @cburroughs can you confirm that the freeze.out you generated is not hashed?
Correct
$ head -2 freeze.out
acryl-datahub==0.12.0.5
acryl-datahub-classify==0.0.8Thanks. We'll get #719 merged and do a point release sometime soon after.
tetsuo-cpp
commented
5 months ago @cburroughs This is now available in v.2.6.3.
Bug description
Running with
pip-audit --no-deps --disable-pip -r freeze.outgives the warning:However, that advice leads to:
(Where
freeze.outis the output ofpip freeze)Reproduction steps
See above
Expected behavior
Following the advice from the WARNING doesn't lead to an ERROR.
Platform information
Linux le76 5.15.114-gentoo-x86_64pip-auditversion (pip-audit -V):pip-audit 2.6.2python -Vorpython3 -V):Python 3.10.13pipversion (pip -Vorpip3 -V):pip 23.3.2Additional context
I'm actually trying to audit a pex lock file which has all of the detailed per-platform hashes, but pip-audit doesn't know how to read that format (example.