Closed cburroughs closed 5 months ago
Thanks for the report @cburroughs!
I agree that this warning and error combination are pretty confusing. I'll look at improving them.
Root-causing:

`--disable-pip` turns off `pip` for dependency resolution. It requires that the input be a requirements file (but not necessarily hashed). `--no-deps` is one of two sufficient "activation" conditions for `--disable-pip` (the other being a fully hashed input file or `--require-hashes`).

So: the cause of the confusion here is that `--no-deps` is sometimes redundant when used with `--disable-pip`, but not always. Specifically, it's only redundant when the input is fully hashed.

Given that, I think the right move here is to just remove the first warning.

@cburroughs can you confirm that the `freeze.out` you generated is not hashed?

I've opened #719 with the fix here.
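The activation rule described above, as an added pre-flight check (example code, not pip-audit's own): it parses a requirements file, decides whether every requirement is hashed, and reports which condition would activate `--disable-pip`, so you can see when `--no-deps` is actually redundant. The sample requirement lines are constructed from the `head -2 freeze.out` output in this thread; the hash digests are placeholders.

```python
# Added example, not pip-audit's own code: a pre-flight check that applies
# the rule above: --disable-pip is activated either by --no-deps or by a
# fully hashed input file, so --no-deps is redundant only in the hashed case.
import re
import shlex
from typing import Iterable

# Well-formed pip hash option: --hash=<algo>:<hex digest>
HASH_OPT = re.compile(r"^--hash=(sha256|sha384|sha512):[0-9a-f]+$")

def requirement_lines(text: str) -> Iterable[str]:
    """Yield logical requirement lines: join backslash continuations, strip
    '#' comments, drop blank lines and option-only lines (-r, --index-url)."""
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical = (logical + line).strip()
        if logical and not logical.startswith("-"):
            yield logical
        logical = ""

def is_fully_hashed(text: str) -> bool:
    """True when every requirement carries at least one well-formed --hash."""
    lines = list(requirement_lines(text))
    return bool(lines) and all(
        any(HASH_OPT.match(tok) for tok in shlex.split(line)[1:]) for line in lines
    )

def disable_pip_activation(text: str, no_deps: bool) -> str:
    """Report which condition would activate --disable-pip for this input."""
    hashed = is_fully_hashed(text)
    if hashed and no_deps:
        return "no-deps-redundant"  # the only case the removed warning fit
    if hashed:
        return "hashed"
    if no_deps:
        return "no-deps"  # unhashed input: --no-deps is what activates it
    return "not-activated"  # neither activation condition is met

# Constructed sample inputs modelled on the `head -2 freeze.out` output above;
# DIGEST is a placeholder, not a real package hash.
DIGEST = "0123456789abcdef" * 4
UNHASHED = "acryl-datahub==0.12.0.5\nacryl-datahub-classify==0.0.8\n"
HASHED = (
    "acryl-datahub==0.12.0.5 \\\n    --hash=sha256:" + DIGEST + "\n"
    "acryl-datahub-classify==0.0.8 --hash=sha256:" + DIGEST + "\n"
)
```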
> @cburroughs can you confirm that the `freeze.out` you generated is not hashed?

Correct

```
$ head -2 freeze.out
acryl-datahub==0.12.0.5
acryl-datahub-classify==0.0.8
```
Thanks. We'll get #719 merged and do a point release sometime soon after.
@cburroughs This is now available in v.2.6.3.
Bug description

Running with `pip-audit --no-deps --disable-pip -r freeze.out` gives the warning:

However, that advice leads to:

(Where `freeze.out` is the output of `pip freeze`)

Reproduction steps

See above

Expected behavior

Following the advice from the WARNING doesn't lead to an ERROR.
Platform information

- Linux le76 5.15.114-gentoo-x86_64
- `pip-audit` version (`pip-audit -V`): pip-audit 2.6.2
- Python version (`python -V` or `python3 -V`): Python 3.10.13
- `pip` version (`pip -V` or `pip3 -V`): pip 23.3.2
Additional context
I'm actually trying to audit a pex lock file which has all of the detailed per-platform hashes, but pip-audit doesn't know how to read that format (example.