-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Option to skip dependencies with empty PyPI listing. #211
Conversation
Overall structure looks good here, thanks! FWIW, I agree with the comment you left on #210 (comment): a separate cc @di for signoff: I think this is also a reasonable solution to #209 that won't be overly invasive. |
I'm working to update the PR. I may have to tweak it a bit. Where the exception is handled now, the top-level package (e.g. django-admin-inline-paginator) will be marked as skipped, while we only want to skip the dependency that had no links (e.g. pkg_resources). Also, the name of the flag needs to be updated to reflect its effects. I was thinking to make it |
In the end, I had to take a slightly more complicated approach. Because resolvelib doesn't have provisions for changing it's behaviour when we feed it with an empty dependency list to choose from, I resorted to feeding it with a fake candidate, and then handling the fake appropriately, before and after resolvelib is invoked. I have added a new exception that will be thrown if the new flag is not specified and an empty PyPI listing occurs. This is mostly informational, to tell apart from a generic I have checked with the test case of #197 (where the cause of failure is different), and the two cases are not confused. I.e. #197 will still throw the same error even when
|
A notable case of this is pkg_resources==0.0.0 which is installed by Debian's pip distribution. Currently resolvelib does not support skipping a dependency when presented with an empty candidates list for it. So, the only viable way to achieve the desired effect is to inject a fake candidate to make resolvelib happy, and add appropriate handling code for it on the pip-audit side. Exposed to cli via the --skip-empty flag.
Some thoughts: While this works for the narrow case of I think this change would make sense if we made it more generalizable as an option to skip resolution for any dependency that isn't resolvable for whatever reason. We would still check if there is a known vulnerability or not, but wouldn't attempt to continue resolution for it. This would be similar to #139, #145, #162, etc. |
Sounds reasonable. I'll update the PR within the next few days. |
Sorry for the delay. I'm in the middle of moving to a new place, so my free time is less than expected. I will pick this up the soonest possible. |
I'm going to close this for now, but feel free to start a new PR if you are able to revisit! |
Adds a cli and resolvelib option to allow pip-audit continue running when resolvelib deems a package as unresolvable.
This notably happens when a package links page exists, but is empty (e.g. https://pypi.org/simple/pkg_resources/).
Fixes #210.
Nit: Avoid redirection from https://pypi.org/simple/PROJECT to https://pypi.org/simple/PROJECT/.