Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

requirement, test: Correct --fix for subdependencies in requirements files #297

Merged
merged 17 commits into from
Jun 15, 2022

Conversation

tetsuo-cpp
Copy link
Contributor

@tetsuo-cpp tetsuo-cpp commented Jun 14, 2022

Closes #291

  • Figure out test failure on 3.10
  • CHANGELOG

@tetsuo-cpp tetsuo-cpp requested review from woodruffw and di June 14, 2022 15:58
@tetsuo-cpp
Copy link
Contributor Author

Hmm, the tests seem to be failing to install requests in temporary virtual env in 3.10. I'll look into this tomorrow. I think the approach is still fine though.

@tetsuo-cpp tetsuo-cpp requested a review from woodruffw June 15, 2022 14:21
CHANGELOG.md Outdated Show resolved Hide resolved
@woodruffw woodruffw self-assigned this Jun 15, 2022
@woodruffw woodruffw added component:cli CLI components component:dep-sources Dependency sources component:fixes Automatic fixing and removed component:dep-sources Dependency sources labels Jun 15, 2022
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw merged commit 05bfaf1 into main Jun 15, 2022
@woodruffw woodruffw deleted the alex/requirements-fix-subdep branch June 15, 2022 19:37
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jul 3, 2022
## [2.3.4]

### Fixed

* Vulnerability fixing: the `--fix` flag now works for vulnerabilities found in
  requirement subdependencies. A new line is now added to the requirement file
  to explicitly pin the offending subdependency
  ([#297](pypa/pip-audit#297))

## [2.3.3]

### Changed

* CLI: `pip-audit` now warns on the combination of `-s osv` and
  `--require-hashes`, notifying users that only the PyPI service
  can fully verify hashes
  ([#298](pypa/pip-audit#298))

### Fixed

* CLI/Dependency sources: `--cache-dir=...` and other flags that affect
  dependency resolver behavior now work correctly when auditing a
  `pyproject.toml` dependency source
  ([#300](pypa/pip-audit#300))

## [2.3.2] - 2022-05-14

### Changed

* CLI: `pip-audit`'s progress spinner has been refactored to make it
  faster and more responsive
  ([#283](pypa/pip-audit#283))

* CLI, Vulnerability sources: the error message used to report
  connection failures to vulnerability sources was improved
  ([#287](pypa/pip-audit#287))

* Vulnerability sources: the OSV service is now more resilient
  to schema changes ([#288](pypa/pip-audit#288))

* Vulnerability sources: the PyPI service provides a better
  error message during some cases of service degradation
  ([#294](pypa/pip-audit#294))

### Fixed

* Vulnerability sources: a bug stemming from an incorrect assumption
  about OSV's schema guarantees was fixed
  ([#284](pypa/pip-audit#284))

* Caching: `pip-audit` now respects `pip`'s `PIP_NO_CACHE_DIR`
  and will not attempt to use the `pip` cache if present
  ([#290](pypa/pip-audit#290))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component:cli CLI components component:fixes Automatic fixing
Projects
None yet
Development

Successfully merging this pull request may close these issues.

The --fix flag doesn't work for dependencies of top-level requirements
2 participants