
unsafe-package is not overriding the default list of packages #1756

Closed
mmerickel opened this issue Dec 7, 2022 · 3 comments · Fixed by #1766
Labels
bug Something is not working writer Related to results output writer component

Comments


mmerickel commented Dec 7, 2022

$ pip-compile --help
  --unsafe-package TEXT           Specify a package to consider unsafe; may be
                                  used more than once. Replaces default unsafe
                                  packages: distribute, pip, setuptools

Environment Versions

  1. OS Type: macos 13.0.1
  2. Python version: 3.9.7
  3. pip version: 22.3.1
  4. pip-tools version: 6.11.0

Steps to replicate

  1. define foo.in:
     pyramid
  2. pip-compile --unsafe-package pip foo.in

Expected result

Pinned setuptools.

Actual result

Unpinned setuptools.

Below are the commands with and without --unsafe-package; note that the output is the same.

❯ pip-compile foo.in
WARNING: using legacy resolver is deprecated and will be removed in future versions. The default resolver will be change to 'backtracking' in 7.0.0 version. Specify --resolver=backtracking to silence this warning.
#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile foo.in
#
hupper==1.10.3
    # via pyramid
pastedeploy==3.0.1
    # via plaster-pastedeploy
plaster==1.1.2
    # via
    #   plaster-pastedeploy
    #   pyramid
plaster-pastedeploy==1.0.1
    # via pyramid
pyramid==2.0
    # via -r foo.in
translationstring==1.4
    # via pyramid
venusian==3.0.0
    # via pyramid
webob==1.8.7
    # via pyramid
zope-deprecation==4.4.0
    # via pyramid
zope-interface==5.5.2
    # via pyramid

# The following packages are considered to be unsafe in a requirements file:
# setuptools
❯ pip-compile --unsafe-package pip foo.in
WARNING: using legacy resolver is deprecated and will be removed in future versions. The default resolver will be change to 'backtracking' in 7.0.0 version. Specify --resolver=backtracking to silence this warning.
#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --unsafe-package=pip foo.in
#
hupper==1.10.3
    # via pyramid
pastedeploy==3.0.1
    # via plaster-pastedeploy
plaster==1.1.2
    # via
    #   plaster-pastedeploy
    #   pyramid
plaster-pastedeploy==1.0.1
    # via pyramid
pyramid==2.0
    # via -r foo.in
translationstring==1.4
    # via pyramid
venusian==3.0.0
    # via pyramid
webob==1.8.7
    # via pyramid
zope-deprecation==4.4.0
    # via pyramid
zope-interface==5.5.2
    # via pyramid

# The following packages are considered to be unsafe in a requirements file:
# setuptools

Note that if I use --allow-unsafe then everything ends up pinned, including pip in my env, where pip gets included as well. Specifically, pip-tools itself depends on pip, and we have pip-tools in one of our requirements files.

Also note that it says Python 3.10 was used which is incorrect. Opening a separate issue for this.

@atugushev atugushev added bug Something is not working backwards incompatible Backwards incompatible change writer Related to results output writer component and removed backwards incompatible Backwards incompatible change labels Dec 11, 2022
atugushev (Member) commented Dec 11, 2022

That's a bug. Apparently we forgot to filter out customised unsafe packages in writer:

# piptools/writer.py (6.11.0): whenever the resolver hands the writer an empty
# set of unsafe requirements, the writer falls back to the hard-coded default
# list (UNSAFE_PACKAGES) instead of the names given with --unsafe-package
unsafe_requirements = (
    {r for r in results if r.name in UNSAFE_PACKAGES}
    if not unsafe_requirements
    else unsafe_requirements
)
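
To make the fallback concrete, here is an added Python model of the selection logic, written for this page and not pip-tools code (`Req`, `select_unsafe_buggy`, `select_unsafe_fixed`, `names`, `unsafe_names_in_output` and `check_unsafe_override` are hypothetical names; the resolved set and the setuptools version are constructed samples). It reproduces the issue above (a custom list of `pip` that matches nothing reverts to the defaults, so setuptools is left unpinned), shows the selection the `--help` text promises, and parses the unsafe trailer of a compiled file so a CI step can assert that only the packages named with `--unsafe-package` were left unpinned.

```python
"""Added illustration of the writer fallback above, not pip-tools code.

`Req`, `select_unsafe_buggy`, `select_unsafe_fixed`, `names`,
`unsafe_names_in_output` and `check_unsafe_override` are hypothetical names.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# The default list quoted by `pip-compile --help`.
DEFAULT_UNSAFE_PACKAGES = frozenset({"distribute", "pip", "setuptools"})

# Header pip-compile writes above the packages it treats as unsafe.
UNSAFE_HEADER = "# The following packages are considered to be unsafe in a requirements file:"


@dataclass(frozen=True)
class Req:
    """Minimal stand-in for a resolved requirement (hypothetical shape)."""

    name: str
    version: str


def select_unsafe_buggy(results: set[Req], unsafe_requirements: set[Req]) -> set[Req]:
    """Selection as in the writer fragment above (pip-tools 6.11.0).

    When the resolver hands the writer an empty set (nothing in `results`
    matched the custom --unsafe-package list), the writer silently falls
    back to the hard-coded defaults instead of honouring the custom list.
    """
    return (
        {r for r in results if r.name in DEFAULT_UNSAFE_PACKAGES}
        if not unsafe_requirements
        else unsafe_requirements
    )


def select_unsafe_fixed(results: set[Req], unsafe_packages: Optional[Iterable[str]]) -> set[Req]:
    """What the --help text promises: a custom list replaces the defaults."""
    custom = frozenset(unsafe_packages or ())
    effective = custom if custom else DEFAULT_UNSAFE_PACKAGES
    return {r for r in results if r.name in effective}


def names(reqs: Iterable[Req]) -> set[str]:
    """Project names of a set of requirements, for readable comparisons."""
    return {r.name for r in reqs}


def unsafe_names_in_output(compiled: str) -> set[str]:
    """Package names listed under the unsafe trailer of a compiled file.

    Without --allow-unsafe the trailer holds commented names ("# setuptools");
    with it the names are written pinned ("setuptools==65.6.3") followed by
    indented "# via" lines, which are skipped here.
    """
    found: set[str] = set()
    in_trailer = False
    for line in compiled.splitlines():
        if line.strip() == UNSAFE_HEADER:
            in_trailer = True
            continue
        if not in_trailer or not line or line[0].isspace():
            continue
        if line.startswith("#"):
            found.add(line.lstrip("# ").strip())
        else:
            found.add(line.split("==", 1)[0].strip())
    return found


def check_unsafe_override(compiled: str, unsafe_packages: Iterable[str]) -> set[str]:
    """Names pip-compile left unpinned that were NOT in the custom list.

    A non-empty result is the symptom reported in this issue: the custom
    list was not honoured and the default names leaked through.
    """
    return unsafe_names_in_output(compiled) - set(unsafe_packages)


# Constructed sample: a resolved set like the one behind the output quoted in
# this issue; the setuptools version is illustrative only.
RESULTS = {
    Req("pyramid", "2.0"),
    Req("webob", "1.8.7"),
    Req("zope-interface", "5.5.2"),
    Req("setuptools", "65.6.3"),
}

# Constructed sample: the tail of the `--unsafe-package pip` output quoted above.
SAMPLE_OUTPUT = """\
zope-interface==5.5.2
    # via pyramid

# The following packages are considered to be unsafe in a requirements file:
# setuptools
"""

if __name__ == "__main__":
    # The resolver filtered by the custom list {"pip"} and matched nothing.
    from_resolver = {r for r in RESULTS if r.name in {"pip"}}
    print("buggy :", names(select_unsafe_buggy(RESULTS, from_resolver)))  # {'setuptools'}
    print("fixed :", names(select_unsafe_fixed(RESULTS, {"pip"})))        # set()
    print("leaked:", check_unsafe_override(SAMPLE_OUTPUT, {"pip"}))       # {'setuptools'}
```

Run `check_unsafe_override` over the file pip-compile actually produced, passing the same names you gave to `--unsafe-package`; anything it returns is a package that was left unpinned without you asking for it, which is worth failing a build on since an unpinned setuptools is exactly the kind of drift a compiled requirements file is meant to prevent.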

mmerickel (Author) commented:

Thank you @atugushev!

atugushev (Member) commented:

Released as part of pip-tools 6.12.0. Thanks to @q0w!
