
Use pip's new --dry-run and --report flags #321

Closed
woodruffw opened this issue Jul 15, 2022 · 9 comments
Labels
enhancement New feature or request

Comments

@woodruffw
Member

On sufficiently new pip versions (not yet released), these flags will allow us to punt all dependency resolution directly to pip and retrieve a corresponding JSON report.

pip-audit should detect and support these versions of pip, leveraging their "official" dependency resolution flow rather than our internal one.

See pypa/pip#10771.

@woodruffw woodruffw added the enhancement New feature or request label Jul 15, 2022
@woodruffw
Member Author

Looks like pip 22.2 includes this functionality, meaning that we can use it now:

https://pip.pypa.io/en/stable/reference/installation-report/

@di
Member

di commented Jul 21, 2022

Should most of this support happen in pip-api instead though?

@woodruffw
Member Author

I think so, yeah -- I figure we'll probably want a pip_api.report API that mirrors the functionality.

@di
Member

di commented Jul 21, 2022

Reminder that the goal of pip-audit is to be a drop-in replacement for pip's internal APIs. So whatever the function/API is that pip uses internally is what we should mimic in pip-api... I haven't looked but this is probably some type of install function instead.

@woodruffw
Member Author

Whoops, you're right. I misread --report as a top-level flag on pip itself, not pip install --report.

@woodruffw
Member Author

Opened di/pip-api#153 on pip-api to track.

@pradyunsg
Member

pradyunsg commented Jul 25, 2022

FWIW, I wouldn’t bother with mirroring pip’s internals when using the installation report. pip-audit should be able to use the report format directly — when integrating into pip, it should be fairly straightforward to use the resolution report from within pip instead (or convert the objects into the relevant format). I’ll defer to you all for judging the right place to implement the subprocess call and JSON parse right now. :)

The point of the report flag (along with dry run) is to make developing such pieces of functionality easier, outside of pip without needing to reinvent aspects of it. FWIW, there’s also pip inspect, which should allow replacing all the introspection logic for venvs with a subprocess call + JSON parse as well.
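The "subprocess call + JSON parse" approach described in the comment above, as an added example that is not code from pip-audit, pip-api or pip: it builds the `pip install --dry-run --report -` command and parses the resulting installation report (format version "1") into name/version pairs. The embedded report is a constructed sample in the documented shape, not real pip output.

```python
"""Resolve-only dependency listing via pip's installation report."""
import json
import subprocess
import sys
from typing import List, Tuple

# Constructed sample in the shape of pip's installation report (version "1").
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "pip_version": "22.2",
    "install": [
        {"metadata": {"name": "requests", "version": "2.28.1"},
         "is_direct": False, "requested": True},
        {"metadata": {"name": "urllib3", "version": "1.26.10"},
         "is_direct": False, "requested": False},
        {"metadata": {"name": "my-local-pkg", "version": "0.1"},
         "is_direct": True, "requested": True,
         "download_info": {"url": "file:///tmp/my-local-pkg"}},
    ],
    "environment": {"implementation_name": "cpython"},
})


def pip_report_command(requirements: List[str], python: str = sys.executable) -> List[str]:
    """argv for a resolve-only pip run; '--report -' writes the JSON report to stdout."""
    return [python, "-m", "pip", "install", "--dry-run", "--report", "-",
            "--quiet", *requirements]


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Extract (name, version) for every package pip would install."""
    report = json.loads(text)
    if report.get("version") != "1":
        # Refuse to guess at a report layout this parser was not written for.
        raise ValueError(f"unsupported installation report version: {report.get('version')!r}")
    pairs = []
    for item in report.get("install", []):
        meta = item["metadata"]
        pairs.append((meta["name"], meta["version"]))
    return pairs


def resolve_with_pip(requirements: List[str]) -> List[Tuple[str, str]]:
    """Run pip (requires network/index access) and parse what it would install."""
    proc = subprocess.run(pip_report_command(requirements),
                          capture_output=True, text=True, check=True)
    return parse_report(proc.stdout)


if __name__ == "__main__":
    print(parse_report(SAMPLE_REPORT))
```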

@di
Member

di commented Jul 25, 2022

Thanks @pradyunsg! Since the ultimate goal of pip-api is to get people to stop using pip's internal API by providing an equivalent API that wraps the CLI instead, it's important for pip-api to mimic that as much as possible.

Also, when integrating into pip, being able to easily replace calls to pip-api with calls from within pip should make integration easier -- but if I'm missing something, definitely let me know.

@woodruffw
Member Author

This is done as of #523.
