Running globally installed pip-audit from within a virtualenv produces unintuitive results #450
Comments
Agreed this is a bug on our side; IMO a warning probably makes the most sense for now (since implicitly jumping into a user's virtual environment with a globally installed package may also be surprising, and may not always function correctly). Longer term, we might want to support some kind of
Just for visibility: the source of the unintuitive behavior here is the fact that This results in the following behavior:
Again for visibility: a temporary workaround for the unintuitive behavior is to set PIPAPI_PYTHON_LOCATION=$(which python) pip-audit
Closes #450. Signed-off-by: William Woodruff <william@trailofbits.com>
* pip_audit, test: warn on Python path confusion Closes #450. Signed-off-by: William Woodruff <william@trailofbits.com>
* pip_audit, test: refactor check to use VIRTUAL_ENV Signed-off-by: William Woodruff <william@trailofbits.com>
* pip_audit: remove commented code Signed-off-by: William Woodruff <william@trailofbits.com>
* pip_audit, test: lintage Signed-off-by: William Woodruff <william@trailofbits.com>
* CHANGELOG: record changes Signed-off-by: William Woodruff <william@trailofbits.com>
* _cache: Remove remaining "Warning" prefix in log line
* _cli: refactor logging (#452)
* _cli: refactor logging This is inspired by the refactor in sigstore/sigstore-python#372. Signed-off-by: William Woodruff <william@trailofbits.com>
* README: update `pip-audit --help` Signed-off-by: William Woodruff <william@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com>
* treewide: prep 2.4.11 (#453) Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Alex Cameron <asc@tetsuo.sh>
Bug description
If you have a globally installed pip-audit (e.g. from brew install pip-audit), and then run it inside a virtualenv environment, the results are confusing.
Reproduction steps
brew install pip-audit
python -m virtualenv venv
venv/bin/activate
pip-audit
Expected behavior
Either it scans the packages installed inside the virtual environment, or at least emits a warning or an error.
Platform information
pip-audit version (pip-audit -V): pip-audit 2.4.10
Python version (python -V or python3 -V): Python 3.10.9
pip version (pip -V or pip3 -V): pip 22.3.1 from /Users/alex_gaynor/projects/cryptography/.venv/lib/python3.10/site-packages/pip (python 3.10)