-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Poetry via poetry.lock
#84
Comments
Overall, I think Poetry users would probably be better served by a If that happens, we should probably explore renaming this to |
Or, spinning out generic functionality into |
This makes sense to me -- it looks like From there, |
I think we can definitely acquire |
I hoped to use pip-audit in our internal poetry-based project, but I can't without the support for poetry.lock (which, as you can see in the PR, is quite short). having |
I currently export from poetry to requirements.txt, then process the file:
But there is an issue (described in python-poetry/poetry-plugin-export#129 and python-poetry/poetry-plugin-export#157) when the requirements.txt file contains lines like this (I removed the hashes for readability):
pip-audit complains about duplicate requirements:
Note that the poetry team does not consider this as a bug in the Is there a workaround? Should I open a dedicated issue for that? |
see pypa/pip-audit#84 (comment) in particular
* chore: 🤖 ensure poetry uses the local python version * feat: 🎸 upgrade the dependencies of the libs also: use poetry 1.2.2, and replace safety with pip-audit * fix: 🐛 remove dependency to old pymongo[srv] version it's now included in mongoengine. we had to use this dependency to use mongo URL with "+srv" * feat: 🎸 upgrade all the other projects replacing safety with pip-audit, upgrading the dependencies, after rewriting poetry.lock with poetry 1.2 * feat: 🎸 upgrade docker images * chore: 🤖 upgrade poetry in dockerfiles * chore: 🤖 fix dependencies issues in workers * ci: 🎡 try to fix pip-audit see pypa/pip-audit#84 (comment) in particular * feat: 🎸 update docker images
Yeah, could you open a separate issue for that? We generally try to match the same restrictions that |
It would be great to have |
The latest version of see #564 |
I realize this is a somewhat complex issue but I was thinking that it might good to have at least some basic support because right now
That second case in particular seems like somewhat dangerous since it looks like it's doing something but it's only fixing the developer's local install, to the point where I think it might be preferable if I appreciate the challenge around supporting external tools like Poetry. Since #402 doesn't support the fix mode anyway, I was almost wondering whether it would make sense to only touch Poetry's external interface by using the output of |
Thanks for bringing this up @acdha! Long term, I think our plan is still to encourage this by devolving
I'm hesitant to do this: it requires us to shell out to a command that we don't actually have a dependency on. I don't know Poetry well enough to have a well-formed opinion here, but I'm also concerned that detecting based on In terms of nudging these users away from potentially misleading invocations, I'm thinking that maybe it makes sense to emit a warning on What do you think about that? That doesn't improve our support story, unfortunately, but it better clarifies what users should expect from |
That definitely makes sense – I appreciate the concerns about tighter coupling to someone else's project, especially since they rather disappointingly rejected the idea of including an The other related change I was thinking might be useful is making it clear what's being inspected – it seems a little too easy to run |
Strongly agreed! I'd prefer it go to Would you be interested in making a PR for that, along with a change to warn users about potentially unintuitive behavior when run on a Poetry-based project directory? No problem if not, I should have some free time to make these changes in the coming days. |
I’m a little busy this week but we could use that at work. Let me take a stab at it. |
* chore: 🤖 ensure poetry uses the local python version * feat: 🎸 upgrade the dependencies of the libs also: use poetry 1.2.2, and replace safety with pip-audit * fix: 🐛 remove dependency to old pymongo[srv] version it's now included in mongoengine. we had to use this dependency to use mongo URL with "+srv" * feat: 🎸 upgrade all the other projects replacing safety with pip-audit, upgrading the dependencies, after rewriting poetry.lock with poetry 1.2 * feat: 🎸 upgrade docker images * chore: 🤖 upgrade poetry in dockerfiles * chore: 🤖 fix dependencies issues in workers * ci: 🎡 try to fix pip-audit see pypa/pip-audit#84 (comment) in particular * feat: 🎸 update docker images
We habe the same issue. Any news here? |
I don't think so. My PR #402 is floating in space: |
This is so sad. |
For poetry projects, you have 2 options:
If poetry isn't a requirement, you can use pip-tools or uv to generate and manage a constraints.txt lock file from pyproject.toml-based projects (I personally use flit). It works great but requires a bit more boilerplate than poetry. The uv team is on their way to fix it, I'm looking forward to it. |
The statue quo is this:
TL;DR: @orsinium's recommendations are right: if you want to use this with Poetry or another non-standard Python packaging tool, you need to first export your dependencies into a format that the standard tools use: either a standard Alternatively, you can always run In the short term, there are two things that a contributor could do to help out here:
If anybody is interested in sending a PR for either of those, I would be happy to review it. |
@woodruffw Thank you for your explanation. That made many things much clearer. Could you explain, for general understanding, why pip-audit has a problem with these kinds of duplicate dependencies where one uses extras and the other does not? |
Breakout from #73.
The text was updated successfully, but these errors were encountered: