pip, _fix: Implement --fix for PipSource
#212
Conversation
|
This is a proof-of-concept. There's a bit of cleanup and UX to figure out like how to notify users what upgrades took place. But this is the general idea I'm going for. It upgrades Flask 0.5 to Flask 1.0 successfully. The main deviation from what we discussed earlier is that instead of doing My reasoning behind this is that the latest version of a package can have a reported vulnerability so blindly doing @woodruffw and @di, what do you think about this approach? |
This reasoning makes sense to me, and the underlying algorithm makes sense to me as well! |
|
Overall structure looks good to me! In terms of notifying users, I was thinking that we'd amend our normal output. Without With In particular, both our columnar and JSON formats should support emitting a summary of the fixes performed (and those skipped, including the reason the fix failed). How does that sound? |
|
I agree we should apply the "minimum" fix here. Let's think about exit codes as well: should |
Yep, that's a good plan. In the interest of not letting this PR accumulate too much code, I'll make separate issues for these and follow up.
Yeah I agree with this. I think the exit codes should work differently with |
|
The CI breakage is due to #213 |
pip_audit/_dependency_source/pip.py
Outdated
| fix_cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL | ||
| ) | ||
| except subprocess.CalledProcessError as cpe: | ||
| raise PipSourceError( |
There was a problem hiding this comment.
Nitpick: we might want to consider creating a specialized DependencyFixError that each dependency source in turn specializes.
So the hierarchy would be: DependencySourceError -> DependencyFixError -> PipFixError | RequirementFixError.
|
LGTM overall! I'm going to make the exception refactor I mentioned in #212 (review) and then pull the trigger on this. |
### Added * CLI: The `--fix` flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available ([#212](pypa/pip-audit#212), [#222](pypa/pip-audit#222)) * CLI: The combination of `--fix` and `--dry-run` is now supported, causing `pip-audit` to perform the auditing step but not any resulting fix steps ([#223](pypa/pip-audit#223)) * CLI: The `--require-hashes` flag has been added which can be used in conjunction with `-r` to check that all requirements in the file have an associated hash ([#229](pypa/pip-audit#229)) * CLI: The `--index-url` flag has been added, allowing users to use custom package indices when running with the `-r` flag ([#238](pypa/pip-audit#238)) * CLI: The `--extra-index-url` flag has been added, allowing users to use multiple package indices when running with the `-r` flag ([#238](pypa/pip-audit#238)) ### Changed * `pip-audit`'s minimum Python version is now 3.7. * CLI: The default output format is now correctly pluralized ([#221](pypa/pip-audit#221)) * Output formats: The SBOM output formats (`--format=cyclonedx-xml` and `--format=cyclonedx-json`) now use CycloneDX [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/) ([#216](pypa/pip-audit#216)) * Vulnerability sources: When using PyPI as a vulnerability service, any hashes provided in a requirements file are checked against those reported by PyPI ([#229](pypa/pip-audit#229)) * Vulnerability sources: `pip-audit` now uniques each result based on its alias set, reducing the amount of duplicate information in the default columnar output format ([#232](pypa/pip-audit#232)) * CLI: `pip-audit` now prints its output more frequently, including when there are no discovered vulnerabilities but packages were skipped. Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted unconditionally ([#240](pypa/pip-audit#240)) ### Fixed * CLI: A regression causing excess output during `pip audit -r` was fixed ([#226](pypa/pip-audit#226))
Closes #82