
ResolutionImpossible with dataclasses==0.8 in requirements.txt


Bug description

pip-audit fails with ResolutionImpossible when dataclasses==0.8 is in requirements.txt

Reproduction steps

Initialize a conda environment with pip-audit and dump its PIP packages into requirements.txt:

conda create -y -n testaudit -c conda-forge python=3.8 pip-audit=2.1.1
conda activate testaudit
python3 -m pip list --format freeze > requirements.txt

Running pip-audit without considering the requirements.txt file succeeds:

python3 -m pip_audit -f json
No known vulnerabilities found           
{"dependencies": [{"name": "brotlipy", "version": "0.7.0", "vulns": []}, {"name": "cachecontrol", "version": "0.12.11", "vulns": []}, {"name": "certifi", "version": "2021.10.8", "vulns": []}, {"name": "cffi", "version": "1.15.0", "vulns": []}, {"name": "charset-normalizer", "version": "2.0.12", "vulns": []}, {"name": "cryptography", "version": "36.0.2", "vulns": []}, {"name": "cyclonedx-python-lib", "version": "2.3.0", "vulns": []}, {"name": "dataclasses", "version": "0.8", "vulns": []}, {"name": "html5lib", "version": "1.1", "vulns": []}, {"name": "idna", "version": "3.3", "vulns": []}, {"name": "importlib-metadata", "version": "4.11.3", "vulns": []}, {"name": "lockfile", "version": "0.12.2", "vulns": []}, {"name": "msgpack", "version": "1.0.3", "vulns": []}, {"name": "packageurl-python", "version": "0.9.9", "vulns": []}, {"name": "packaging", "version": "21.3", "vulns": []}, {"name": "pip", "version": "22.0.4", "vulns": []}, {"name": "pip-api", "version": "0.0.29", "vulns": []}, {"name": "pip-audit", "version": "2.1.1", "vulns": []}, {"name": "progress", "version": "1.6", "vulns": []}, {"name": "pycparser", "version": "2.21", "vulns": []}, {"name": "pyopenssl", "version": "22.0.0", "vulns": []}, {"name": "pyparsing", "version": "3.0.8", "vulns": []}, {"name": "pysocks", "version": "1.7.1", "vulns": []}, {"name": "requests", "version": "2.27.1", "vulns": []}, {"name": "resolvelib", "version": "0.8.1", "vulns": []}, {"name": "setuptools", "version": "62.1.0", "vulns": []}, {"name": "six", "version": "1.16.0", "vulns": []}, {"name": "toml", "version": "0.10.2", "vulns": []}, {"name": "types-setuptools", "version": "57.4.14", "vulns": []}, {"name": "types-toml", "version": "0.10.6", "vulns": []}, {"name": "typing-extensions", "version": "3.10.0.2", "vulns": []}, {"name": "urllib3", "version": "1.26.9", "vulns": []}, {"name": "webencodings", "version": "0.5.1", "vulns": []}, {"name": "wheel", "version": "0.37.1", "vulns": []}, {"name": "zipp", "version": "3.8.0", 
"vulns": []}], "fixes": []}

Running pip-audit on the requirements.txt exported above fails with ResolutionImpossible on dataclasses==0.8

python3 -m pip_audit -f json -r requirements.txt
Traceback (most recent call last):                  
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 348, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 173, in _add_to_criteria
    raise RequirementsConflicted(criterion)
resolvelib.resolvers.RequirementsConflicted: Requirements conflict: <Requirement('dataclasses==0.8')>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/anaconda/envs/testaudit/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/anaconda/envs/testaudit/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/__main__.py", line 8, in <module>
    audit()
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_cli.py", line 357, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_audit.py", line 66, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_service/interface.py", line 142, in query_all
    for spec in specs:
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_dependency_source/requirement.py", line 98, in collect
    for _, deps in self._resolver.resolve_all(iter(req_values)):
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_dependency_source/interface.py", line 87, in resolve_all
    yield (req, self.resolve(req))
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/resolvelib.py", line 73, in resolve
    result = self.resolver.resolve([req])
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 481, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 350, in resolve
    raise ResolutionImpossible(e.criterion.information)
resolvelib.resolvers.ResolutionImpossible: [RequirementInformation(requirement=<Requirement('dataclasses==0.8')>, parent=None)]

For background, the goal is to audit all the conda environments on a machine. A new conda environment was created to host pip-audit without modifying existing conda environments. pip list is used in each conda environment to export the list of packages and this list is then audited by running pip-audit inside its own (isolated) conda environment. Not sure this is the best way to do it – this looked like the least invasive way. Maybe pip-audit could have an option to skip package resolution since pip list should have taken care of that already.

Expected behavior

pip-audit succeeds both when using requirements.txt and when not.

Screenshots and logs

Tail of logs when running pip-audit with --verbose:

DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/dataclasses" in the cache
DEBUG:cachecontrol.controller:Returning cached permanent redirect response (ignoring date and etag information)
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/dataclasses/" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 352
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 600
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:600 > 352
Traceback (most recent call last):
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 348, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 173, in _add_to_criteria
    raise RequirementsConflicted(criterion)
resolvelib.resolvers.RequirementsConflicted: Requirements conflict: <Requirement('dataclasses==0.8')>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/anaconda/envs/testaudit/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/anaconda/envs/testaudit/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/__main__.py", line 8, in <module>
    audit()
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_cli.py", line 357, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_audit.py", line 66, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_service/interface.py", line 142, in query_all
    for spec in specs:
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_dependency_source/requirement.py", line 98, in collect
    for _, deps in self._resolver.resolve_all(iter(req_values)):
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_dependency_source/interface.py", line 87, in resolve_all
    yield (req, self.resolve(req))
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/resolvelib.py", line 73, in resolve
    result = self.resolver.resolve([req])
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 481, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/anaconda/envs/testaudit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 350, in resolve
    raise ResolutionImpossible(e.criterion.information)
resolvelib.resolvers.ResolutionImpossible: [RequirementInformation(requirement=<Requirement('dataclasses==0.8')>, parent=None)]

Platform information

  • OS name and version: Linux Ubuntu 18.04.6 LTS
  • pip-audit version (pip-audit -V): 2.1.1
  • Python version (python -V or python3 -V): 3.8.13
  • pip version (pip -V or pip3 -V): 22.0.4
  • conda version: 4.12.0

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 8 (5 by maintainers)

Top GitHub Comments

mmaitre314 commented, Apr 28, 2022

An option to disable dependency resolution would be great. Here is the requirement.txt associated with the setup above:

brotlipy==0.7.0
CacheControl==0.12.11
certifi==2021.10.8
cffi==1.15.0
charset-normalizer==2.0.12
cryptography==36.0.2
cyclonedx-python-lib==2.3.0
dataclasses==0.8
html5lib==1.1
idna==3.3
importlib-metadata==4.11.3
lockfile==0.12.2
msgpack==1.0.3
packageurl-python==0.9.9
packaging==21.3
pip==22.0.4
pip-api==0.0.29
pip-audit==2.1.1
progress==1.6
pycparser==2.21
pyOpenSSL==22.0.0
pyparsing==3.0.8
PySocks==1.7.1
requests==2.27.1
resolvelib==0.8.1
setuptools==62.1.0
six==1.16.0
toml==0.10.2
types-setuptools==57.4.14
types-toml==0.10.6
typing-extensions==3.10.0.2
urllib3==1.26.9
webencodings==0.5.1
wheel==0.37.1
zipp==3.8.0

And minimal requirements.txt:

dataclasses==0.8

mmaitre314 commented, Apr 29, 2022

It looks like this is by-design in conda where dataclasses has been special-cased and the package is conda-only for Python >= 3.7: https://conda-forge.org/docs/maintainer/knowledge_base.html#empty-python-packages . Treating as dupe of #168 .
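
The workflow requested in this thread, auditing an already-resolved list of exact pins without re-resolving it against PyPI, can be sketched as follows. This is an added example, not pip-audit's code or anything posted in the issue; it assumes OSV's public `querybatch` endpoint, and the sample input is constructed.

```python
import json
import re
import urllib.request

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"  # assumption: OSV public batch API
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;#]+)$")

# Constructed sample in `pip list --format freeze` style, plus one unpinned line.
SAMPLE = """\
# exported from a conda environment
dataclasses==0.8
pyOpenSSL==22.0.0
types-setuptools==57.4.14
requests>=2.0
"""

def parse_pins(text):
    """Return (pins, rejected): exact name==version pins and lines that are not pins."""
    pins, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN.match(line)
        if m:
            # PEP 503 normalization so "pyOpenSSL" and "pyopenssl" compare equal
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins.append((name, m.group(2)))
        else:
            # ranges, markers, URLs: cannot be audited without resolution
            rejected.append(line)
    return pins, rejected

def osv_batch_payload(pins):
    """Build the OSV querybatch body: one query per pinned PyPI package."""
    return {"queries": [{"package": {"name": n, "ecosystem": "PyPI"}, "version": v}
                        for n, v in pins]}

def query_osv(pins):
    """POST the batch to OSV (network); returns {(name, version): [vuln ids]}."""
    req = urllib.request.Request(OSV_BATCH_URL,
                                 data=json.dumps(osv_batch_payload(pins)).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        results = json.load(resp)["results"]
    return {pin: [v["id"] for v in r.get("vulns", [])] for pin, r in zip(pins, results)}

if __name__ == "__main__":
    pins, rejected = parse_pins(SAMPLE)
    print("unpinned, not audited:", rejected)
    print(query_osv(pins))
```

Because nothing is resolved, a conda-only stub such as `dataclasses==0.8` is simply looked up by name and version, and any line that is not an exact pin is reported instead of silently skipped.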
