
Incompatibility with packaging>=22.0: cannot import name 'LegacyVersion' from 'packaging.version' #426

Closed
haydngreatnews opened this issue Dec 8, 2022 · 15 comments · Fixed by #427 or #429
Labels: bug (Something isn't working)

Comments

@haydngreatnews
Contributor

Bug description

pip-audit is incompatible with latest version of packaging, due to removed LegacyVersion

Reproduction steps

  1. pip install pip-audit
  2. Check that packaging version is >= 22.0
  3. Run pip freeze | pip-audit --no-deps -r - to check the currently installed packages

Expected behavior

pip-audit installs a compatible version of packaging

Screenshots and logs

Traceback (most recent call last):
  File "/usr/local/bin/pip-audit", line 5, in <module>
    from pip_audit._cli import audit
  File "/usr/local/lib/python3.9/site-packages/pip_audit/_cli.py", line 17, in <module>
    from pip_audit._audit import AuditOptions, Auditor
  File "/usr/local/lib/python3.9/site-packages/pip_audit/_audit.py", line 10, in <module>
    from pip_audit._dependency_source import DependencySource
  File "/usr/local/lib/python3.9/site-packages/pip_audit/_dependency_source/__init__.py", line 14, in <module>
    from .requirement import RequirementSource
  File "/usr/local/lib/python3.9/site-packages/pip_audit/_dependency_source/requirement.py", line 19, in <module>
    from pip_requirements_parser import InstallRequirement, InvalidRequirementLine, RequirementsFile
  File "/usr/local/lib/python3.9/site-packages/pip_requirements_parser.py", line 73, in <module>
    from packaging.version import LegacyVersion
ImportError: cannot import name 'LegacyVersion' from 'packaging.version' (/usr/local/lib/python3.9/site-packages/packaging/version.py)

Platform information

  • OS name and version: docker, python:3.9-alpine
  • pip-audit version (pip-audit -V): 2.4.7
  • Python version (python -V or python3 -V): 3.9.15
  • pip version (pip -V or pip3 -V): 22.0.4
@haydngreatnews haydngreatnews added the bug-candidate Might be a bug. label Dec 8, 2022
tetsuo-cpp added a commit that referenced this issue Dec 8, 2022
)

* Set maximum version for packaging, which has removed LegacyVersion

pip-audit uses `packaging.version.LegacyVersion` to parse some version numbers, and this is removed in packaging 22.0 (pypa/packaging#407)

Closes #426

* test: Remove `pyparsing` as this is no longer a dependency of `packaging`

Co-authored-by: Alex Cameron <asc@tetsuo.sh>
@di
Sponsor Member

di commented Dec 8, 2022

I think we might want to pursue dropping support for LegacyVersion instead? Going to reopen this to investigate.

@di di reopened this Dec 8, 2022
@di
Sponsor Member

di commented Dec 8, 2022

(If this is due to vendored code from pip, we might want to do whatever pip is now doing instead).

@tetsuo-cpp
Contributor

It's in pip-requirements-parser. I'm looking into it @di.

@woodruffw
Member

woodruffw commented Dec 8, 2022

It might also make sense to get a patch release out the door for #427, since pip install pip-audit is probably selecting the wrong packaging version currently.

Edit: Never mind, you read my mind 😅

@juanitosvq

Thanks for the quick turnaround for this. Is there an estimate for when this PR #429 will be released?
Cheers,
Juan

@woodruffw
Member

> Thanks for the quick turnaround for this. Is there an estimate for when this PR #429 will be released?

We'll probably do it with the next bugfix release, which will most likely be after a fix for #433 is merged.

Are you currently experiencing breakage? Both pip-requirements-parser and the latest release of pip-audit (2.4.8) should already have fixes for this, via #427 🙂

@juanitosvq

Not quite breakage, but due to how pipenv works (pypa/pipenv#5528 for more details and example), we have to pin the version of packaging explicitly in our main packages section until #429 is available, which is not very pretty.

@woodruffw woodruffw added bug Something isn't working and removed bug-candidate Might be a bug. labels Dec 14, 2022
@woodruffw
Member

Got it, thanks for explaining! In that case we can push another patch out; I'll do that in a moment.

@woodruffw
Member

#435 has the bump.

@woodruffw
Member

Cut as 2.4.9. Thanks again!

@juanitosvq

Thanks @woodruffw. Unfortunately, I was looking at the wrong PR and this new version of pip-audit still doesn't solve the issue we have with pipenv. We need this one nexB/pip-requirements-parser#10 so that pip-requirements-parser works with the new major version of packaging. Thanks though, I appreciate the assistance!

@juju4

juju4 commented Dec 17, 2022

I believe that this is not fully solved, as I'm still getting the error in my ansible role pipeline
https://github.com/juju4/ansible-cartography/actions/runs/3700467599/jobs/6311331036#step:7:795

  TASK [Pip-audit] ***************************************************************
  task path: /home/runner/work/ansible-cartography/ansible-cartography/juju4.cartography/molecule/default/verify.yml:107
  Saturday 17 December 2022  18:37:47 +0000 (0:00:05.678)       0:00:15.927 *****
  fatal: [instance]: FAILED! => {"changed": false, "cmd": ["pip-audit", "--path", "/usr/local"], "delta": "0:00:01.039309", "end": "2022-12-17 18:37:48.631440", "msg": "non-zero return code", "rc": 1, "start": "2022-12-17 18:37:47.592131", "stderr": "Traceback (most recent call last):\n  File \"/usr/local/bin/pip-audit\", line 5, in <module>\n    from pip_audit._cli import audit\n  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_cli.py\", line 17, in <module>\n    from pip_audit._audit import AuditOptions, Auditor\n  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_audit.py\", line 10, in <module>\n    from pip_audit._dependency_source import DependencySource\n  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_dependency_source/__init__.py\", line 14, in <module>\n    from .requirement import RequirementSource\n  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_dependency_source/requirement.py\", line 19, in <module>\n    from pip_requirements_parser import InstallRequirement, InvalidRequirementLine, RequirementsFile\n  File \"/usr/local/lib/python3.8/dist-packages/pip_requirements_parser.py\", line 73, in <module>\n    from packaging.version import LegacyVersion\nImportError: cannot import name 'LegacyVersion' from 'packaging.version' (/usr/local/lib/python3.8/dist-packages/packaging/version.py)", "stderr_lines": ["Traceback (most recent call last):", "  File \"/usr/local/bin/pip-audit\", line 5, in <module>", "    from pip_audit._cli import audit", "  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_cli.py\", line 17, in <module>", "    from pip_audit._audit import AuditOptions, Auditor", "  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_audit.py\", line 10, in <module>", "    from pip_audit._dependency_source import DependencySource", "  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_dependency_source/__init__.py\", line 14, in <module>", "    from .requirement import RequirementSource", "  File \"/usr/local/lib/python3.8/dist-packages/pip_audit/_dependency_source/requirement.py\", line 19, in <module>", "    from pip_requirements_parser import InstallRequirement, InvalidRequirementLine, RequirementsFile", "  File \"/usr/local/lib/python3.8/dist-packages/pip_requirements_parser.py\", line 73, in <module>", "    from packaging.version import LegacyVersion", "ImportError: cannot import name 'LegacyVersion' from 'packaging.version' (/usr/local/lib/python3.8/dist-packages/packaging/version.py)"], "stdout": "", "stdout_lines": []}

pip-audit is installed in previous task and is 2.4.10
failing in docker ubuntu 20.04
22.04 has no issue with 2.4.9

@woodruffw
Member

@juju4 could you provide the result of pip list in your Ansible pipeline?

pip-audit==2.4.19 constrains pip-requirements-parser>=32.0.0, which in turn restricts its dependency on packaging to a version that is known to have LegacyVersion: nexB/pip-requirements-parser@f4ce171

@juju4

juju4 commented Dec 18, 2022

From https://github.com/juju4/ansible-cartography/actions/runs/3726085523/jobs/6319299805#step:7:807
pip-audit 2.4.10, pip-requirements-parser 32.0.0 (ubuntu 20.04)
same on 22.04 which does not fail

@woodruffw
Member

Earlier in your CI:

changed: [instance] => {"changed": true, "cmd": ["/usr/bin/python3", "-m", "pip.__main__", "install", "pip-audit"], "name": ["pip-audit"], "requirements": null, "state": "present", "stderr": "ERROR: pip-requirements-parser 32.0.0 has requirement packaging<22.0.0, but you'll have packaging 22.0 which is incompatible.\n", "stderr_lines": ["ERROR: pip-requirements-parser 32.0.0 has requirement packaging<22.0.0, but you'll have packaging 22.0 which is incompatible."],

so it sounds like your local dependency state is invalid: pip-audit is requesting a valid transitive version of packaging, but something else is installing a newer version. This isn't something we can really fix on our end: there's something else in your dependency tree or environment that's causing the incompatible resolution.
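An added example, not code from pip-audit, pip-requirements-parser or any participant in this thread, that ties together the two technical points raised above: the import error in the original report (packaging 22.0 removed `LegacyVersion`, so a parser that relied on it has to decide for itself what to do with non-PEP 440 version strings, which is the direction di suggests) and the invalid environment diagnosed in the last comment (pip-requirements-parser 32.0.0 declares `packaging<22.0.0`, yet packaging 22.0 got installed anyway). The sample `pip freeze` output is constructed for the example; `parse_lenient`, `parse_freeze`, `unparseable`, `find_conflicts` and the `KNOWN_CONSTRAINTS` table are names chosen here, and the table's single entry is the constraint quoted from the pip error in the CI log. It needs only the `packaging` library and behaves the same before and after packaging 22.0, because `Version()` was always strict; only `packaging.version.parse()` used to fall back to `LegacyVersion`.

```python
"""Parsing pinned versions without packaging.version.LegacyVersion.

Added example, not project code: packaging 22.0 dropped LegacyVersion,
so a requirements parser can no longer silently accept non-PEP 440
version strings. Here a string is either a strict PEP 440 Version or an
explicit "unparseable" result, and the pins are then checked against a
known constraint instead of trusting that the environment is consistent.
"""
from __future__ import annotations

from dataclasses import dataclass

from packaging.specifiers import SpecifierSet
from packaging.utils import canonicalize_name
from packaging.version import InvalidVersion, Version


@dataclass(frozen=True)
class ParsedVersion:
    raw: str
    version: Version | None  # None: not PEP 440 (what LegacyVersion used to absorb)

    @property
    def is_pep440(self) -> bool:
        return self.version is not None


def parse_lenient(raw: str) -> ParsedVersion:
    """Strict parse; a non-PEP 440 string is reported, not turned into a crash."""
    try:
        return ParsedVersion(raw, Version(raw))
    except InvalidVersion:
        return ParsedVersion(raw, None)


def parse_freeze(text: str) -> dict[str, ParsedVersion]:
    """Read `pip freeze` style `name==version` lines into a name -> version map."""
    pins: dict[str, ParsedVersion] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or "==" not in line:
            continue  # editable installs, VCS URLs etc. are out of scope here
        name, _, ver = line.partition("==")
        pins[canonicalize_name(name.strip())] = parse_lenient(ver.strip())
    return pins


# (dependant, dependant releases this applies to, dependency, allowed dependency releases).
# The single entry is taken from the pip error in the thread: pip-requirements-parser
# 32.0.0 requires packaging<22.0.0. The table shape itself is an assumption of this example.
KNOWN_CONSTRAINTS = [
    ("pip-requirements-parser", SpecifierSet("==32.0.0"), "packaging", SpecifierSet("<22.0.0")),
]


def find_conflicts(pins: dict[str, ParsedVersion]) -> list[tuple[str, str, str, str]]:
    """Return (dependant, dependency, required, installed) for each violated constraint."""
    conflicts: list[tuple[str, str, str, str]] = []
    for dependant, dep_releases, dependency, allowed in KNOWN_CONSTRAINTS:
        have = pins.get(dependant)
        need = pins.get(dependency)
        if have is None or need is None or not (have.is_pep440 and need.is_pep440):
            continue  # absent or unparseable on either side: cannot evaluate
        if not dep_releases.contains(have.version, prereleases=True):
            continue  # constraint belongs to a different release of the dependant
        if not allowed.contains(need.version, prereleases=True):
            conflicts.append((dependant, dependency, str(allowed), need.raw))
    return conflicts


def unparseable(pins: dict[str, ParsedVersion]) -> list[str]:
    """Names whose pinned version a LegacyVersion-free parser cannot accept."""
    return sorted(name for name, pv in pins.items() if not pv.is_pep440)


# Constructed sample: a `pip freeze` resembling the failing CI environment,
# plus one package whose version string PEP 440 rejects.
SAMPLE_FREEZE = """\
packaging==22.0
pip-audit==2.4.10
pip-requirements-parser==32.0.0
some-internal-tool==1.0.0-SNAPSHOT
"""


if __name__ == "__main__":
    pins = parse_freeze(SAMPLE_FREEZE)
    for name in unparseable(pins):
        print(f"not PEP 440: {name}=={pins[name].raw}")
    for dependant, dependency, required, installed in find_conflicts(pins):
        print(f"conflict: {dependant} requires {dependency}{required}, have {installed}")
```

Run against the sample it reports the `1.0.0-SNAPSHOT` pin as non-PEP 440 and flags packaging 22.0 against the `<22.0.0` constraint, which is the state pip warned about in the Ansible log. In a real pipeline the check in `find_conflicts` is what `pip check` does for every installed distribution's declared requirements, so running that after the install step catches this class of resolution failure before pip-audit is even invoked.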
