lively-dusk-46231 (10/23/2022, 4:47 AM):
bandit
when debugging some version issues with pants
https://github.com/PyCQA/bandit/issues/960
Do you think it makes sense to change the default [bandit].version from bandit<1.8,>=1.7.0 -> bandit<1.8,>=1.7.0,!=1.7.2 ?
If yes - I can create an issue in github

enough-analyst-54434 (10/23/2022, 6:18 AM):
bandit requires Python '>=3.7' but the running Python is 3.6.5
That's just bandit saying they dropped older Python support. Projects do this all the time. You might quibble that they should have only done this in a minor or major version bump and not in a patch version bump, but the ship has sailed.
bandit>=1.7.2 will simply never work for Python 3.6.

lively-dusk-46231 (10/23/2022, 7:01 AM):
pip3.6 install bandit
it is fetching bandit 1.7.2
If bandit 1.7.2 does not support py3.6
It should have fetched bandit=1.7.1
I expect pants to take bandit 1.7.1 if I have interpreter constraints as py3.6
When I tried it without pants, I saw the issue with even pip - pip3.6 should have taken bandit 1.7.1
Similar issues don't occur with other libraries.
If I do pip3.6 install flask
it installs the last known version of flask that works with py3.6

enough-analyst-54434 (10/23/2022, 12:22 PM):
Requires-Python metadata.
Here's where PBR did the right things in setup.cfg and setup.py to drop support: https://github.com/PyCQA/bandit/pull/777
And here's the correct result:
unzip -qc bandit-1.7.2-py3-none-any.whl bandit-1.7.2.dist-info/METADATA | grep Requires-Python
Requires-Python: >=3.7

lively-dusk-46231 (10/23/2022, 1:56 PM):
pip directly - I can fix the issue by using ~21
Any way for me to check the pip version that pants is using? I think it is creating a pex file based on my interpreter constraints?

enough-analyst-54434 (10/23/2022, 1:57 PM):

lively-dusk-46231 (10/23/2022, 1:59 PM):

enough-analyst-54434 (10/23/2022, 2:10 PM):

lively-dusk-46231 (10/23/2022, 2:20 PM):
$ cat pants.toml
[GLOBAL]
pants_version = "2.13.0"
backend_packages = [
"pants.backend.python",
"pants.backend.python.lint.bandit",
]
[python]
interpreter_constraints = ['CPython>=3.6,<4']
[bandit]
lockfile = 'bandit.lock'
$ cat BUILD
python_sources(name="root")
Now when I do:
./pants generate-lockfiles
It creates a lock file with bandit==1.7.2
Now when I run:
./pants lint ::
It raises:
Dependency on bandit not satisfied, 1 incompatible candidate found:
1.) bandit 1.7.2 (via: bandit<1.8,>=1.7.0) requires Python >=3.7
This is not the behavior I would have expected.
Shouldn't "something" have chosen bandit==1.7.1 in the lockfile to satisfy my interpreter constraints?

enough-analyst-54434 (10/23/2022, 2:30 PM):

lively-dusk-46231 (10/23/2022, 2:32 PM):
[bandit].version = 'bandit<1.8,>=1.7.0,!=1.7.2'
- made it work (no clue why anymore).

wide-midnight-78598 (10/23/2022, 2:43 PM):

bitter-ability-32190 (10/23/2022, 2:45 PM):

lively-dusk-46231 (10/23/2022, 2:46 PM):
$ head -20 bandit.lock
// This lockfile was autogenerated by Pants. To regenerate, run:
//
// ./pants generate-lockfiles --resolve=bandit
//
// --- BEGIN PANTS LOCKFILE METADATA: DO NOT EDIT OR REMOVE ---
// {
// "version": 2,
// "valid_for_interpreter_constraints": [
// "CPython<4,>=3.6" <------------------------------------------ HERE?
// ],
// "generated_with_requirements": [
// "GitPython==3.1.18",
// "bandit<1.8,>=1.7.0",
// "setuptools"
// ]
// }
// --- END PANTS LOCKFILE METADATA ---

bitter-ability-32190 (10/23/2022, 2:48 PM):

lively-dusk-46231 (10/23/2022, 2:50 PM):
[python].interpreter_constraints = ['CPython>=3.7,<=3.8']
- makes it work (uses bandit 1.7.4)
[python].interpreter_constraints = ['CPython>=3.6,<=3.7']
- FAILS (uses bandit 1.7.2 - which is meant for py37+)

wide-midnight-78598 (10/23/2022, 3:02 PM):
python3.6 -m pip install bandit==1.7.2
do?

lively-dusk-46231 (10/23/2022, 3:31 PM):
$ ~/python36/bin/python -V
Python 3.6.5 :: Anaconda, Inc.
$ ~/python36/bin/python -m pip -V
pip 21.0.1
$ ~/python36/bin/python -m pip install bandit==1.7.2
ERROR: Package 'bandit' requires a different Python: 3.6.5 not in '>=3.7'
$ ~/python36/bin/python -m pip install 'bandit<=1.7.2'
Successfully installed bandit-1.7.1
System python in Ubuntu 18.04 (WSL2 in Windows 10):
$ /usr/bin/python3 -V
Python 3.6.9
$ /usr/bin/python3 -m pip -V
pip 9.0.1
$ /usr/bin/python3 -m pip install bandit==1.7.2
bandit requires Python '>=3.7' but the running Python is 3.6.9
$ /usr/bin/python3 -m pip install 'bandit<=1.7.2'
bandit requires Python '>=3.7' but the running Python is 3.6.9

enough-analyst-54434 (10/23/2022, 4:23 PM):
Requires-Python >=3.5.

lively-dusk-46231 (10/23/2022, 4:36 PM):

enough-analyst-54434 (10/23/2022, 4:36 PM):

lively-dusk-46231 (10/23/2022, 4:40 PM):

enough-analyst-54434 (10/23/2022, 4:46 PM):