Vendored rich kind of depends on attrs #12612
Labels
project: vendored dependency
Related to a vendored dependency
type: security
Has potential security implications
Description
Observed while poetry appears to be running pip commands in parallel:
Only ImportError is caught here in vendored rich which means that if attrs exists in some sort of half-importable form, it might generate other exceptions like AttributeError.
This particular case was solved by retrying the build, but appears to have:
I'm mainly documenting that this exists, more than asking for it to be fixed (which I think would require making edits to the vendored code). I'm a little interested in whether pip is expected to be safe to run concurrently on projects that it doesn't claim are deps.
Expected behavior
No response
pip version
24.0
Python version
3.9
OS
linux
How to Reproduce
pip install attrs
truncate -s 0 "$(python -c 'import attrs.setters; print(attrs.setters.__file__)')"
pip install foo
Output
No response
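The failure mode described in the issue, as an added example that is not part of the original report and is not pip's or rich's code: a constructed stand-in package (`halfattrs_demo`, a hypothetical name) with a 0-byte submodule is probed first with an ImportError-only guard and then with an `except Exception` guard, which is an assumed alternative rather than a fix the project has adopted.

```python
import importlib
import sys
import tempfile
from pathlib import Path

PKG = "halfattrs_demo"  # constructed stand-in package, not the real attrs


def make_half_installed(root: Path) -> None:
    """Package whose submodule is 0 bytes, yet whose __init__ reads a name from it."""
    pkg = root / PKG
    pkg.mkdir()
    (pkg / "setters.py").write_bytes(b"")  # state left by `truncate -s 0`
    (pkg / "__init__.py").write_text("from . import setters\nfrozen = setters.frozen\n")


def forget(name: str) -> None:  # drop cached partial modules before each probe
    for mod in [m for m in sys.modules if m == name or m.startswith(name + ".")]:
        del sys.modules[mod]


def optional_import(name: str, catch) -> bool:
    """True if `name` imports, False if the import fails with `catch`."""
    forget(name)
    try:
        importlib.import_module(name)
        return True
    except catch:
        return False


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        make_half_installed(Path(tmp))
        sys.path.insert(0, tmp)
        try:
            try:  # guard shape described in the issue: ImportError only
                narrow = optional_import(PKG, ImportError)
            except AttributeError as exc:
                narrow = type(exc).__name__  # escaped the guard
            broad = optional_import(PKG, Exception)  # assumed alternative guard
            missing = optional_import("no_such_module_demo", ImportError)
            return {"narrow": narrow, "broad": broad, "missing": missing}
        finally:
            sys.path.remove(tmp)
            forget(PKG)


if __name__ == "__main__":
    print(run_demo())
```

A module that is genuinely absent is still handled by the narrow guard; only the present-but-broken state gets past it.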