Tempfiles are not working on Windows

[marickmanrho]

Bug description

On Windows, when pip-audit creates the virtual environment a permission error occurs. This is caused under the hood by a known bug in Python itself. However, there is a way to work around it (see the end of this issue report).

During the pip-audit process a virtual environment is created in a temporary folder. A temporary file created in this temp folder loses its permissions on Windows when it is closed (this doesn't happen in Unix). The pip install process opens and closes one or two temporary files several times during the installation process, and thus, permissions on the temp file are lost and Windows throws an error.

Reproduction steps

On windows for any python package:

pip-audit .

Expected behavior

Create virtual environment for auditing.

Screenshots and logs

The error message

ERROR:pip_audit._virtual_env:internal pip failure: ERROR: Could not open requirements file: [Errno 13] Permission denied: 'C:\\Users\\Manrho\\AppData\\Local\\Temp\\82\\tmpnmkebs43'

ERROR:pip_audit._cli: Failed to install packages: ['C:\\Users\\Manrho\\AppData\\Local\\Temp\\82\\tmp855pujcg\\Scripts''python.exe', ' -m', ' pip', ' install', ' --dry-run', '--report', 'C:\\Users\\Manrho\\AppData\\Local\\Temp\\82\\tmpm_c5v3cp', '-r', 'C:\\Users\\Manrho\\AppData\\Local\\Temp\\82\\tmpnmkebs43']

Platform information

• OS name and version: Windows Server 2019
• pip-audit version (pip-audit -V): 2.6.0
• Python version (python -V or python3 -V): 3.9.17
• pip version (pip -V or pip3 -V): 23.1.2

Additional context

An easy fix is to replace NamedTemporaryFile() to NamedTemporaryFile(delete=False) in the files _virtual_env.py and pip_audit/_dependency_source. However, this defeats the purpose of using NamedTemporaryFile as manual cleanup is needed.
The way to fix this is to avoid using the NamedTemporaryFile() context manager altogether.

[woodruffw]

Thanks for the detailed report @marickmanrho!

I think we had similar issues on Windows with the pip caching middleware: it also uses tempfiles, and had similar locking/permission problems.

I or someone else should have some free time to look into a fix soon; a PR would also be welcome 🙂

(IMO retaining the context manager and using delete=False would be fine for our purposes -- the manager still gives us the auto-closing behavior we want, and we do similar elsewhere in the codebase.)

[marickmanrho]

Hey @woodruffw, thanks for the quick reply. I opted to create a custom tempfile class to both close the file and remove it on context exit. See PR for details.

[woodruffw]

Thanks @marickmanrho! I'll have time to review this either today or early next week.