Merge pull request #878 from pypa/ww/resource-warnings

Remove two groups of resource leaks

CHANGELOG.md

@@ -27,6 +27,8 @@ All versions prior to 0.0.9 are untracked.
 * Auditing a fully-pinned requirements file with `--disable-pip` now allows for
   duplicates, so long as the duplicates don't have conflicting specifier sets
   ([#749](https://github.com/pypa/pip-audit/pull/749))
+* Fixed two sources of unnecessary resource leaks when doing file I/O
+  ([#878](https://github.com/pypa/pip-audit/pull/878))
 
 ## [2.7.3]
 

pip_audit/_cli.py

@@ -209,7 +209,7 @@ def _parser() -> argparse.ArgumentParser:  # pragma: no cover
     dep_source_args.add_argument(
         "-r",
         "--requirement",
-        type=argparse.FileType("r"),
+        type=Path,
         metavar="REQUIREMENT",
         action="append",
         dest="requirements",
@@ -465,9 +465,12 @@ def audit() -> None:  # pragma: no cover
 
         source: DependencySource
         if args.requirements is not None:
-            req_files: list[Path] = [Path(req.name) for req in args.requirements]
+            for req in args.requirements:
+                if not req.exists():
+                    _fatal(f"invalid requirements input: {req}")
+
             source = RequirementSource(
-                req_files,
+                args.requirements,
                 require_hashes=args.require_hashes,
                 no_deps=args.no_deps,
                 disable_pip=args.disable_pip,

pip_audit/_subprocess.py

@@ -34,10 +34,6 @@ def run(args: Sequence[str], *, log_stdout: bool = False, state: AuditState = Au
     the process's `stdout` stream as a string.
     """
 
-    # Run the process with unbuffered I/O, to make the poll-and-read loop below
-    # more responsive.
-    process = Popen(args, bufsize=0, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-
     # NOTE(ww): We frequently run commands inside of ephemeral virtual environments,
     # which have long absolute paths on some platforms. These make for confusing
     # state updates, so we trim the first argument down to its basename.
@@ -47,22 +43,25 @@ def run(args: Sequence[str], *, log_stdout: bool = False, state: AuditState = Au
     stdout = b""
     stderr = b""
 
-    # NOTE: We use `poll()` to control this loop instead of the `read()` call
-    # to prevent deadlocks. Similarly, `read(size)` will return an empty bytes
-    # once `stdout` hits EOF, so we don't have to worry about that blocking.
-    while not terminated:
-        terminated = process.poll() is not None
-        stdout += process.stdout.read()  # type: ignore
-        stderr += process.stderr.read()  # type: ignore
-        state.update_state(
-            f"Running {pretty_args}",
-            stdout.decode(errors="replace") if log_stdout else None,
-        )
+    # Run the process with unbuffered I/O, to make the poll-and-read loop below
+    # more responsive.
+    with Popen(args, bufsize=0, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as process:
+        # NOTE: We use `poll()` to control this loop instead of the `read()` call
+        # to prevent deadlocks. Similarly, `read(size)` will return an empty bytes
+        # once `stdout` hits EOF, so we don't have to worry about that blocking.
+        while not terminated:
+            terminated = process.poll() is not None
+            stdout += process.stdout.read()  # type: ignore
+            stderr += process.stderr.read()  # type: ignore
+            state.update_state(
+                f"Running {pretty_args}",
+                stdout.decode(errors="replace") if log_stdout else None,
+            )
 
-    if process.returncode != 0:
-        raise CalledProcessError(
-            f"{pretty_args} exited with {process.returncode}",
-            stderr=stderr.decode(errors="replace"),
-        )
+        if process.returncode != 0:
+            raise CalledProcessError(
+                f"{pretty_args} exited with {process.returncode}",
+                stderr=stderr.decode(errors="replace"),
+            )
 
     return stdout.decode("utf-8", errors="replace")