pip's dependency resolver error #1130

Open
Ana06 opened this issue Sep 3, 2024 · 2 comments
Labels
🐛 bug Something isn't working

Comments

@Ana06
Member

Ana06 commented Sep 3, 2024

Details

Both locally and in daily CI, I see the following error in the log:

2024/09/03 09:29:54 [installer.vm] chocolateyinstall.ps1 [+] ERROR : Failed to install: magika.vm
2024/09/03 09:29:54 [installer.vm] chocolateyinstall.ps1 [+] ERROR : Failed to install: malware-jail.vm

It seems to be caused by:

ERROR: ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.

The tools appear to be installed correctly, so this is very confusing and we should investigate how to fix it.

@emtuls
Member

emtuls commented Nov 8, 2024

NOTE: This is actually 2 separate issues: one for magika and a separate issue affecting malware-jail.

This specific pip issue is mostly due to our installation of Python tools being installed separately, and thus Python's dependency resolver is unable to properly satisfy any dependency issues, which is what is displaying the error.

The primary underlying issue is that magika version 0.5.1 had an error in their code that was recently fixed in 0.6.0rc1 (currently unreleased on pypi) which is what made numpy version >=1.26 be required even for Python version <3.12 when it should have only needed >=1.24: google/magika@ebac72a

And because we have other python tools installed via libraries.python3.vm, their dependencies are not checked against this and thus more specifically we run into an issue because StringSifter requires numpy==1.24.4: https://github.com/mandiant/stringsifter/blob/33c0cd5538bf4dc499505b63f89bc045b191a0df/requirements.txt#L110
So when numpy is updated to 1.26 because of magika, we get an error:

ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
stringsifter 3.20230711 requires numpy==1.24.4, but you have numpy 1.26.4 which is incompatible.

image

This can be resolved immediately by just using magika version 0.5.0, and should hopefully be resolved when version 0.6.0 is officially released.

The second issue is that malware-jail has not been updated in a long time, and thus many packages it uses are deprecated, which in turn raises WARN issues within npm, causing the package to seem to "fail":
image
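
Added example, not part of the thread or of the project's code: a minimal check in the spirit of `pip check` that reproduces the numpy conflict described above and shows that no single numpy version satisfies both pins. The package data is constructed from the versions quoted in this issue, and the version parsing is a simplification (numeric releases only).

```python
import operator
import re

# Constructed data modelled on the versions quoted in this thread. Each tool
# was installed by its own pip run, so pip never saw both requirement sets.
INSTALLED = {"numpy": "1.26.4", "stringsifter": "3.20230711", "magika": "0.5.1"}
REQUIRES = {"stringsifter": ["numpy==1.24.4"], "magika": ["numpy>=1.26"]}

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
REQ_RE = re.compile(r"\s*([A-Za-z0-9_.-]+)\s*(==|!=|>=|<=|>|<)\s*([0-9.]+)\s*")

def vtuple(version):
    """Numeric release tuple, zero-padded so 1.26 compares equal to 1.26.0.
    Simplification: no pre-release, epoch or wildcard handling."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse(req):
    """Split 'name<op>version' into (name, comparison function, version)."""
    m = REQ_RE.fullmatch(req)
    if m is None:
        raise ValueError(f"unsupported requirement: {req!r}")
    return m.group(1).lower(), OPS[m.group(2)], m.group(3)

def find_conflicts(installed, requires):
    """Check every installed package's pins against what is actually present."""
    conflicts = []
    for pkg in sorted(requires):
        for req in requires[pkg]:
            name, op, want = parse(req)
            have = installed.get(name)
            if have is None:
                conflicts.append(f"{pkg} requires {req}, which is not installed")
            elif not op(vtuple(have), vtuple(want)):
                conflicts.append(f"{pkg} requires {req}, but {name} {have} is installed")
    return conflicts

def compatible_versions(name, candidates, requires):
    """Candidate versions of `name` that satisfy all requirements placed on it."""
    reqs = [parse(r) for rs in requires.values() for r in rs]
    return [c for c in candidates
            if all(op(vtuple(c), vtuple(want)) for n, op, want in reqs if n == name)]

if __name__ == "__main__":
    for line in find_conflicts(INSTALLED, REQUIRES):
        print(line)
    print(compatible_versions("numpy", ["1.24.4", "1.26.4"], REQUIRES))
```

On a real environment, running `pip check` after all packages are installed performs the equivalent check against the installed metadata.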

@Ana06
Member Author

Ana06 commented Nov 22, 2024

Thanks for the research @emtuls!

@emtuls what about updating (via a PR to malware-jail, or requesting an update by sending an issue linking this issue) the packages in malware-jail? Can you take care of this?

I think using a fixed version of magika is also a good idea. Could you update our package, @emtuls?
