Use `pip`'s new `--dry-run` and `--report` flags

[woodruffw]

On sufficiently new pip versions (not yet released), these flags will allow us to punt all dependency resolution directly to pip and retrieve a corresponding JSON report.

pip-audit should detect and support these versions of pip, leveraging their "official" dependency resolution flow rather than our internal one.

See pypa/pip#10771.

[woodruffw]

Looks like pip 22.2 includes this functionality, meaning that we can use it now:

https://pip.pypa.io/en/stable/reference/installation-report/

[di]

Should most of this support happen in pip-api instead though?

[woodruffw]

I think so, yeah -- I figure we'll probably want a pip_api.report API that mirrors the functionality.

[di]

Reminder that the goal of pip-audit is to be a drop-in replacement for pip's internal APIs. So whatever the function/API is that pip uses internally is what we should mimic in pip-api... I haven't looked but this is probably some type of install function instead.

[woodruffw]

Whoops, you're right. I misread --report as a top-level flag on pip itself, not pip install --report.

[woodruffw]

Opened di/pip-api#153 on pip-api to track.

[pradyunsg]

FWIW, I wouldn’t bother with mirroring pip’s internals when using the installation report. pip-audit should be able to use the report format directly — when integrating into pip, it should be fairly straightforward to use the resolution report from within pip instead (or convert the objects into the relevant format). I’ll defer to you all for judging the right place to implement the subprocess call and JSON parse right now. :)

The point of the report flag (along with dry run) is to make developing such pieces of functionality easier, outside of pip without needing to reinvent aspects of it. FWIW, there’s also pip inspect, which should allow replacing all the introspection logic for venvs with a subprocess call + JSON parse as well.

[di]

Thanks @pradyunsg! Since the ultimate goal of pip-api is to get people to stop using pip's internal API by providing an equivalent API that wraps the CLI instead, it's important for pip-api to mimic that as much as possible.

Also, when integrating into pip, being able to easily replace calls to pip-api with calls from within pip should make integration easier -- but if I'm missing something, definitely let me know.

[woodruffw]

This is done as of #523.