
Extension crash with: PackageNotFoundError: No package metadata was found for bandit #104

@PaulMarisOUMary

Summary

The Bandit extension for Visual Studio Code with default configuration crashes with a PackageNotFoundError: No package metadata was found for bandit.

Steps to Reproduce

  1. Install VSCode
  2. Install the Bandit by PyCQA extension from marketplace
  3. Ensure Python is selected as the interpreter
  4. Open any .py file

Expected Behavior

The Bandit extension should use the bundled Bandit shipped with the extension, without requiring an external installation or package metadata.
Linter diagnostics should appear normally in VS Code.

Actual Behavior

The LSP server fails when trying to import the bundled Bandit package, raising a PackageNotFoundError.

As a result:

  • No diagnostics/bandit analysis are generated
  • The server repeatedly crashes

Environment

  • Operating System: Windows 10 Pro, version Windows_NT x64 10.0.19045
  • Visual Studio Code: 1.106.0-insider (user setup)
  • Extension: pycqa.bandit-pycqa version 2025.14.0
  • Python Version: Python 3.13.8 path C:\Program Files\Python313\python.exe
  • Installed packages:
> pip freeze --all
pip==25.2

Traceback

2025-10-13 17:00:58.591 [info] Name: Bandit
2025-10-13 17:00:58.591 [info] Module: bandit
2025-10-13 17:00:58.591 [info] Python extension loading
2025-10-13 17:00:58.591 [info] Waiting for interpreter from python extension.
2025-10-13 17:00:58.595 [info] Python extension loaded
2025-10-13 17:00:58.631 [info] Server run command: c:\Program Files\Python313\python.exe c:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\tool\lsp_server.py
2025-10-13 17:00:58.632 [info] Server: Start requested.
2025-10-13 17:01:00.484 [info] CWD Server: c:\Users\[redacted]\Desktop\project
2025-10-13 17:01:00.484 [info] sys.path used to run Server:
   c:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\libs
   c:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\tool
   c:\Program Files\Python313\python313.zip
   c:\Program Files\Python313\DLLs
   c:\Program Files\Python313\Lib
   c:\Program Files\Python313
   c:\Program Files\Python313\Lib\site-packages
2025-10-13 17:01:00.484 [info] Settings used to run Server:
[
    {
        "enabled": true,
        "cwd": "c:\\Users\\[redacted]\\Desktop\\project",
        "workspace": "file:///c%3A/Users/[redacted]/Desktop/project",
        "args": [],
        "path": [],
        "interpreter": [
            "c:\\Program Files\\Python313\\python.exe"
        ],
        "importStrategy": "useBundled",
        "showNotifications": "off"
    }
]

2025-10-13 17:01:00.484 [info] Global settings:
{
    "cwd": "C:\\Users\\[redacted]\\AppData\\Local\\Programs\\Microsoft VS Code Insiders",
    "enabled": true,
    "workspace": "C:\\Users\\[redacted]\\AppData\\Local\\Programs\\Microsoft VS Code Insiders",
    "args": [],
    "path": [],
    "interpreter": [],
    "importStrategy": "useBundled",
    "showNotifications": "off"
}

2025-10-13 17:01:03.288 [info] [Trace - 5:01:03 PM] Sending notification 'textDocument/didOpen'.
2025-10-13 17:01:03.292 [info] [Trace - 5:01:03 PM] Sending request 'textDocument/codeAction - (1)'.
2025-10-13 17:01:03.293 [info] [Trace - 5:01:03 PM] Received notification 'window/logMessage'.
2025-10-13 17:01:03.293 [info] c:\Program Files\Python313\python.exe -m bandit --quiet --format=sarif c:\Users\[redacted]\Desktop\project\main.py
2025-10-13 17:01:03.300 [info] [Trace - 5:01:03 PM] Received notification 'window/logMessage'.
2025-10-13 17:01:03.300 [info] CWD Linter: c:\Users\[redacted]\Desktop\project
2025-10-13 17:01:04.673 [info] [Trace - 5:01:04 PM] Received notification 'window/logMessage'.
2025-10-13 17:01:04.673 [info] [Error - 5:01:04 PM] Traceback (most recent call last):
  File "c:\Program Files\Python313\Lib\importlib\metadata\__init__.py", line 407, in from_name
    return next(iter(cls.discover(name=name)))
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<frozen runpy>", line 131, in _get_module_details
  File "<frozen importlib.util>", line 91, in find_spec
  File "c:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\libs\bandit\__init__.py", line 19, in <module>
    __author__ = metadata.metadata("bandit")["Author"]
                 ~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "c:\Program Files\Python313\Lib\importlib\metadata\__init__.py", line 977, in metadata
    return Distribution.from_name(distribution_name).metadata
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "c:\Program Files\Python313\Lib\importlib\metadata\__init__.py", line 409, in from_name
    raise PackageNotFoundError(name)
importlib.metadata.PackageNotFoundError: No package metadata was found for bandit

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "c:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\tool\lsp_server.py", line 449, in _run_tool_on_document
    result = utils.run_module(
        module=TOOL_MODULE,
    ...<3 lines>...
        source=document.source,
    )
  File "c:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\tool\lsp_utils.py", line 139, in run_module
    return _run_module(module, argv, use_stdin, source)
  File "c:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\tool\lsp_utils.py", line 128, in _run_module
    runpy.run_module(module, run_name="__main__")
    ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen runpy>", line 222, in run_module
  File "<frozen runpy>", line 148, in _get_module_details
  File "<frozen runpy>", line 140, in _get_module_details
ImportError: Error while finding module specification for 'bandit.__main__' (PackageNotFoundError: No package metadata was found for bandit)

2025-10-13 17:01:04.680 [info] [Trace - 5:01:04 PM] Received response 'textDocument/codeAction - (1)' in 1388ms.
2025-10-13 17:01:06.557 [info] [Trace - 5:01:06 PM] Sending request 'textDocument/codeAction - (2)'.
2025-10-13 17:01:06.561 [info] [Trace - 5:01:06 PM] Received response 'textDocument/codeAction - (2)' in 3ms.

Additional Context

The Bandit VS Code extension bundles the library in bundled/libs using pip -t install.

importlib.metadata expects an installed package with a .dist-info folder containing metadata.

# C:\Users\[redacted]\.vscode-insiders\extensions\pycqa.bandit-pycqa-2025.14.0\bundled\libs\bandit\__init__.py L19

__author__ = metadata.metadata("bandit")["Author"]

(see also here)
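The failure mode reported above can be reproduced in isolation. This is an added example, not part of the original issue and not code from the extension or from Bandit: a package that reads its own distribution metadata at import time is placed in a directory on sys.path once without and once with a .dist-info folder. The package name demo_vendored, the helper names and the metadata contents are constructed for the demonstration.

```python
import importlib
import sys
import tempfile
from importlib import metadata
from pathlib import Path

# Constructed stand-in for a vendored package that reads its own distribution
# metadata at import time, like the __init__.py line quoted in the issue.
INIT_SRC = (
    "from importlib import metadata\n"
    '__author__ = metadata.metadata("demo_vendored")["Author"]\n'
)
METADATA_SRC = "Metadata-Version: 2.1\nName: demo_vendored\nVersion: 1.0\nAuthor: Example\n"

def make_bundle(root: Path, with_dist_info: bool) -> Path:
    """Build a libs directory holding demo_vendored, with or without .dist-info."""
    libs = root / ("libs_ok" if with_dist_info else "libs_broken")
    (libs / "demo_vendored").mkdir(parents=True)
    (libs / "demo_vendored" / "__init__.py").write_text(INIT_SRC)
    if with_dist_info:
        info = libs / "demo_vendored-1.0.dist-info"
        info.mkdir()
        (info / "METADATA").write_text(METADATA_SRC)
    return libs

def has_metadata(libs: Path, dist_name: str) -> bool:
    """True if dist_name is discoverable as a distribution under libs alone."""
    found = metadata.distributions(path=[str(libs)])
    return dist_name in {d.metadata["Name"] for d in found}

def try_import(libs: Path) -> str:
    """Import demo_vendored with libs first on sys.path; return author or error name."""
    sys.modules.pop("demo_vendored", None)
    importlib.invalidate_caches()
    sys.path.insert(0, str(libs))
    try:
        return importlib.import_module("demo_vendored").__author__
    except metadata.PackageNotFoundError as exc:
        return type(exc).__name__
    finally:
        sys.path.remove(str(libs))

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {flag: make_bundle(Path(tmp), flag) for flag in (False, True)}
        return {f: (has_metadata(d, "demo_vendored"), try_import(d)) for f, d in dirs.items()}

if __name__ == "__main__":
    print(run_demo())
```

has_metadata can be pointed at a real bundled libs directory to check whether a given distribution's metadata shipped alongside its package folder.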


Labels: bug (Something isn't working)
