pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

Fix adds a fixed dependency in files where there is no original one #633

Open q0w opened 1 year ago

q0w commented 1 year ago

Bug description

Fix (--fix) adds a fixed dependency in files where there is no original one.

Reproduction steps

echo httpx==0.13.3 > a.in
echo astpretty > b.in
pip-compile a.in --allow-unsafe --generate-hashes --resolver=backtracking
pip-compile b.in --allow-unsafe --generate-hashes --resolver=backtracking
pip-audit -r a.txt -r b.txt --fix --no-deps

b.txt output before

#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking b.in
#
astpretty==3.0.0 \
    --hash=sha256:15bfd47593667169485a1fa7938b8de9445b11057d6f2b6e214b2f70667f94b6 \
    --hash=sha256:b08c95f32e5994454ea99882ff3c4a0afc8254c38998a0ed4b479dba448dc581
    # via -r b.in

b.txt output now

#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking b.in
#
astpretty==3.0.0 \
    --hash=sha256:15bfd47593667169485a1fa7938b8de9445b11057d6f2b6e214b2f70667f94b6 \
    --hash=sha256:b08c95f32e5994454ea99882ff3c4a0afc8254c38998a0ed4b479dba448dc581
# via -r b.in
    # pip-audit: subdependency explicitly fixed
httpx==0.23.0

Expected behavior

Fixed httpx version should not be added in b.txt, only in a.txt where it was originally

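As an added example that is not part of the issue and not pip-audit's own code, the script below shows the behaviour the report expects: when several requirements files are audited together, a fix for a vulnerable pin is written only into the files that actually contain that pin, and any other file is returned byte-for-byte unchanged. It assumes a deliberately small subset of the requirements format (`name==version` pins, backslash-continued `--hash` lines, `#` comments) and uses constructed file contents with placeholder hashes; the function names (`find_pin`, `apply_fix`, `fix_across_files`) are this example's own.

```python
"""Apply a vulnerability fix only to the requirements files that pin the
affected package; files without that pin are left untouched.

Added example, not pip-audit's own implementation. The parser handles a
small subset of the requirements format: ``name==version`` pins,
``\\``-continued ``--hash`` lines and ``#`` comments.
"""
import re
from typing import Dict, Optional, Tuple

# Matches a pinned requirement at the start of a line and captures name and version.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\#]+)")

# Constructed sample files (hashes are placeholders, not real digests).
A_TXT = (
    "httpx==0.13.3 \\\n"
    "    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \\\n"
    "    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111\n"
    "    # via -r a.in\n"
)
B_TXT = (
    "astpretty==3.0.0 \\\n"
    "    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222\n"
    "    # via -r b.in\n"
)


def canonical(name: str) -> str:
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_pin(text: str, package: str) -> Optional[str]:
    """Return the version pinned for ``package`` in this file, or None."""
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and canonical(m.group(1)) == canonical(package):
            return m.group(2)
    return None


def apply_fix(text: str, package: str, fixed_version: str) -> Tuple[str, bool]:
    """Rewrite the pin for ``package`` to ``fixed_version``.

    Hash continuation lines of the old pin are dropped because they no
    longer match the new release. Returns (new_text, changed); a file
    without the pin comes back unchanged.
    """
    if find_pin(text, package) is None:
        return text, False  # nothing to fix here: do not touch the file
    lines = text.splitlines()
    out = []
    i = 0
    changed = False
    while i < len(lines):
        line = lines[i]
        m = PIN_RE.match(line)
        if m and canonical(m.group(1)) == canonical(package):
            # Skip the old pin's backslash-continued hash lines.
            while line.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                line = lines[i]
            out.append(f"{m.group(1)}=={fixed_version}")
            out.append("    # example: dependency explicitly fixed")
            changed = True
        else:
            out.append(line)
        i += 1
    return "\n".join(out) + "\n", changed


def fix_across_files(files: Dict[str, str], package: str, fixed_version: str) -> Dict[str, str]:
    """Apply the fix per file; only files pinning ``package`` are modified."""
    return {path: apply_fix(text, package, fixed_version)[0] for path, text in files.items()}


if __name__ == "__main__":
    fixed = fix_across_files({"a.txt": A_TXT, "b.txt": B_TXT}, "httpx", "0.23.0")
    for path, content in fixed.items():
        print(f"--- {path} ({'changed' if content != {'a.txt': A_TXT, 'b.txt': B_TXT}[path] else 'unchanged'})")
        print(content, end="")
```

Running the script prints `a.txt` with `httpx==0.23.0` in place of the vulnerable pin and `b.txt` exactly as it was, which is the outcome the issue asks for.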

woodruffw commented 1 year ago

Thanks for the report!

If I'm understanding correctly: the problem here is that we're "fixing" the subdependency in both files, when it should really only be fixed in one, right?

q0w commented 1 year ago

Yes