
Duplicates are not supported in requirements.txt when run with --disable-pip #662

Open
npalmius opened this issue Aug 14, 2023 · 2 comments
Labels: bug-candidate (Might be a bug.), component:dep-sources (Dependency sources)

Comments

@npalmius

Bug description

Duplicate entries (with extras) in a requirements file cause an error when auditing if using the --disable-pip option.

This is closely related to #564 (but I would say that it is not a duplicate).

Reproduction steps

Use the following requirements.txt file (generated by poetry):

dash==2.7.1 ; python_full_version < "3.9.0" and python_version >= "3.8"
dash[compress]==2.7.1 ; python_full_version < "3.9.0" and python_version >= "3.8"

This gives the following outputs:

Without --disable-pip:

$ pip-audit -r requirements.txt
No known vulnerabilities found

With --disable-pip:

$ pip-audit -r requirements.txt --disable-pip --no-deps
WARNING:pip_audit._cli:The --no-deps flag is redundant when used with --disable-pip
WARNING:pip_audit._cli:--no-deps is supported, but users are encouraged to fully hash their pinned dependencies
WARNING:pip_audit._cli:Consider using a tool like `pip-compile`: https://pip-tools.readthedocs.io/en/latest/#using-hashes
ERROR:pip_audit._cli:package dash has duplicate requirements: dash[compress]==2.7.1 (from RequirementLine(line_number=2, line='dash[compress]==2.7.1 ; python_full_version < "3.9.0" and python_version >= "3.8"', filename=PosixPath('requirements.txt')))

For reference, the error is the same if the requirements.txt file is generated with hashes, so this is specifically related to --disable-pip, not --no-deps:

$ pip-audit -r requirements.txt --disable-pip
ERROR:pip_audit._cli:package dash has duplicate requirements: dash[compress]==2.7.1 (from RequirementLine(line_number=290, line='dash[compress]==2.7.1 ; python_full_version < "3.9.0" and python_version >= "3.8"     --hash=sha256:0935490e3dd2d2a046291989824732901437bc0336d592eadcb93fd9c866d4c9     --hash=sha256:13cd19d19288a8fb9c2a5cd069c72643758fc2fcda68cacc72474a4ec6b7667d', filename=PosixPath('requirements.txt')))

Expected behavior

pip-audit -r requirements.txt --disable-pip should perform the same as pip-audit -r requirements.txt

Platform information

  • OS name and version:
  • pip-audit version: pip-audit 2.6.1
  • Python version: Python 3.8.17
  • pip version: pip 23.1.2
@npalmius npalmius added the bug-candidate Might be a bug. label Aug 14, 2023
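The behaviour the report expects can be modelled with a small merger: two lines that name the same project with the same version specifier are one requirement whose extras are unioned, while two lines that pin the same project to different versions are a genuine conflict. The code below is an added illustration, not pip-audit's own dependency-source code; its parser is a deliberately minimal regex (no `packaging` dependency), and the sample lines are the two poetry-exported entries from the report plus the hashed variant of the second one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added example, not pip-audit's own code: a requirements-line merger that
# treats `dash==2.7.1` and `dash[compress]==2.7.1` as one pinned project
# with extras, while still rejecting real conflicts (same project, different
# specifier).

# name, optional [extras], optional specifier; markers and options are cut off first
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[(?P<extras>[^\]]*)\])?"
    r"\s*(?P<spec>[^;\s]*)"
)


@dataclass
class Req:
    name: str                 # PEP 503 normalised project name
    spec: str                 # version specifier text, e.g. "==2.7.1"
    extras: set[str] = field(default_factory=set)
    lines: list[int] = field(default_factory=list)  # source line numbers


class DuplicateRequirementError(ValueError):
    """Same project pinned twice with different specifiers."""


def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_line(text: str, line_number: int) -> Req | None:
    # Strip per-requirement options (--hash=...) and the environment marker;
    # neither changes which project/version the line names.
    body = text.split("--hash")[0].split(";")[0].strip()
    m = _REQ_RE.match(body)
    if not m or not m.group("name"):
        return None
    raw_extras = m.group("extras") or ""
    extras = {e.strip().lower() for e in raw_extras.split(",") if e.strip()}
    return Req(normalize(m.group("name")), m.group("spec"), extras, [line_number])


def merge_requirements(lines: list[str]) -> dict[str, Req]:
    merged: dict[str, Req] = {}
    for number, raw in enumerate(lines, start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue  # comments and standalone options such as -r / --index-url
        req = parse_line(stripped, number)
        if req is None:
            continue
        existing = merged.get(req.name)
        if existing is None:
            merged[req.name] = req
        elif existing.spec == req.spec:
            # Same pin: union the extras instead of reporting a duplicate.
            existing.extras |= req.extras
            existing.lines.extend(req.lines)
        else:
            raise DuplicateRequirementError(
                f"package {req.name} has conflicting requirements: "
                f"{existing.spec!r} (line {existing.lines[0]}) vs "
                f"{req.spec!r} (line {number})"
            )
    return merged


def is_conflicting(lines: list[str]) -> bool:
    """True when the file pins one project to two different specifiers."""
    try:
        merge_requirements(lines)
    except DuplicateRequirementError:
        return True
    return False


# Constructed sample: the two poetry-exported lines from the report, plus the
# hashed variant of the second line.
SAMPLE_LINES = [
    'dash==2.7.1 ; python_full_version < "3.9.0" and python_version >= "3.8"',
    'dash[compress]==2.7.1 ; python_full_version < "3.9.0" and python_version >= "3.8"',
]
SAMPLE_LINES_HASHED = [
    SAMPLE_LINES[0],
    SAMPLE_LINES[1]
    + "     --hash=sha256:0935490e3dd2d2a046291989824732901437bc0336d592eadcb93fd9c866d4c9"
    + "     --hash=sha256:13cd19d19288a8fb9c2a5cd069c72643758fc2fcda68cacc72474a4ec6b7667d",
]

if __name__ == "__main__":
    for name, req in merge_requirements(SAMPLE_LINES_HASHED).items():
        print(name, req.spec, sorted(req.extras), req.lines)
```

The merge key is the normalised project name, and extras are folded in only when the specifier text is identical; that keeps the useful part of the existing error (two different pins for one project really is a problem for an auditor that trusts the file without resolving it) while letting the extras-only duplicate pass, which is the same outcome the pip-backed path produces.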
@woodruffw
Member

Thanks for the report! I or someone else should have some time to triage this in the coming days.

@woodruffw woodruffw added the component:dep-sources Dependency sources label Aug 14, 2023
@npalmius
Author

Thanks @woodruffw - it's not urgent as it runs fine without --disable-pip, but it's a nice optimisation as poetry is managing full dependency resolution so we know that the requirements file is complete.
