b.txt output before
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
# pip-compile --allow-unsafe --generate-hashes --resolver=backtracking b.in
#
astpretty==3.0.0 \
--hash=sha256:15bfd47593667169485a1fa7938b8de9445b11057d6f2b6e214b2f70667f94b6 \
--hash=sha256:b08c95f32e5994454ea99882ff3c4a0afc8254c38998a0ed4b479dba448dc581
# via -r b.in
b.txt output now
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
# pip-compile --allow-unsafe --generate-hashes --resolver=backtracking b.in
#
astpretty==3.0.0 \
--hash=sha256:15bfd47593667169485a1fa7938b8de9445b11057d6f2b6e214b2f70667f94b6 \
--hash=sha256:b08c95f32e5994454ea99882ff3c4a0afc8254c38998a0ed4b479dba448dc581
# via -r b.in
# pip-audit: subdependency explicitly fixed
httpx==0.23.0
Expected behavior
Fixed httpx version should not be added in b.txt, only in a.txt where it was originally
Screenshots and logs
Platform information
OS name and version: Arch Linux
pip-audit version (pip-audit -V): pip-audit 2.5.6
Python version (python -V or python3 -V): Python 3.11.3
If I'm understanding correctly: the problem here is that we're "fixing" the subdependency in both files, when it should really only be fixed in one, right?
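A check for the behaviour reported here, as an added example that is not part of the issue or of pip-audit's own code: it compares a compiled requirements file before and after `--fix` and reports pins appended under the fix marker for packages the file never pinned. It assumes the file is complete pip-compile output; the helper names (`pins`, `spurious_fixes`) and the placeholder hashes are constructed for illustration.

```python
import re

FIX_MARKER = "# pip-audit: subdependency explicitly fixed"  # comment shown in the report
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\;]+)")


def normalize(name):
    """PEP 503 name normalization, so 'HTTPX' and 'httpx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pins(text):
    """Return {normalized name: version} for every 'name==version' line."""
    found = {}
    for line in text.splitlines():
        m = PIN_RE.match(line.strip())
        if m:
            found[normalize(m.group(1))] = m.group(2)
    return found


def spurious_fixes(before, after):
    """Pins that follow the fix marker in `after` but were absent from `before`.

    Assumes `before` is complete pip-compile output: every package that file
    installs is already pinned, so a fix for an unpinned name does not belong.
    """
    known = pins(before)
    flagged = []
    lines = [ln.strip() for ln in after.splitlines()]
    for prev, line in zip(lines, lines[1:]):
        m = PIN_RE.match(line)
        if prev == FIX_MARKER and m and normalize(m.group(1)) not in known:
            flagged.append(f"{m.group(1)}=={m.group(2)}")
    return flagged


# Constructed sample: b.txt from the report, hashes replaced by placeholders.
B_BEFORE = """\
astpretty==3.0.0 \\
    --hash=sha256:<placeholder-1> \\
    --hash=sha256:<placeholder-2>
    # via -r b.in
"""
B_AFTER = B_BEFORE + FIX_MARKER + "\nhttpx==0.23.0\n"

if __name__ == "__main__":
    print(spurious_fixes(B_BEFORE, B_AFTER))  # ['httpx==0.23.0']
```

Run against each file passed to a multi-file `--fix` invocation, a non-empty result marks a file that received a pin it should not have.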
Bug description
Fix (--fix) adds a fixed dependency in files where there is no original one.
Platform information
pip-audit version (pip-audit -V): pip-audit 2.5.6
Python version (python -V or python3 -V): Python 3.11.3
pip version (pip -V or pip3 -V): pip 23.1.2
Additional context