pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

662 duplicates are not supported in requirements.txt when run with disable pip #749

Open mathbou opened 6 months ago

mathbou commented 6 months ago

Recently, I ran into the same problem described in #662. To avoid this, I propose a finer check for duplicates based on both name and specifier.

As stated in the issue, when the --disable-pip flag is used, we could consider that a full requirement resolution has been made. Knowing that, as long as the specifiers match, having duplicates is not a problem. If they don't match, we raise an error like before.

On the side, I also added a small fix for stdout/stderr reading in pip_audit/_subprocess.py. I don't know if it's specific to Windows, but because a size was specified, I had the process hanging indefinitely.
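The name-plus-specifier duplicate rule proposed above, as an added example that is not part of this PR or of pip-audit's own code. It assumes a simplified requirement grammar (project name, optional extras, comma-separated specifier clauses, optional marker) parsed with a hand-written regex rather than a full PEP 508 parser, and a hypothetical `collect_requirements` helper with an `allow_identical_duplicates` switch to contrast the old and proposed behaviour:

```python
import re

# Added example, not pip-audit's own code: a simplified requirements.txt duplicate
# check that only tolerates a repeated project when name AND specifier both match.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"  # project name
    r"\s*(?:\[[^\]]*\])?"                                     # optional extras (ignored)
    r"\s*(?P<spec>[^;]*?)"                                    # version specifier clauses
    r"\s*(?:;.*)?$"                                           # optional marker (ignored)
)


class DuplicateRequirementError(ValueError):
    """The same project is listed twice with different specifiers."""


def canonicalize(name: str) -> str:
    """PEP 503 style name normalisation: 'Foo_Bar.baz' -> 'foo-bar-baz'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_specifier(spec: str) -> frozenset:
    """Order- and whitespace-insensitive form of a clause list such as '>=1.26, <2'."""
    return frozenset(c.replace(" ", "") for c in spec.split(",") if c.strip())


def collect_requirements(lines, allow_identical_duplicates=True):
    """Map canonical name -> specifier set; allow_identical_duplicates=False
    reproduces the old behaviour where any repeated name is an error."""
    seen = {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options (-r, -e, ...)
            continue
        match = _REQ_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: cannot parse requirement {raw!r}")
        name = canonicalize(match.group("name"))
        spec = parse_specifier(match.group("spec"))
        if name in seen:
            if allow_identical_duplicates and seen[name] == spec:
                continue  # same name and same specifier: harmless repeat
            previous = ",".join(sorted(seen[name])) or "<any version>"
            raise DuplicateRequirementError(
                f"line {lineno}: {name} already listed with specifier {previous}"
            )
        seen[name] = spec
    return seen
```

With the default switch, a repeated `requests==2.31.0` line passes while `Requests==2.31.0` followed by `requests>=2.32` is rejected, which is the behaviour the PR describes for --disable-pip.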

woodruffw commented 6 months ago

Thanks for the patch @mathbou! I'll review this today.

mathbou commented 1 month ago

It's been a while here, is there anything that prevents us from going further with this PR? @woodruffw

woodruffw commented 1 month ago

> It's been a while here, is there anything that prevents us from going further with this PR? @woodruffw

Nope, I've just been delayed in reviews, sorry 😅. I'll do another pass on this today.

(Thank you very much for keeping this PR alive and conflict-free!)

mathbou commented 1 month ago

@woodruffw I updated the changelog, feel free to change it if it's not clear enough