Cannot include git repo as a dependency #601

Closed
seankfh opened this issue Apr 27, 2023 · 3 comments
seankfh commented Apr 27, 2023

Bug description

When including a git repo as a dependency pip-audit outputs RequirementSourceError: requirement textract is not pinned, URL requirements must be pinned.

I originally commented on #382 before creating this new issue here.

Reproduction steps

The line of my requirements.txt which causes the failure is the following:

    textract @ git+https://github.com/seankfh/textract.git@0c80ff5727061587442fc5a1886c668d53e8d16d
        # via -r requirements.in

pip-audit currently runs through this line of pre-commit config here:

    hooks:
    -   id: pip-audit
        args: ["-r", "./projectname/requirements.txt", "--fix", "--dry-run", "--no-deps"]

Expected behavior

pip install or pip-sync both work with the resulting requirements file above, so I would expect pip-audit to run normally without failure as well.

Screenshots and logs

This is the final error message and resulting stack trace:

(env) ~/projects/projectname$ git commit -m "Update pip deps with latest merge to master and forked textract."
check yaml...............................................................Passed
black....................................................................Passed
autoflake................................................................Passed
pip-audit................................................................Failed
- hook id: pip-audit
- exit code: 1

WARNING:pip_audit._cli:--no-deps is supported, but users are encouraged to fully hash their pinned dependencies
WARNING:pip_audit._cli:Consider using a tool like `pip-compile`: https://pip-tools.readthedocs.io/en/latest/#using-hashes
Traceback (most recent call last):
  File "/home/username/.cache/pre-commit/repo0kiw5gzx/py_env-python3/bin/pip-audit", line 8, in <module>
    sys.exit(audit())
  File "/home/username/.cache/pre-commit/repo0kiw5gzx/py_env-python3/lib/python3.9/site-packages/pip_audit/_cli.py", line 432, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/home/username/.cache/pre-commit/repo0kiw5gzx/py_env-python3/lib/python3.9/site-packages/pip_audit/_audit.py", line 66, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/home/username/.cache/pre-commit/repo0kiw5gzx/py_env-python3/lib/python3.9/site-packages/pip_audit/_service/interface.py", line 150, in query_all
    for spec in specs:
  File "/home/username/.cache/pre-commit/repo0kiw5gzx/py_env-python3/lib/python3.9/site-packages/pip_audit/_dependency_source/requirement.py", line 114, in collect
    for _, dep in self._collect_cached_deps(filename, reqs):
  File "/home/username/.cache/pre-commit/repo0kiw5gzx/py_env-python3/lib/python3.9/site-packages/pip_audit/_dependency_source/requirement.py", line 312, in _collect_cached_deps
    for req, dep in self._collect_preresolved_deps(
  File "/home/username/.cache/pre-commit/repo0kiw5gzx/py_env-python3/lib/python3.9/site-packages/pip_audit/_dependency_source/requirement.py", line 259, in _collect_preresolved_deps
    raise RequirementSourceError(
pip_audit._dependency_source.requirement.RequirementSourceError: requirement textract is not pinned, URL requirements must be pinned with #egg=your_package_name==your_package_version: textract@ git+https://github.com/seankfh/textract.git@0c80ff5727061587442fc5a1886c668d53e8d16d from git+https://github.com/seankfh/textract.git@0c80ff5727061587442fc5a1886c668d53e8d16d (from RequirementLine(line_number=219, line='textract @ git+https://github.com/seankfh/textract.git@0c80ff5727061587442fc5a1886c668d53e8d16d', filename=PosixPath('requirements.txt')))

Platform information

  • OS name and version: Debian 11
  • pip-audit version (pip-audit -V): 2.5.2
  • Python version (python -V or python3 -V): 3.9.2
  • pip version (pip -V or pip3 -V): 23.1.2

Additional context

Since adopting pip-audit I've always used the --no-deps flag because it will hang otherwise on my Debian system. I believe it is due to #210 but I do use a virtual environment and the problem persists. There is no output when running the command and it continues without terminating.

seankfh added the bug-candidate (Might be a bug.) label Apr 27, 2023
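The report above turns on how a direct-URL requirement is (or is not) pinned and on the fact that a git dependency is not something a PyPI-based audit can cover. The following stdlib-only checker is an added example, not pip-audit's own parser: it classifies each `name @ url` line as commit-pinned, `#egg=name==version`-pinned or unpinned and lists the lines the audit will not cover. The 40-hex commit rule, the regexes, `parse_direct_ref`, `audit_gaps` and the example.invalid lines are assumptions or constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed rules modelled on the error text, not pip-audit's real parser:
# a 40-hex rev after '@' is a commit pin, '#egg=name==version' a version pin.
_COMMENT_RE = re.compile(r"(^|\s)#.*$")  # pip: '#' after whitespace is a comment
_DIRECT_REF_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*(\S+)$")
_COMMIT_RE = re.compile(r"@([0-9a-f]{40})$")
_EGG_PIN_RE = re.compile(r"^egg=[A-Za-z0-9._-]+==\S+$")

@dataclass(frozen=True)
class DirectRef:
    name: str
    url: str
    pin: str  # "egg-version", "commit" or "none"

def parse_direct_ref(line: str) -> Optional[DirectRef]:
    """DirectRef for a 'name @ url' requirement line, None for any other line."""
    m = _DIRECT_REF_RE.match(_COMMENT_RE.sub("", line).strip())
    if not m or not urlsplit(m.group(2)).scheme:  # not a direct-URL requirement
        return None
    parts = urlsplit(m.group(2))
    if _EGG_PIN_RE.match(parts.fragment):
        pin = "egg-version"
    elif _COMMIT_RE.search(parts.path):
        pin = "commit"
    else:
        pin = "none"
    return DirectRef(m.group(1), m.group(2), pin)

def audit_gaps(lines: List[str]) -> List[str]:
    """One finding per direct-URL dependency: a PyPI-based audit cannot cover it."""
    findings = []
    for ref in filter(None, map(parse_direct_ref, lines)):
        note = "direct URL dependency, skipped by a PyPI vulnerability audit"
        if ref.pin == "none":
            note += "; no commit or version pin, build not reproducible"
        findings.append(f"{ref.name}: {note} (pin={ref.pin})")
    return findings

# Constructed sample: the report's textract line plus invented example.invalid ones.
SAMPLE = [
    "textract @ git+https://github.com/seankfh/textract.git@0c80ff5727061587442fc5a1886c668d53e8d16d",
    "    # via -r requirements.in",
    "pkg-a @ git+https://example.invalid/org/a.git#egg=pkg-a==1.7.0",
    "pkg-b @ git+https://example.invalid/org/b.git",
]
```

Running `audit_gaps(SAMPLE)` yields three findings; only pkg-b is flagged as having no pin at all, while the textract line is commit-pinned but still outside what a PyPI audit can check.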
woodruffw (Member) commented

Thanks for the report @seankfh!

Would you be able to try the latest version of pip-audit (2.5.4, not 2.5.2) and let us know if the issue persists?

In particular, we made some significant changes (#540) with the 2.5.3 release to the internals of how we handle --no-deps.

woodruffw self-assigned this Apr 28, 2023
seankfh commented Apr 28, 2023

This appears to work as expected @woodruffw! Here is the output:

(env) ~/projects/projectname$ pip-audit -r ./requirements.txt --fix --dry-run --no-deps
WARNING:pip_audit._cli:--no-deps is supported, but users are encouraged to fully hash their pinned dependencies
WARNING:pip_audit._cli:Consider using a tool like `pip-compile`: https://pip-tools.readthedocs.io/en/latest/#using-hashes
No known vulnerabilities found
Name     Skip Reason
-------- -----------------------------------------------------------------------
textract Dependency not found on PyPI and could not be audited: textract (1.7.0)

woodruffw (Member) commented

Excellent, thank you for confirming!

woodruffw added the duplicate (This issue or pull request already exists) label and removed the bug-candidate (Might be a bug.) label Apr 28, 2023