Pip-audit does not deduplicate identical packages in multiple requirements files
Bug description
(venv) $ pip-audit -s osv -r requirements/base.txt -r requirements/test.txt
Found 2 known vulnerabilities in 2 packages
Name Version ID Fix Versions
--------------------- ------- ------------------- ------------
django-celery-results 2.2.0 GHSA-fvx8-v524-8579
Reproduction steps
- Add a vulnerable version of some package to a “base.txt” requirements file.
- Add the same package version to a separate “test.txt” requirements file.
- Audit both the “base.txt” and “test.txt” requirements files at the same time using the command above.
Expected behavior
Pip-audit sees that the package names + versions are identical across both files, and reports only one vulnerability in one package. Example:
(venv) $ pip-audit -s osv -r requirements/base.txt -r requirements/test.txt
Found 1 known vulnerability in 1 package
Name Version ID Fix Versions
--------------------- ------- ------------------- ------------
django-celery-results 2.2.0 GHSA-fvx8-v524-8579
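The expected behaviour above boils down to one rule: a pinned requirement is identified by its normalized package name plus its version, and every distinct pair should be audited once no matter how many requirements files pin it. The following script is an added illustration of that rule, not pip-audit's own implementation: it reads several requirements files, applies PEP 503 name normalization (so `Django_Celery_Results` and `django-celery-results` collapse to one key), skips comment and option lines such as the `--hash=` continuation lines that pip-tools emits, and reports each unique name+version together with the files that pin it. The two requirements files embedded below are constructed sample input.

```python
"""Deduplicate '==' pins across several requirements files.

Added example, not pip-audit's own code: it demonstrates the behaviour the
report expects (one audit target per distinct name+version, regardless of
how many files pin it). Package names are normalized per PEP 503. The two
requirements files below are constructed sample input.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample contents of two requirements files that both pin the
# same version of django-celery-results (one with a pip-tools style hash).
BASE_TXT = """\
# base dependencies
django-celery-results==2.2.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
celery==5.2.7
"""
TEST_TXT = """\
# test dependencies (base + test extras), same package, different spelling
Django_Celery_Results==2.2.0
celery==5.2.7
pytest==7.1.2
"""

# Matches 'name==version' at the start of a line; the version stops at
# whitespace, a marker (';'), a comment ('#') or a line continuation ('\').
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#\\]+)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> List[Tuple[str, str]]:
    """Return (normalized_name, version) for every '==' pin in a requirements file.

    Blank lines, comments and option lines (anything starting with '-', which
    covers '--hash=' continuation lines and '-r other.txt' includes) are skipped.
    """
    pins: List[Tuple[str, str]] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        match = PIN_RE.match(line)
        if match:
            pins.append((normalize_name(match.group(1)), match.group(2)))
    return pins


def dedupe_across_files(files: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """Map each distinct (name, version) pair to the files that pin it, in order seen."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for fname, text in files.items():
        for pin in parse_pins(text):
            sources = seen.setdefault(pin, [])
            if fname not in sources:
                sources.append(fname)
    return seen


def audit_targets(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """The unique, sorted set of name+version pairs an auditor should query once each."""
    return sorted(dedupe_across_files(files))


if __name__ == "__main__":
    files = {"requirements/base.txt": BASE_TXT, "requirements/test.txt": TEST_TXT}
    for (name, version), sources in dedupe_across_files(files).items():
        print(f"{name}=={version}  pinned in {len(sources)} file(s): {', '.join(sources)}")
```

With the sample files, `django-celery-results==2.2.0` and `celery==5.2.7` are each reported once with two source files, and `pytest==7.1.2` once with one; a vulnerability service would then be queried for three targets rather than five. Deduplicating on the normalized name is the part that is easy to get wrong: without it, the two spellings of the same package would be audited (and counted) separately.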
Screenshots and logs
Similarly, if applicable and possible, re-run the command with --verbose, and paste the logs in the code block below:
(venv) $ pip-audit -s osv -r requirements/base.txt -r requirements/test.txt --verbose
DEBUG:pip_audit._cli:parsed arguments: Namespace(local=False, requirements=[<_io.TextIOWrapper name='requirements/base.txt' mode='r' encoding='UTF-8'>, <_io.TextIOWrapper name='requirements/test.txt' mode='r' encoding='UTF-8'>], project_path=None, format=<OutputFormatChoice.Columns: 'columns'>, vulnerability_service=<VulnerabilityServiceChoice.Osv: 'osv'>, dry_run=False, strict=False, desc=<VulnerabilityDescriptionChoice.Auto: 'auto'>, cache_dir=None, progress_spinner=<ProgressSpinnerChoice.On: 'on'>, timeout=15, paths=[], verbose=True, fix=False, require_hashes=False, index_url='https://pypi.org/simple', extra_index_urls=[], skip_editable=False, output=<_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>)
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.osv.dev:443
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2 repeated many times
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 1360
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2 repeated many times
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 1360
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2 repeated many times
DEBUG:urllib3.connectionpool:https://api.osv.dev:443 "POST /v1/query HTTP/1.1" 200 2
Found 2 known vulnerabilities in 2 packages
Name Version ID Fix Versions
--------------------- ------- ------------------- ------------
django-celery-results 2.2.0 GHSA-fvx8-v524-8579
Platform information
- OS name and version: RHEL 8.6
- pip-audit version (pip-audit -V): pip-audit 2.2.1
- Python version (python -V or python3 -V): Python 3.9.6
- pip version (pip -V or pip3 -V): pip 22.0.4 from my project's venv/lib/python3.9/site-packages/pip (python 3.9)
Issue Analytics
- State:
- Created a year ago
- Comments: 8 (7 by maintainers)
Top GitHub Comments
Hi @tetsuo-cpp, we don’t have any transitive dependencies in our files. We use pip-tools to iterate all dependencies, get a version + hash for each, and put all dependencies (including transitive ones) into a single file.
We then have multiple files with duplicated contents, one for each set of dependencies. So base dependencies only for deployment, base + local dependencies for development / debugging, base + CI dependencies for running tests, and so on. But even a file with only one dependency has this problem, like below:
Auditing the base and test files above still shows the same issue:
I tried with pip-audit==2.3.0 (what I had installed now) and with pip-audit==2.3.3 (latest).
EDIT: Maybe the issue here is that the GHSA does not specify any “Patched versions”: https://github.com/advisories/GHSA-fvx8-v524-8579
@juspence If you upgrade to v2.3.4, this should now be fixed. I’m going to go ahead and close this but please let me know if you run into any issues.