Restrict unused version pins in URL/VCS requirements?

What’s the problem this feature will solve?

I noticed this behavior while debugging/repro-ing https://github.com/pypa/pip-audit/issues/382: pip install -r requirements.txt will happily install a VCS or other URL dependency that contains a fragment string like this:

hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#egg=hypothesis==9.9.9&subdirectory=hypothesis-python

The egg=hypothesis==9.9.9 fragment implies that hypothesis==9.9.9 is being installed from this URL, but that version specifier is actually ignored and the real version at that VCS ref (6.56.3) is installed instead.

AFAICT this version pin was never supported in the first place (https://github.com/pypa/pip/issues/5384 says that the egg fragment has never supported 508-style specs), but it’s a little surprising (as an end user) for it to silently be ignored rather than producing a warning or requirements parsing error.

Describe the solution you’d like

Ideally, pip would produce a hard error (or at least a warning) here, since the supplied version specifier is (1) ineffective and (2) indicates user confusion about what they’re asking for.

Alternative Solutions

No alternative solution is necessary, since this isn’t broken per se.

Additional context

pip-audit context: https://github.com/pypa/pip-audit/issues/382

This issue also manifests in third-party requirements-file parsers, like pip-audit and pip-requirements-parser. If this behavior is changed in pip itself, I can submit patches there as well.

Code of Conduct

• I agree to follow the PSF Code of Conduct.