662 duplicates are not supported in requirements.txt when run with disable pip

[mathbou]

Recently, I run in the same problem described in #662. To avoid this, I propose a finer check for duplicates based on both name and specifier.

As stated in the issue, when the --disable-pip flag is used, we could consider that a full requirement resolution has been made. Knowing that, as long as specifiers matches, having duplicates is not a problem. If they don't match, we raise an error like before.

On the side, I also add a small fix for stdout/stderr reading in pip_audit/_subprocess.py. I don't know if it's specific to windows, but the fact that a size was specified, I had the process hanging indefinitely.

[woodruffw]

Thanks for the patch @mathbou! I'll review this today.

[mathbou]

It's been a while here, is there anything that prevent us to go further with this PR ? @woodruffw

[woodruffw]

It's been a while here, is there anything that prevent us to go further with this PR ? @woodruffw

Nope, I've just been delayed in reviews, sorry 😅. I'll do another pass on this today.

(Thank you very much for keeping this PR alive and conflict-free!)

[woodruffw]

Thanks @mathbou, this looks good to me!

Could you add a CHANGELOG entry describing the bugfix here? The other entries in the file should serve as a reference for our preferred entry format 🙂

[mathbou]

@woodruffw I updated the changelog, feel free to change it if it's not clear enough

[woodruffw]

From CI: this line needs coverage!

[mathbou]

This is weird, coverage complains about this line only with py3.8 and 3.9, from 3.10 and above I get 100%.

[woodruffw]

This is probably a manifestation of nedbat/coveragepy#198, which was ultimately resolved in 3.10+ via PEP 626: https://peps.python.org/pep-0626/

The two solutions here are either to drop the else: ... continue or add a coverage ignore comment.