Editable python package produces sanitized-package instead of package name

[dalepotter]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

pip

Package manager version

pip-tools==6.5.1

Language version

Python 3.8.10

Manifest location and content before the Dependabot update

https://github.com/dalepotter/ebay-multilocation-item-notifier/blob/6d63a490497a33e37ca947efbacec7d5efa51263/requirements_dev.txt

dependabot.yml content

(No .dependabot.yml file in the repo)

Updated dependency

No response

What you expected to see, versus what you actually saw

Dependencies referencing the editable package should reference the package name, not sanitized-package.

i.e. this was produced:

ebaysdk==2.2.0
    # via
    #   -r requirements.txt
    #   sanitized-package

when I expected this...

ebaysdk==2.2.0
    # via
    #   -r requirements.txt
    #   ebay-multilocation-item-notifier

Example diff: https://github.com/dalepotter/ebay-multilocation-item-notifier/pull/7/files

Native package manager behavior

Running pip-compile requirements_dev.in does not yield any references to sanitized-package.

The correct package name is used - i.e. ebay-multilocation-item-notifier

Images of the diff or a link to the PR, issue, or logs

https://github.com/dalepotter/ebay-multilocation-item-notifier/pull/7/files

Smallest manifest that reproduces the issue

No response

[sfdye]

The same issue seems to be breaking our dependabot updates as well (when using editable)

updater | INFO <job_591316333> Checking if urllib3 1.25.2 needs updating
updater | INFO <job_591316333> Latest version is 1.26.14
updater | INFO <job_591316333> Handled error whilst updating urllib3: dependency_file_not_resolvable {:message=>"Cannot install sanitized-package 0.0.1 (from /home/dependabot/dependabot-updater/dependabot_tmp_dir/dependabot_tmp_dir/xxx) and sanitized-package 0.0.1 (from /home/dependabot/dependabot-updater/dependabot_tmp_dir/dependabot_tmp_dir/yyy) because these package versions have conflicting dependencies."}

[deivid-rodriguez]

Uggh. Apparently when sanitizing setup.py files, we use the random name "sanitized-package", with the expectation that we only need requirements from there and that the name is not important since it will never end up in requirement.txt files.

Turns out this is not true for editable requirements?

We should be able to parse the name as well when sanitizing setup.py files here, and preserve that in the sanitized file.

[sfdye]

Any update on this issue?

For us, the entire update failed because there are multiple editable installs and that led to version conflicts.

[deivid-rodriguez]

No, but I think the pointers given should be a start for anyone willing to contribute a solution!

[mohammadalizabihitari]

I am currently working on this issue and will keep you updated.