pip-audit -r requirements.txt with "-r base.txt" in txt file fails #587

Closed
hugoalvarado opened this issue Mar 31, 2023 · 3 comments
Labels
bug-candidate Might be a bug. question Further information is requested

@hugoalvarado

Bug description

Using pip-audit with a requirements.txt file that has nested includes like "-r base.txt" generated an error:
No such file or directory: '/tmp/base.txt'

Reproduction steps

Create 2 txt files, base.txt and local.txt.

base.txt contents:

django==4.0.10

local.txt contents:

-r base.txt 

Run:

pip-audit -r ./local.txt

Expected behavior

All packages from both base.txt and local.txt are checked.

Screenshots and logs

ERROR:pip_audit._virtual_env:internal pip failure: ERROR: Could not open requirements file: [Errno 2] No such file or directory: '/var/folders/p6/7fr29jj169j_25jgx524j2f80000gn/T/base.txt'

ERROR:pip_audit._cli:Failed to install packages: ['/var/folders/p6/7fr29jj169j_25jgx524j2f80000gn/T/tmpjg4piseq/bin/python', '-m', 'pip', 'install', '--index-url', 'https://pypi.org/simple/', '--dry-run', '--report', '/var/folders/p6/7fr29jj169j_25jgx524j2f80000gn/T/tmp79gy3y2f', '-r', '/var/folders/p6/7fr29jj169j_25jgx524j2f80000gn/T/tmpuzbucuum']

Platform information

  • OS name and version: macOS Ventura 13.2.1 (22D68)
  • pip-audit version (pip-audit -V): pip-audit 2.5.2
  • Python version (python -V or python3 -V): Python 3.9.14
  • pip version (pip -V or pip3 -V): pip 22.0.4
@hugoalvarado hugoalvarado added the bug-candidate Might be a bug. label Mar 31, 2023
@hugoalvarado hugoalvarado changed the title pip-audit -r requirements.txt with "-r base.txt" in req file fails pip-audit -r requirements.txt with "-r base.txt" in txt file fails Mar 31, 2023
@woodruffw
Member

Hi @hugoalvarado!

It looks like you're running pip-audit 2.5.2, when the latest version is 2.5.4. Could you please upgrade and see if you're still seeing this behavior?

In particular, 2.5.4 contains a related fix to how we handle nested requirement files:

https://github.com/pypa/pip-audit/releases/tag/v2.5.4

@woodruffw woodruffw added the question Further information is requested label Mar 31, 2023
@hugoalvarado
Author

Thanks @woodruffw - looks like this has been resolved 🥳

❯ pip freeze | grep audit
pip_audit==2.5.4

❯ pip-audit -r requirements.txt
No known vulnerabilities found

@woodruffw
Member

Glad to hear it, and thanks again for reporting!
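
Added example, not part of the issue thread and not pip-audit's own code: a pre-flight check that resolves nested "-r" includes against the directory of the file that names them, so a missing include is reported with its real path before an audit runs. The names collect_requirements and demo are hypothetical, the sample files are constructed to mirror the reproduction steps, and only -r/--requirement lines are handled (a simplification of pip's requirements format).

```python
import re
from pathlib import Path

# Matches "-r base.txt", "--requirement base.txt" and "--requirement=base.txt".
_INCLUDE = re.compile(r"^(?:-r|--requirement)(?:\s+|=)(\S+)$")


def collect_requirements(path, _seen=None):
    """Return [(source_file, requirement_line), ...] for path and its nested includes.

    Nested paths are resolved against the directory of the file that names
    them, never against the current working directory or a temp directory.
    """
    path = Path(path).resolve()
    seen = set() if _seen is None else _seen
    if path in seen:  # include cycle or duplicate include: visit each file once
        return []
    seen.add(path)
    if not path.is_file():
        raise FileNotFoundError(f"requirements file not found: {path}")

    found = []
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        match = _INCLUDE.match(line)
        if match:
            nested = path.parent / match.group(1)
            found.extend(collect_requirements(nested, seen))
        else:
            found.append((path.name, line))
    return found


def demo():
    """Constructed sample mirroring the issue: local.txt includes base.txt."""
    import os, tempfile
    with tempfile.TemporaryDirectory() as project, tempfile.TemporaryDirectory() as elsewhere:
        Path(project, "base.txt").write_text("django==4.0.10\n")
        Path(project, "local.txt").write_text("-r base.txt \n")
        old = os.getcwd()
        os.chdir(elsewhere)  # run from an unrelated directory on purpose
        try:
            return collect_requirements(Path(project, "local.txt"))
        finally:
            os.chdir(old)
```

Comparing the returned list with what the audit tool reports shows whether every pinned package from the nested files was actually checked.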
