github URL version dependency not parsed appropriately from setup.py requirement

[NickHilton]

Environment

• pip version: 20.1
• Python version: 3.8.0
• OS: macOS Catalina

Description
When installing a dependency via a github URL in a setup.py file, the version is not matched and pip does not realise it needs to update the dependency.

Expected behavior
The correct version number should be parsed from the github requirement and pip should realise it needs to upgrade the version

Note: This happens with or without the -U flag

How to Reproduce

1. Get six package from pip install six==1.13.0 as a test package
2. Then have setup.py as follows:

from setuptools import setup

setup(
    name='name',
    version='version',
    install_requires=[
        "six@git+https://github.com/benjaminp/six@1.14.0",
    ],
)

3. Run pip install -e . -U in the main directory
4. The six package is not updated when it should be

Output

Requirement already satisfied: six@ git+https://github.com/benjaminp/six@1.14.0 from git+https://github.com/benjaminp/six@1.14.0 in site-packages (from name==version) (1.13.0)

• Note the discrepancy in the version it matched (1.13.0) and the version requested (1.1.4.0)

Notes

• I tried digging in to this and found that the problem could be stemming from req = REQUIREMENT.parseString(requirement_string) here
• The parser can't find a specifier in requirement_string == "six@git+https://github.com/benjaminp/six@1.14.0"
• The output of this line is

req.name == "six"
req.url == "git+https://github.com/benjaminp/six@1.14.0"
req.specifier = ""

• This means that the SpecifierSet attached to this requirement is empty and pip subsequently does not check for a specific version when seeing if the requirement is satisified
• One problem here is that the user doesn't necessarily specify a version number in the github URL part, they can specify a branch or a release tag or a commit
  • The only way for pip to check the version is probably to go to the github URL and fetch the version number before checking it later

[uranusjr]

As you said, the Git tag does not necessarily match the version number. There is no way anyone can know the version, and thus it is not viable to parse the version out of it.

The fact pip installs a different version from your expectation is entirely another issue, unrelated to the version parsing logic. As mentioned in #988 (comment), pip is now shipping a new resolver that would resolve a correct version out of the given specifiers.

[sbidoul]

See also #7678 and linked issues.

[NickHilton]

Thanks, the fact theres no version passed through is the real issue, I wasn't really sure how best to phrase it in the title of this issue. Seems like there's two separate paths for making this work - 1 parse out a version from a requirement specified like this, maybe use the tag specified as the 'version' the user required and installed for checking againtst or 2 - Retrieve the version from the URL somehow and use that to determine if a reinstall should happen.