Audit reports package using old dependency #458

Closed
max246 opened this issue Dec 29, 2022 · 4 comments
@max246
Contributor

max246 commented Dec 29, 2022

Thank you for reporting a potential bug in pip-audit! Please read the next parts of this template carefully:

IMPORTANT: Please do not report auditing errors (false positives or negatives) to this repository. Instead, please report them to pypa/advisory-database.

IMPORTANT: Please fill out every section below. Bug reports with missing information will be
given a lower priority or closed outright.

Please comment out or remove this line and everything above it from your report.

Bug description

Running pip-audit on my requirements.txt, which includes the package construct==2.10.68, is throwing an error saying setuptools is too old.
Once I fix the issue by setting setuptools==65.6.3, pip-audit still flags the package as using an old version.

Reproduction steps

Run pip-audit on the file; it always returns the warning

Expected behavior

Once the package is set to the correct version, it shouldn't warn anymore

Screenshots and logs

```
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/construct" in the cache
DEBUG:cachecontrol.controller:Returning cached permanent redirect response (ignoring date and etag information)
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/construct/" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 332
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 600
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:600 > 332
DEBUG:cachecontrol.controller:Looking up "https://files.pythonhosted.org/packages/e0/b7/a4a032e94bcfdff481f2e6fecd472794d9da09f474a2185ed33b2c7cad64/construct-2.10.68.tar.gz" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 774072
DEBUG:cachecontrol.controller:Ignoring unknown cache-control directive: immutable
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 365000000
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:365000000 > 774072
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/construct" in the cache
DEBUG:cachecontrol.controller:Returning cached permanent redirect response (ignoring date and etag information)
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/construct/" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 337
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 600
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:600 > 337
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/pip" in the cache
DEBUG:cachecontrol.controller:Returning cached permanent redirect response (ignoring date and etag information)
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/pip/" in the cache
WARNING:cachecontrol.controller:Cache entry deserialization failed, entry ignored
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/pip/ HTTP/1.1" 200 20574
DEBUG:cachecontrol.controller:Updating cache with response from "https://pypi.org/simple/pip/"
DEBUG:cachecontrol.controller:etag object cached for 1209600 seconds
DEBUG:cachecontrol.controller:Caching due to etag
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/setuptools" in the cache
DEBUG:cachecontrol.controller:Returning cached permanent redirect response (ignoring date and etag information)
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/setuptools/" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 363
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 600
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:600 > 363
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/wheel" in the cache
DEBUG:cachecontrol.controller:Returning cached permanent redirect response (ignoring date and etag information)
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/simple/wheel/" in the cache
WARNING:cachecontrol.controller:Cache entry deserialization failed, entry ignored
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/wheel/ HTTP/1.1" 200 11626
DEBUG:cachecontrol.controller:Updating cache with response from "https://pypi.org/simple/wheel/"
DEBUG:cachecontrol.controller:etag object cached for 1209600 seconds
DEBUG:cachecontrol.controller:Caching due to etag
DEBUG:cachecontrol.controller:Looking up "https://files.pythonhosted.org/packages/09/bd/2410905c76ee14c62baf69e3f4aa780226c1bbfc9485731ad018e35b0cb5/pip-22.3.1-py3-none-any.whl" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 774125
DEBUG:cachecontrol.controller:Ignoring unknown cache-control directive: immutable
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 365000000
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:365000000 > 774125
DEBUG:cachecontrol.controller:Looking up "https://files.pythonhosted.org/packages/4e/2e/f8e006dbaaa46ed1e762c287585b92476deb8d3ccb79b720ed3b86bc6113/setuptools-58.1.0-py3-none-any.whl" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 352
DEBUG:cachecontrol.controller:Ignoring unknown cache-control directive: immutable
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 365000000
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:365000000 > 352
DEBUG:cachecontrol.controller:Looking up "https://files.pythonhosted.org/packages/bd/7c/d38a0b30ce22fc26ed7dbc087c6d00851fb3395e9d0dac40bec1f905030c/wheel-0.38.4-py3-none-any.whl" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 774210
DEBUG:cachecontrol.controller:Ignoring unknown cache-control directive: immutable
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 365000000
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:365000000 > 774210
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/pypi/construct/2.10.68/json" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 332
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 900
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:900 > 332
DEBUG:pip_audit._cli:Auditing construct (2.10.68)
```

Platform information

  • OS name and version:
  • pip-audit version (pip-audit -V): 2.4.11
  • Python version (python -V or python3 -V): 3.9.16
  • pip version (pip -V or pip3 -V):

Additional context


@max246 max246 added the bug-candidate Might be a bug. label Dec 29, 2022
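
An added triage helper, not part of the original issue or of pip-audit's code: it lists the distribution files a debug log like the one above shows being looked up and compares them with the `==` pins in a requirements file, so the `setuptools-58.1.0` wheel stands out against the pinned `65.6.3`. The function names and the sample inputs (placeholder paths, the two pins mentioned in the report) are assumptions constructed for illustration.

```python
import re

# Distribution files that cachecontrol DEBUG lines show being looked up.
ARTIFACT = re.compile(
    r'Looking up "https://files\.pythonhosted\.org/packages/\S+/'
    r'(?P<file>[^/"]+\.(?:whl|tar\.gz|zip))"'
)

def canon(name):
    """Normalise a project name the way PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()

def split_filename(filename):
    """Return (project, version) from a wheel or sdist file name."""
    if filename.endswith(".whl"):
        name, version = filename[:-4].split("-")[:2]
    else:
        stem = re.sub(r"\.(tar\.gz|zip)$", "", filename)
        name, _, version = stem.rpartition("-")
    return canon(name), version

def fetched(log_text):
    """Set of (project, version) pairs whose files appear in the log."""
    return {split_filename(m["file"]) for m in ARTIFACT.finditer(log_text)}

def pins(requirements_text):
    """Map project -> version for exact `name==version` lines only."""
    out = {}
    for line in requirements_text.splitlines():
        m = re.fullmatch(r"([A-Za-z0-9._-]+)\s*==\s*(\S+)", line.split("#")[0].strip())
        if m:
            out[canon(m[1])] = m[2]
    return out

def outside_pins(log_text, requirements_text):
    """(project, fetched version, pinned version or None) for every mismatch."""
    wanted = pins(requirements_text)
    return sorted((n, v, wanted.get(n)) for n, v in fetched(log_text)
                  if wanted.get(n) != v)

# Constructed sample: log lines shaped like the ones in the report, with
# placeholder paths, and a requirements file holding the two pins it mentions.
P = 'DEBUG:cachecontrol.controller:Looking up "https://files.pythonhosted.org/packages/'
SAMPLE_LOG = "\n".join(P + f'00/00/placeholder/{f}" in the cache' for f in (
    "construct-2.10.68.tar.gz", "pip-22.3.1-py3-none-any.whl",
    "setuptools-58.1.0-py3-none-any.whl", "wheel-0.38.4-py3-none-any.whl"))
SAMPLE_REQS = "construct==2.10.68\nsetuptools==65.6.3\n"

if __name__ == "__main__":
    for row in outside_pins(SAMPLE_LOG, SAMPLE_REQS):
        print(row)
```

Rows with `None` in the last column are packages the log touched that the requirements file does not pin at all.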
@tetsuo-cpp
Contributor

Thanks for reporting this @max246.

I suspect that #454 should fix this. This fix has already been merged in and we should have a release in the next day or so. Either @woodruffw or I will let you know when that has happened.

@tetsuo-cpp tetsuo-cpp self-assigned this Dec 29, 2022
@max246
Contributor Author

max246 commented Dec 29, 2022

> Thanks for reporting this @max246.
>
> I suspect that #454 should fix this. This fix has already been merged in and we should have a release in the next day or so. Either @woodruffw or I will let you know when that has happened.

Thanks! Just to add extra details on how to replicate this error with Docker:

  • Pull the image: docker pull python:3.9-bullseye
  • create a requirements file with: construct==2.10.68
  • run pip-audit

@max246
Contributor Author

max246 commented Dec 29, 2022

Issue has been resolved with 2.4.12! Thank you

@max246 max246 closed this as completed Dec 29, 2022
@woodruffw
Member

Thanks for confirming!
