google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

Home Page: https://google.github.io/osv-scanner/

Better support for transitive deps in Python (requirements.txt)

oliverchang opened this issue · comments

Currently requirements.txt parsing does not resolve the full dependency graph.

One option here may be to integrate pip-audit into this tool (though that introduces an external dependency from a different ecosystem).

Another option would be to require hashes to be specified; this ensures that the requirements file is fully resolved (because all dependencies must have hashes specified) and this dependency resolution is unnecessary.
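The hash route proposed in the comment above, together with the unresolved-graph gap described in the issue body, as an added Go example (written for this discussion, not code from osv-scanner): a parser for the pinned-and-hashed subset of requirements.txt plus a check that reports which entries would make `pip install --require-hashes` fail. pip's hash-checking mode rejects any package it would install, transitive ones included, that is not listed with an exact `==` pin and a `--hash`, so a file that passes this check already contains the complete dependency closure and a scanner can read it as the full graph without resolving anything. The parser is deliberately narrow (assumptions: LF line endings, `--hash=` options as `pip-compile --generate-hashes` emits them, `-r`/`-e` option lines skipped, environment markers ignored); the sample file and its sha256 digests are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Requirement is one logical line of a requirements.txt (continuations joined,
// comments stripped). Covers the "name==version --hash=algo:hex" subset only.
type Requirement struct {
	Name    string   // PEP 503 normalized: lowercase, runs of "-_." collapsed to "-"
	Version string   // exact version from an "==" pin; empty for ranges or bare names
	Hashes  []string // "algo:hex" values from --hash= options
}

var (
	commentRe = regexp.MustCompile(`(^|\s)#.*$`)
	pinRe     = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([0-9A-Za-z.!+-]+)$`)
	nameRe    = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*`)
	normRe    = regexp.MustCompile(`[-_.]+`)
)

// logicalLines follows pip's order: join backslash-continued lines first
// (assumes LF line endings), then drop comments and blank lines.
func logicalLines(text string) []string {
	var out []string
	for _, l := range strings.Split(strings.ReplaceAll(text, "\\\n", " "), "\n") {
		if l = strings.TrimSpace(commentRe.ReplaceAllString(l, "")); l != "" {
			out = append(out, l)
		}
	}
	return out
}

// ParseRequirements skips option lines (-r, -e, --index-url, ...); a spec it
// cannot parse (e.g. a URL) is kept verbatim as Name and reported as unpinned.
func ParseRequirements(text string) []Requirement {
	var reqs []Requirement
	for _, line := range logicalLines(text) {
		if strings.HasPrefix(line, "-") {
			continue
		}
		spec, opts := line, ""
		if i := strings.Index(line, " --"); i >= 0 {
			spec, opts = line[:i], line[i:]
		}
		// "Name == 1.0 ; marker" becomes "Name==1.0"; the environment marker
		// does not affect the pin/hash check.
		spec = strings.SplitN(strings.Join(strings.Fields(spec), ""), ";", 2)[0]
		r := Requirement{Name: spec}
		if m := pinRe.FindStringSubmatch(spec); m != nil {
			r.Name, r.Version = normalize(m[1]), m[3]
		} else if n := nameRe.FindString(spec); n != "" {
			r.Name = normalize(n)
		}
		for _, f := range strings.Fields(opts) {
			if strings.HasPrefix(f, "--hash=") {
				r.Hashes = append(r.Hashes, strings.TrimPrefix(f, "--hash="))
			}
		}
		reqs = append(reqs, r)
	}
	return reqs
}

func normalize(name string) string { return strings.ToLower(normRe.ReplaceAllString(name, "-")) }

// CheckFullyResolved returns one "name: reason" entry per requirement that
// "pip install --require-hashes" would reject (no exact pin, or no hash).
// An empty result means the file already holds the complete transitive closure.
func CheckFullyResolved(reqs []Requirement) []string {
	var probs []string
	for _, r := range reqs {
		switch {
		case r.Version == "":
			probs = append(probs, r.Name+": not pinned with ==")
		case len(r.Hashes) == 0:
			probs = append(probs, r.Name+": pinned but no --hash")
		}
	}
	return probs
}

// sampleRequirements is a constructed file; the sha256 digests are placeholders.
var sampleRequirements = "# constructed example\n" +
	"requests==2.31.0 \\\n" +
	"    --hash=sha256:" + strings.Repeat("a", 64) + " \\\n" +
	"    --hash=sha256:" + strings.Repeat("b", 64) + "\n" +
	"Urllib3 == 2.0.4 --hash=sha256:" + strings.Repeat("c", 64) + "  # inline comment\n" +
	"certifi>=2023.7.22   # a range, so the transitive closure is unknown\n" +
	"idna==3.4   # pinned but unhashed\n" +
	"--index-url https://pypi.org/simple\n"

func main() {
	for _, p := range CheckFullyResolved(ParseRequirements(sampleRequirements)) {
		fmt.Println(p)
	}
}
```

On the sample file this prints `certifi: not pinned with ==` and `idna: pinned but no --hash`. pip switches hash-checking on implicitly as soon as any `--hash` appears, so a mixed file like this one already fails to install; the check only tells a scanner whether it may trust the file as the complete graph, it does not verify the digests themselves or contact an index.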

Or use pip-compile, which introduces pip-tools as a dependency instead: https://github.com/jazzband/pip-tools @oliverchang

Maybe deps.dev can be used here.
@oliverchang