Skip to content

Hashes should get included with url dependencies in exported requirements.txt #164

New issue
New issue
Open
Open
Hashes should get included with url dependencies in exported requirements.txt#164
@blueyed

Description

@blueyed
blueyed
opened on Nov 24, 2022
  • Poetry version: Poetry (version 1.2.2)
  • Python version: 3.11.0
  • OS version and name: Arch Linux
  • pyproject.toml: -
  • I am on the latest stable Poetry version, installed using a recommended method.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have consulted the FAQ and blog for any relevant entries or release notes.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

Given something along django-fsm-admin = { url = "https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip" } in [tool.poetry.dependencies] it results in django-fsm-admin @ https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip ; python_version >= "3.11" and python_version < "4.0" when using poetry export -f requirements.txt -o "requirements-main.txt" --only=main.

When using pip install -r requirements-main.txt it causes the following error:

ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip --hash=sha256:32bc3205cec3ec83a78dd0fd0b5f02f25d81a9689493c2580c8fdb4e02c6f4ec

I think with "url" requirements hashes can and should get included in the exported file.

For reference: this was fixed in PDM in pdm-project/pdm@1a1f8748 (via pdm-project/pdm#1103), where the output in requirements.txt looks as follows:

django-fsm-admin @ https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip \
    --hash=sha256:32bc3205cec3ec83a78dd0fd0b5f02f25d81a9689493c2580c8fdb4e02c6f4ec

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions