Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

--generate-hashes should generate missing hashes for pinned packages #2962

Closed
CharString opened this issue Apr 10, 2024 · 1 comment · Fixed by #2966
Closed

--generate-hashes should generate missing hashes for pinned packages #2962

CharString opened this issue Apr 10, 2024 · 1 comment · Fixed by #2966
Assignees
@charliermarsh
Labels
bug Something isn't working

Comments

@CharString
Copy link

Since #2532 uv "preserves" hashes for pinned packages. This is correct, but if no hash is present for a pinned package, a hash should still be generated.

When "turning on --generate-hashes" for a project, I don't want to run with --update, but I do want to generate hashes for pinned versions. Because pip will expect all hashes to be present:

ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)

Workaround: rollback to uv 0.1.22 when preservation of hashes wasn't implemented yet.
@charliermarsh
Copy link
Member

I think that makes sense. Can change it...

@charliermarsh charliermarsh self-assigned this Apr 10, 2024
@zanieb zanieb added the bug Something isn't working label Apr 10, 2024
@charliermarsh charliermarsh mentioned this issue Apr 10, 2024
Merged
charliermarsh added a commit that referenced this issue Apr 10, 2024
@charliermarsh
Update hashes without --upgrade if not present (#2966)
d832355 
## Summary

If the user runs with `--generate-hashes`, and the lockfile doesn't
contain _any_ hashes for a package (despite being pinned), we should add
new hashes. This mirrors running `uv pip compile --generate-hashes` for
the first time with an existing lockfile.

Closes #2962.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@charliermarsh charliermarsh

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update hashes without --upgrade if not present astral-sh/uv
3 participants
@CharString @charliermarsh @zanieb