requires-hashes error lists different version of requested package
I have a single version pin in a Pipfile. For reference:
- pipenv 3.5.3
- pipsi 0.9
- python 2.7.5
- CentOS 7.3.1611
When I try to pipenv install this environment from scratch, I get a requires-hashes error that lists the most recent patch version of the package I requested instead of the version I pinned in my Pipfile. Strangely enough, I feel like this was all working this past weekend.
Here are my steps to reproduce:
$ pwd
/home/sysext/tmp/requires_hashes
$ ls
Pipfile
$ cat Pipfile
# vi: filetype=toml:
[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
[packages]
salt-ssh = "==2016.11.2"
$ command -v pipenv
/home/sysext/.local/bin/pipenv
$ pipenv --version
pipenv, version 3.5.3
$ pipenv install
Creating a virtualenv for this project...
⠋New python executable in /home/sysext/tmp/requires_hashes/.venv/bin/python2
Also creating executable in /home/sysext/tmp/requires_hashes/.venv/bin/python
Installing setuptools, pip, wheel...done.
Virtualenv location: /home/sysext/tmp/requires_hashes/.venv
No package provided, installing all dependencies.
Pipfile found at /home/sysext/tmp/requires_hashes/Pipfile. Considering this to be the project home.
Pipfile.lock not found, creating...
Locking [dev-packages] dependencies...
⠸Locking [packages] dependencies...
⠸Updated Pipfile.lock!
Installing dependencies from Pipfile.lock...
An error occured while installing!
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
salt-ssh from https://pypi.python.org/packages/79/83/9030f606cbb7aa527404b5fd99e7505b4589ebd4d5dcbd9433583673f891/salt-ssh-2016.11.3.tar.gz#md5=27907eb91d978a4bcf99d2ce2b6d591d (from -r /tmp/tmpsCOARp-requirements.txt (line 9))
You can supply the --ignore-hashes option to 'pipenv install' to bypass this feature.
$
As you can see, the Pipfile contains:
salt-ssh = "==2016.11.2"
but the error output lists:
salt-ssh from https://.../salt-ssh-2016.11.3.tar.gz#...
If I check the generated Pipfile.lock, it also contains the version I was trying to pin (2016.11.2):
$ cat Pipfile.lock
{
"_meta": {
"hash": {
"sha256": "33f384c820733a52270ef7f68800070cce5b895371b45d51d7ebfc0d1cf4efa3"
},
"requires": {},
"sources": [
{
"url": "https://pypi.python.org/simple",
"verify_ssl": true
}
]
},
"default": {
"Jinja2": {
"hash": "sha256:a7b7438120dbe76a8e735ef7eba6048eaf4e0b7dbc530e100812f8ec462a4d50",
"version": "==2.9.5"
},
"MarkupSafe": {
"hash": "sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665",
"version": "==1.0"
},
"PyYAML": {
"hash": "sha256:592766c6303207a20efc445587778322d7f73b161bd994f227adaa341ba212ab",
"version": "==3.12"
},
"backports.ssl_match_hostname": {
"hash": "sha256:502ad98707319f4a51fa2ca1c677bd659008d27ded9f6380c79e8932e38dcdf2",
"version": "==3.5.0.1"
},
"backports_abc": {
"hash": "sha256:52089f97fe7a9aa0d3277b220c1d730a85aefd64e1b2664696fe35317c5470a7",
"version": "==0.5"
},
"certifi": {
"hash": "sha256:f74a224a9860fd5a2e9757230a7ea3eba82d6d46914780abc18e70c8b58d4bf8",
"version": "==2017.1.23"
},
"futures": {
"hash": "sha256:f7f16b6bf9653a918a03f1f2c2d62aac0cd64b1bc088e93ea279517f6b61120b",
"version": "==3.0.5"
},
"msgpack-python": {
"hash": "sha256:1a2b19df0f03519ec7f19f826afb935b202d8979b0856c6fb3dc28955799f886",
"version": "==0.4.8"
},
"requests": {
"hash": "sha256:1a720e8862a41aa22e339373b526f508ef0c8988baf48b84d3fc891a8e237efb",
"version": "==2.13.0"
},
"salt-ssh": "==2016.11.2",
"singledispatch": {
"hash": "sha256:833b46966687b3de7f438c761ac475213e53b306740f1abfaa86e1d1aae56aa8",
"version": "==3.4.0.3"
},
"six": {
"hash": "sha256:0ff78c403d9bccf5a425a6d31a12aa6b47f1c21ca4dc2573a7e2f32a97335eb1",
"version": "==1.10.0"
},
"tornado": {
"hash": "sha256:2898f992f898cd41eeb8d53b6df75495f2f423b6672890aadaf196ea1448edcc",
"version": "==4.4.2"
}
},
"develop": {}
}
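Added example (not part of the original issue and not pipenv's own code): a check over a Pipfile.lock in the layout shown above that reports entries with no recorded hash or no == pin, the two things pip's --require-hashes mode insists on, and renders the remaining entries as pip requirement lines with --hash options. In the lock above, salt-ssh is the one entry stored as a bare version string with no hash. The sample lock is constructed with placeholder digests, and audit_lock is a hypothetical helper name.

```python
import json

# Constructed sample in the Pipfile.lock layout shown in the issue.
# Digests are placeholders, not real hashes.
SAMPLE_LOCK = json.dumps({
    "default": {
        "six": {"hash": "sha256:" + "0" * 64, "version": "==1.10.0"},
        "tornado": {"hashes": ["sha256:" + "1" * 64], "version": "==4.4.2"},
        "salt-ssh": "==2016.11.2",
        "requests": {"hash": "sha256:" + "2" * 64, "version": ">=2.13"},
    },
    "develop": {},
})


def audit_lock(lock_text, sections=("default", "develop")):
    """Return (requirement_lines, problems) for a Pipfile.lock document.

    requirement_lines are pip requirement lines with --hash options for
    entries that are exactly pinned and carry a digest; problems lists the
    entries that hash-checking mode cannot accept as written.
    """
    lock = json.loads(lock_text)
    lines, problems = [], []
    for section in sections:
        for name, entry in sorted(lock.get(section, {}).items()):
            # Entries are a dict or, as for salt-ssh above, a bare string.
            if isinstance(entry, dict):
                version = entry.get("version", "")
                hashes = list(entry.get("hashes", []))  # newer list form
                if entry.get("hash"):                   # single-hash form
                    hashes.append(entry["hash"])
            else:
                version, hashes = str(entry), []
            pinned = version.startswith("==") and "*" not in version
            if not pinned:
                problems.append((name, "not pinned with =="))
            if not hashes:
                problems.append((name, "no hash recorded"))
            if pinned and hashes:
                opts = " ".join("--hash=" + h for h in hashes)
                lines.append("%s%s %s" % (name, version, opts))
    return lines, problems


if __name__ == "__main__":
    reqs, issues = audit_lock(SAMPLE_LOCK)
    print("\n".join(reqs))
    for pkg, reason in issues:
        print("PROBLEM %s: %s" % (pkg, reason))
```

Running it against a real lock file only needs the file's text passed to audit_lock; a non-empty problems list is a reason to fail a CI step before any install is attempted.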
Issue Analytics
- State:
- Created 7 years ago
- Comments:5 (3 by maintainers)
Top GitHub Comments
This should be resolved in d124103. I’ll try to get a new release cut here soon. Thanks again for pointing this out @systemexitzero 😄
@nateprewitt confirmed working, thanks!