Poetry 1.1.8 does not include the security fix for mismatching package hashes
See original GitHub issue

Hello, it appears to me that the latest Poetry release (1.1.8) does not contain this important security fix that makes Poetry actually check the hashes of downloaded files against the hashes in poetry.lock.

I tried to alter the hashes in my poetry.lock and reinstall one package on Poetry 1.1.8, and it did not complain.

Also, it's evident that this commit is not present in the chooser.py file in the release-1.1.8 branch, but it is present in the master version of the file.

It looks like some weird Git merging issue. Can we make sure this security fix gets included ASAP in the next release? Thank you 🙏🏼
Granted, now I get this error:

    • Installing auth-client (1.6.0): Failed

    AttributeError

    'Link' object has no attribute 'name'

    at ~/.pyenv/versions/3.7.9/lib/python3.7/site-packages/poetry/installation/executor.py:620 in _download_link
        616│         ).hash()
        617│     )
        618│     if archive_hash not in {f["hash"] for f in package.files}:
        619│         raise RuntimeError(
      → 620│             "Invalid hash for {} using archive {}".format(package, archive.name)

    • Installing auth-client (1.6.0): Failed

    AttributeError

    'Link' object has no attribute 'name'
WHY exactly auth-client and another package internal to my company are failing the hash check is a different and scary question. This is on a fresh clean install with no lock file.
The hash being calculated here is sha256, but the one in the lock file is md5?
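The check the issue asks for, and the md5-versus-sha256 question raised in the comment above, as an added example (not Poetry's own code): each lock entry carries an "algo:hexdigest" string, so the verifier must compute the digest with the algorithm named in that entry rather than assuming sha256. Lock entries, file names and archive bytes below are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Iterable, Mapping, Tuple

# Constructed sample: two poetry.lock-style "files" entries for one package,
# one recorded with sha256 and one with md5 (both prefixes occur in real lock files).
SAMPLE_CONTENT = b"constructed archive bytes, not a real package"
LOCK_FILES = [
    {"file": "auth_client-1.6.0-py3-none-any.whl",
     "hash": "sha256:" + hashlib.sha256(SAMPLE_CONTENT).hexdigest()},
    {"file": "auth_client-1.6.0.tar.gz",
     "hash": "md5:" + hashlib.md5(SAMPLE_CONTENT).hexdigest()},
]


def parse_lock_hash(entry: str) -> Tuple[str, str]:
    """Split 'algo:hexdigest'. An entry with no prefix is treated as sha256."""
    algo, sep, digest = entry.partition(":")
    if not sep:
        return "sha256", algo.lower()
    return algo.lower(), digest.lower()


def archive_matches_lock(archive: Path, lock_files: Iterable[Mapping[str, str]]) -> bool:
    """True only if the archive's digest, computed with the lock entry's own
    algorithm, equals the recorded digest. Unknown files and algorithms fail closed."""
    data = archive.read_bytes()
    for entry in lock_files:
        if entry["file"] != archive.name:
            continue
        algo, expected = parse_lock_hash(entry["hash"])
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:          # algorithm not available in this Python build
            return False
        return hmac.compare_digest(actual, expected)
    return False                    # archive not recorded in the lock at all


def verify_or_raise(archive: Path, lock_files: Iterable[Mapping[str, str]]) -> None:
    """Abort the install the way the traceback above does, instead of installing silently."""
    if not archive_matches_lock(archive, lock_files):
        raise RuntimeError("Invalid hash for {}".format(archive.name))


def check_download(content: bytes, filename: str) -> bool:
    """Write constructed content to a temp dir under the given name and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / filename
        path.write_bytes(content)
        return archive_matches_lock(path, LOCK_FILES)
```

A tampered lock entry or a truncated download (the partially cached wheel case) both fail the comparison and stop the install.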
It is fixed in 1.1.9, I just checked that poetry install correctly detects a corrupt hash. Thanks!