Support upgrading hashes with --fix #589

Open
q0w opened this issue Apr 3, 2023 · 5 comments
Labels: bug (Something isn't working)

Comments

@q0w

q0w commented Apr 3, 2023

Bug description

pip-audit --fix does not update package hashes

Reproduction steps

echo "redis==4.4.3" > requirements.in
pip-compile -q --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
pip-audit -r requirements.txt --require-hashes --no-deps --fix

Expected behavior

pip-audit --fix updates not only package versions but also package hashes.

Screenshots and logs

before

#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
#
async-timeout==4.0.2 \
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
    # via redis
redis==4.4.3 \
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
    # via -r requirements.in

after

#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
#
async-timeout==4.0.2 \
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
# via redis
redis==4.4.4 \
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
# via -r requirements.in

Platform information

  • OS name and version: Arch Linux
  • pip-audit version (pip-audit -V): pip-audit 2.5.4
  • Python version (python -V or python3 -V): Python 3.10.10
  • pip version (pip -V or pip3 -V): pip 23.0.1

Additional context

@q0w q0w added the enhancement New feature or request label Apr 3, 2023
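The condition in the report can be checked for before installing. The following is an added example, not part of the thread and not pip-audit's own code: it compares a hashed requirements file before and after a fix and lists the pins whose version changed while their `--hash` values did not. `parse_pins` and `stale_hash_pins` are hypothetical helper names; the sample data is the pins from the report, with the "after" text derived by changing only the redis version, as `--fix` did.

```python
import re

# "name==version" at the start of a line, and every "--hash=alg:digest" option.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\;]+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+:[0-9a-f]+)")


def parse_pins(text):
    """Map each pinned name to (version, frozenset of its --hash values)."""
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and "# via ..." annotations carry no pin data
        match = PIN_RE.match(line)
        if match:
            current = match.group(1).lower()
            pins[current] = (match.group(2), set())
        if current:
            pins[current][1].update(HASH_RE.findall(line))
    return {name: (ver, frozenset(hs)) for name, (ver, hs) in pins.items()}


def stale_hash_pins(before, after):
    """Names whose pinned version changed while the hash set stayed identical."""
    old, new = parse_pins(before), parse_pins(after)
    return sorted(
        name for name, (ver, hashes) in new.items()
        if name in old and old[name][0] != ver and hashes and old[name][1] == hashes
    )


# Pins copied from the "before" file in the report.
BEFORE = r"""async-timeout==4.0.2 \
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
    # via redis
redis==4.4.3 \
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
    # via -r requirements.in
"""
# The "after" file differs in the redis version only; its hashes are unchanged.
AFTER = BEFORE.replace("redis==4.4.3", "redis==4.4.4")

if __name__ == "__main__":
    print(stale_hash_pins(BEFORE, AFTER))
```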
@woodruffw
Member

Thanks for the report @q0w -- like #564, this sounds like a bug, so we'd appreciate it if you'd use the bug template.

@woodruffw woodruffw added bug-candidate Might be a bug. and removed enhancement New feature or request labels Apr 3, 2023
@q0w
Author

q0w commented Apr 4, 2023

Updated

@woodruffw
Member

Thanks! Assigning @tetsuo-cpp for triage.

@tetsuo-cpp tetsuo-cpp added bug Something isn't working and removed bug-candidate Might be a bug. labels Apr 5, 2023
@tetsuo-cpp
Contributor

Thanks for reporting this @q0w! We should definitely support updating hashes with --fix.

@tetsuo-cpp
Contributor

@di We discussed this issue briefly yesterday. I can confirm that we've never supported this before so this isn't a 2.5.x regression. I think it's still worth making this one a priority though.
