
Support upgrading hashes with `--fix`

Open q0w opened this issue 2 years ago • 5 comments

Bug description

pip-audit --fix does not update package hashes

Reproduction steps

echo "redis==4.4.3" > requirements.in
pip-compile -q --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
pip-audit -r requirements.txt --require-hashes --no-deps --fix

Expected behavior

pip-audit --fix updates not only package versions but also package hashes.

Screenshots and logs

before

#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
#
async-timeout==4.0.2 \
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
    # via redis
redis==4.4.3 \
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
    # via -r requirements.in

after

#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
#
async-timeout==4.0.2 \
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
# via redis
redis==4.4.4 \
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
# via -r requirements.in

Platform information

  • OS name and version: Arch Linux
  • pip-audit version (pip-audit -V): pip-audit 2.5.4
  • Python version (python -V or python3 -V): Python 3.10.10
  • pip version (pip -V or pip3 -V): pip 23.0.1

Additional context

q0w avatar Apr 03 '23 06:04 q0w
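The mismatch this report describes, shown as an added example that is not pip-audit's or pip-compile's own code: a small parser for the pip-compile hash-pinned format, a bump that changes only the version (the reported `--fix` behaviour) beside one that regenerates the hashes with the version (the requested behaviour), and an emulation of pip's `--require-hashes` check showing that the first produces a file pip would refuse to install. Every release artifact here is a constructed byte string, so the digests are not the real PyPI ones; only the file format matches the page.

```python
"""Why bumping a hash-pinned requirement without its hashes breaks --require-hashes."""
import hashlib
import re
from dataclasses import dataclass, field, replace

# Constructed stand-ins for the sdist/wheel bytes pip would download for each release.
# Real digests come from PyPI; these exist only so the example runs offline.
ARTIFACTS = {
    ("async-timeout", "4.0.2"): [b"async-timeout-4.0.2.tar.gz (constructed)",
                                 b"async_timeout-4.0.2-py3-none-any.whl (constructed)"],
    ("redis", "4.4.3"): [b"redis-4.4.3.tar.gz (constructed)",
                         b"redis-4.4.3-py3-none-any.whl (constructed)"],
    ("redis", "4.4.4"): [b"redis-4.4.4.tar.gz (constructed)",
                         b"redis-4.4.4-py3-none-any.whl (constructed)"],
}


def release_hashes(name: str, version: str) -> list:
    """Digests pip-compile --generate-hashes would record for a release (constructed data)."""
    return sorted(hashlib.sha256(a).hexdigest() for a in ARTIFACTS[(name, version)])


@dataclass
class Pin:
    name: str
    version: str
    hashes: list                              # sha256 hex digests from --hash lines
    via: list = field(default_factory=list)   # trailing "# via ..." comment lines


PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+?)\s*\\?$")
HASH_RE = re.compile(r"^\s+--hash=sha256:(?P<digest>[0-9a-f]{64})\s*\\?$")


def parse_requirements(text: str):
    """Split a pip-compile style file into header comment lines and pins."""
    header, pins = [], []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append(Pin(m["name"], m["version"], []))
        elif (h := HASH_RE.match(line)) and pins:
            pins[-1].hashes.append(h["digest"])
        elif line.lstrip().startswith("#") and pins:
            pins[-1].via.append(line.strip())
        elif line.startswith("#"):
            header.append(line)
    return header, pins


def render(header: list, pins: list) -> str:
    """Write pins back in pip-compile's continuation-line layout."""
    out = list(header)
    for p in pins:
        parts = [f"{p.name}=={p.version}"] + [f"    --hash=sha256:{d}" for d in p.hashes]
        out.append(" \\\n".join(parts))
        out.extend(f"    {c}" for c in p.via)
    return "\n".join(out) + "\n"


def require_hashes_check(pins: list) -> list:
    """Emulate pip --require-hashes: every pin needs hashes, and each downloaded
    artifact's digest must appear among them. Returns one message per failure."""
    failures = []
    for p in pins:
        if not p.hashes:
            failures.append(f"{p.name}=={p.version}: no hash recorded")
        elif any(d not in p.hashes for d in release_hashes(p.name, p.version)):
            failures.append(f"{p.name}=={p.version}: hash mismatch")
    return failures


def bump_version_only(pins: list, name: str, new_version: str) -> list:
    """The behaviour reported in the issue: the version changes, the --hash lines stay."""
    return [replace(p, version=new_version) if p.name == name else p for p in pins]


def bump_with_hashes(pins: list, name: str, new_version: str) -> list:
    """The requested behaviour: the hashes are regenerated together with the version."""
    return [replace(p, version=new_version, hashes=release_hashes(name, new_version))
            if p.name == name else p for p in pins]


# Constructed sample in the layout of the "before" file from the report.
HEADER = ["#", "# This file is autogenerated by pip-compile (constructed sample)", "#"]
SAMPLE_BEFORE = render(HEADER, [
    Pin("async-timeout", "4.0.2", release_hashes("async-timeout", "4.0.2"), ["# via redis"]),
    Pin("redis", "4.4.3", release_hashes("redis", "4.4.3"), ["# via -r requirements.in"]),
])


def demo():
    """Apply both kinds of bump to the sample and report what --require-hashes would say."""
    _, pins = parse_requirements(SAMPLE_BEFORE)
    broken = bump_version_only(pins, "redis", "4.4.4")
    fixed = bump_with_hashes(pins, "redis", "4.4.4")
    return require_hashes_check(broken), require_hashes_check(fixed)


if __name__ == "__main__":
    broken_failures, fixed_failures = demo()
    print("version-only bump:", broken_failures or "ok")
    print("version+hash bump:", fixed_failures or "ok")
```

The version-only bump leaves `redis==4.4.4` carrying the 4.4.3 digests, which is exactly the "after" file in the report; under `--require-hashes` pip compares the downloaded 4.4.4 artifact against those digests and aborts the install, so a fix that does not regenerate hashes produces a lockfile that cannot be installed.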

Thanks for the report @q0w -- like #564, this sounds like a bug, so we'd appreciate it if you'd use the bug template.

woodruffw avatar Apr 03 '23 12:04 woodruffw

Updated

q0w avatar Apr 04 '23 12:04 q0w

Thanks! Assigning @tetsuo-cpp for triage.

woodruffw avatar Apr 04 '23 14:04 woodruffw

Thanks for reporting this @q0w! We should definitely support updating hashes with --fix.

tetsuo-cpp avatar Apr 05 '23 04:04 tetsuo-cpp

@di We discussed this issue briefly yesterday. I can confirm that we've never supported this before so this isn't a 2.5.x regression. I think it's still worth making this one a priority though.

tetsuo-cpp avatar Apr 05 '23 04:04 tetsuo-cpp