`--require-hashes` does not correctly handle pinned package with extras
What did you want to do?
Install this requirements.txt file with pip 21.0.1 or master in a new virtual environment.
A package is pinned to a non-latest version with an extra (here, requirements[security]) and another dependency requires this package without specifying the extra.
Output
Install fails with:
```
...
Collecting requests[security]==2.24.0
  Using cached requests-2.24.0-py2.py3-none-any.whl (61 kB)
Collecting six==1.15.0
  Using cached six-1.15.0-py2.py3-none-any.whl (10 kB)
Collecting urllib3==1.25.11
  Using cached urllib3-1.25.11-py2.py3-none-any.whl (127 kB)
Collecting requests<3
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    requests<3 from https://files.pythonhosted.org/packages/29/c1/24814557f1d22c56d50280771a17307e6bf87b70727d975fd6b2ce6b014a/requests-2.25.1-py2.py3-none-any.whl#sha256=c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e (from requests-extra==1.0.0b3->-r requirements.txt (line 116))
```
The resolver does not recognise that `requests[security]==2.24.0` fulfils `requests<3`, and tries to collect latest requests. This fails as it has no pinned hash.
Additional information
Installation succeeds with --use-deprecated=legacy-resolver.
If the requirements file has no hashes, installation succeeds with the new resolver: Collecting requests<3 resolves to latest requests (2.25.1) in the install output, but the pinned version (2.24.0) is what ends up installed.
If all packages are already installed in the environment, pip install succeeds (with Requirement already satisfied) even with the new resolver.
One workaround for this is to use --no-deps, which is a good idea by itself anyway (See the second warning here).
I think this might be the same issue I have encountered with pinned and hash-checking botframework-connector requirements:
Broken requirements file: requirements.txt
Steps to reproduce:
```
pip install -U pip pip-tools
pip -V
> pip 21.0.1
echo "botframework-connector==4.12.0" > requirements.in
pip-compile requirements.in --generate-hashes
pip install -r requirements.txt
```
Actual result:
```
Collecting adal==1.2.1
  Using cached adal-1.2.1-py2.py3-none-any.whl (52 kB)
Collecting botbuilder-schema==4.12.0
  Using cached botbuilder_schema-4.12.0-py2.py3-none-any.whl (34 kB)
Collecting botframework-connector==4.12.0
  Using cached botframework_connector-4.12.0-py2.py3-none-any.whl (67 kB)
Collecting certifi==2020.12.5
  Using cached certifi-2020.12.5-py2.py3-none-any.whl (147 kB)
Collecting cffi==1.14.5
  Using cached cffi-1.14.5-cp38-cp38-manylinux1_x86_64.whl (411 kB)
Collecting chardet==3.0.4
  Using cached chardet-3.0.4-py2.py3-none-any.whl (133 kB)
Collecting cryptography==3.3.2
  Using cached cryptography-3.3.2-cp36-abi3-manylinux2010_x86_64.whl (2.6 MB)
Collecting idna==2.10
  Using cached idna-2.10-py2.py3-none-any.whl (58 kB)
Collecting isodate==0.6.0
  Using cached isodate-0.6.0-py2.py3-none-any.whl (45 kB)
Collecting msal==1.6.0
  Using cached msal-1.6.0-py2.py3-none-any.whl (50 kB)
Collecting msrest==0.6.10
  Using cached msrest-0.6.10-py2.py3-none-any.whl (82 kB)
Collecting oauthlib==3.1.0
  Using cached oauthlib-3.1.0-py2.py3-none-any.whl (147 kB)
Collecting pycparser==2.20
  Using cached pycparser-2.20-py2.py3-none-any.whl (112 kB)
Collecting pyjwt[crypto]==1.5.3
  Using cached PyJWT-1.5.3-py2.py3-none-any.whl (17 kB)
Collecting python-dateutil==2.8.1
  Using cached python_dateutil-2.8.1-py2.py3-none-any.whl (227 kB)
Collecting requests-oauthlib==1.3.0
  Using cached requests_oauthlib-1.3.0-py2.py3-none-any.whl (23 kB)
Collecting requests==2.23.0
  Using cached requests-2.23.0-py2.py3-none-any.whl (58 kB)
Collecting six==1.15.0
  Using cached six-1.15.0-py2.py3-none-any.whl (10 kB)
Collecting urllib3==1.25.11
  Using cached urllib3-1.25.11-py2.py3-none-any.whl (127 kB)
Collecting PyJWT>=1.0.0
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    PyJWT>=1.0.0 from https://files.pythonhosted.org/packages/b4/9b/8850f99027ed029af6828199cc87179eaccbbf1f9e6e373e7f0177d32dad/PyJWT-2.0.1-py3-none-any.whl#sha256=b70b15f89dc69b993d8a8d32c299032d5355c82f9b5b7e851d1a6d706dffe847 (from adal==1.2.1->-r requirements.txt (line 7))
```
Workaround
Either install pip <= 20.3.1, use @tonybajan's `--use-deprecated=legacy-resolver` option, or use @maljub01's `--no-deps` option:
```
pip install -r requirements.txt --use-deprecated=legacy-resolver
> Successfully installed adal-1.2.1 botbuilder-schema-4.12.0 botframework-connector-4.12.0 certifi-2020.12.5 cffi-1.14.5 chardet-3.0.4 cryptography-3.3.2 idna-2.10 isodate-0.6.0 msal-1.6.0 msrest-0.6.10 oauthlib-3.1.0 pycparser-2.20 pyjwt-1.5.3 python-dateutil-2.8.1 requests-2.23.0 requests-oauthlib-1.3.0 six-1.15.0 urllib3-1.25.11
pip install -r requirements.txt --no-deps
> Successfully installed adal-1.2.1 botbuilder-schema-4.12.0 botframework-connector-4.12.0 certifi-2020.12.5 cffi-1.14.5 chardet-3.0.4 cryptography-3.3.2 idna-2.10 isodate-0.6.0 msal-1.6.0 msrest-0.6.10 oauthlib-3.1.0 pycparser-2.20 pyjwt-1.5.3 python-dateutil-2.8.1 requests-2.23.0 requests-oauthlib-1.3.0 six-1.15.0 urllib3-1.25.11
```
Edit: I thought I had posted this as off-topic but after looking at the requirements.txt generated by pip-tools I see that it is specifying extras: pyjwt[crypto]
If I understand correctly, #9775 did not fix this, but made it possible to fix this?
More accurately, the basis of #9775 (#9771) makes it possible to fix this.
Thanks @uranusjr. This is currently blocking CI and deployment for pypa/warehouse, is there any workaround? If not, could you explain at a high level what I'd need to do to fix this issue in pip?
I believe it’s possible to work around this by manually “unpacking” extras, e.g. add a line to also provide hashes to requests in addition to requests[security] (using the example provided by OP).
I tried to create a failing test for this:
```python
import hashlib

# `script`, `create_basic_wheel_for_package` and `assert_installed` are
# fixtures/helpers from pip's own functional test suite.
def test_new_resolver_hash_with_extras(script):
    parent_path = create_basic_wheel_for_package(
        script, "parent", "0.1.0", depends=["child"]
    )
    parent_hash = hashlib.sha256(parent_path.read_bytes()).hexdigest()

    child_path = create_basic_wheel_for_package(
        script, "child", "0.1.0", extras={"extra": ["extra"]}
    )
    child_hash = hashlib.sha256(child_path.read_bytes()).hexdigest()

    extra_path = create_basic_wheel_for_package(script, "extra", "0.1.0")
    extra_hash = hashlib.sha256(extra_path.read_bytes()).hexdigest()

    # Every requirement is pinned with == and carries a sha256 hash.
    requirements_txt = script.scratch_path / "requirements.txt"
    requirements_txt.write_text(
        """
        child[extra]==0.1.0 --hash=sha256:{child_hash}
        parent==0.1.0 --hash=sha256:{parent_hash}
        extra==0.1.0 --hash=sha256:{extra_hash}
        """.format(
            child_hash=child_hash,
            parent_hash=parent_hash,
            extra_hash=extra_hash,
        ),
    )

    script.pip(
        "install",
        "--no-cache-dir",
        "--no-index",
        "--find-links", script.scratch_path,
        "--requirement", requirements_txt,
    )

    assert_installed(script, parent="0.1.0", child="0.1.0", extra="0.1.0")
```
but it's passing on the current main branch at e6414d6db6db37951988f6f2b11ec530ed0b191d.
Is it possible that this has already been fixed, or is my test not properly exercising this bug?
I think the failure case should be like this:
```
child==0.1.0 --hash=sha256:{child_hash}
parent==0.1.0 --hash=sha256:{parent_hash}
extra==0.1.0 --hash=sha256:{extra_hash}
```
and change `parent` to depend on `child[extra]`.
That still passes, but after looking more closely I was able to figure out what will cause it to fail:
- two parent dependencies
  - one with a dependency on a child with an extra
  - one with a dependency on a child without an extra
- a newer version of the child dependency available than is pinned
It seems like what's happening is that pip is not considering the child dependency with the extra to be equivalent to the child dependency without the extra, and attempting to install the latest version of the child dependency, and not using the existing pinned/hashed requirement when doing this, which causes the hash checking to fail.
I made a draft PR with the failing test here: https://github.com/pypa/pip/pull/9995, but I don't have time at the moment to continue working on it to fix the issue.
@di I have confirmed your theory by specifying another dependency without the extras package and everything installs
pyjwt[crypto]==1.5.3 \
--hash=sha256:500be75b17a63f70072416843dc80c8821109030be824f4d14758f114978bae7 \
--hash=sha256:a4e5f1441e3ca7b382fd0c0b416777ced1f97c64ef0c33bfa39daf38505cfd2f
+pyjwt==1.5.3 \
+ --hash=sha256:500be75b17a63f70072416843dc80c8821109030be824f4d14758f114978bae7 \
+ --hash=sha256:a4e5f1441e3ca7b382fd0c0b416777ced1f97c64ef0c33bfa39daf38505cfd2f
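Review bot: the added `pyjwt==1.5.3` entry on the `+` lines repeats both hashes of `pyjwt[crypto]==1.5.3` by hand, so the two entries can drift apart the next time the pin changes. Put a comment above the bare entry saying it mirrors the extras pin, and update both entries together whenever the version or its hashes change.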
@cas-- It may be preferable to update all the dependencies that the extra includes to the latest versions instead. By removing the extra you are possibly removing sub-dependencies your application (or a dependency of your application) needs.
@di Yeah all dependencies are specified with pip-tools as demonstrated in my previous comment.
In my example it seems that child dependency pyjwt is specified with extras in msal and without in adal.
@cas-- Ah, sorry, I missed that you were including both. That works too!
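The workaround confirmed above (a bare `name==version` entry next to the `name[extra]==version` pin, carrying the same hashes) can be checked mechanically before running `pip install --require-hashes`. This is an added example, not code from pip, pip-tools or anyone in this thread; the function names and the sample file are hypothetical and the digests are placeholders.

```python
import re


def normalize(name):
    """PEP 503 normalisation: "PyJWT", "pyjwt" and "py_jwt" are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


# name, optional [extras], ==version, then the rest (marker, --hash options).
PIN = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?:\[(?P<extras>[^\]]*)\])?\s*"
    r"==\s*(?P<version>[^\s;\\]+)(?P<rest>.*)$"
)
HASH = re.compile(r"--hash[=\s]\s*(\w+:[0-9a-fA-F]+)")


def logical_lines(text):
    """Strip comments and join backslash continuations into single lines."""
    buf = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).strip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        joined = " ".join(part for part in buf if part)
        buf = []
        if joined:
            yield joined


def missing_bare_pins(requirements_text):
    """Return entries to append: one bare pin per extras-only hashed pin.

    Extras only add dependencies; the files downloaded for name[extra] are the
    files of name itself, so the hashes are copied unchanged. The extras pin is
    left in place, so nothing the extra pulls in is dropped.
    """
    bare, extras_only = set(), {}
    for line in logical_lines(requirements_text):
        m = PIN.match(line)
        if not m:
            continue  # options, URLs and unpinned requirements are out of scope
        key = (normalize(m["name"]), m["version"])
        hashes = HASH.findall(m["rest"])
        if not (m["extras"] or "").strip():
            bare.add(key)
        elif hashes:
            marker = m["rest"].split("--hash")[0].strip()  # "; python_version ..."
            entry = extras_only.setdefault(key, (marker, []))
            entry[1].extend(h for h in hashes if h not in entry[1])
    additions = []
    for (name, version), (marker, hashes) in extras_only.items():
        if (name, version) in bare:
            continue
        head = f"{name}=={version}" + (f" {marker}" if marker else "")
        additions.append(" \\\n".join([head] + [f"    --hash={h}" for h in hashes]))
    return additions


# Constructed sample modelled on the botframework-connector case in this thread.
# H1 and H2 are placeholder digests, not real wheel hashes.
H1 = "sha256:" + "1" * 64
H2 = "sha256:" + "2" * 64
SAMPLE = f"""\
adal==1.2.1 \\
    --hash={H1}
    # via botframework-connector
msal==1.6.0 \\
    --hash={H1}
    # via botframework-connector
pyjwt[crypto]==1.5.3 \\
    --hash={H1} \\
    --hash={H2}
    # via adal, msal
"""

if __name__ == "__main__":
    for entry in missing_bare_pins(SAMPLE):
        print(entry)
```

Appending the returned entries to the requirements file and re-running the check should yield an empty list.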
Ping @di will you have time to work on this in July, or should we move this to the 21.3 milestone (October)?
I will not have time to work on this myself in July.
No worries! I’ll push this to 21.3 then.
Kicking the can down the road for this, since no one has tackled this yet.
If you're interested in funding work to get this fixed, I encourage you to reach out to the PSF's Packaging-WG.
Was this fixed? I just experienced this and noticed that upgrading from 21.1.1 to 21.3.1 seems to have fixed it.
I'm able to reproduce this bug up to 21.1.3 and it's fixed for me as of 21.2.
@di Could you rebase #9995?
@pradyunsg Done, looks like this indeed got fixed and that PR can add a test to ensure it remains fixed!
Thanks for everyone's help here!
Has anyone tried to bisect exactly what change fixed this?
Git says 73edd74c569bc3e1738aaf4ac99ac972a8ee1fb5 is the first bad commit. (`git bisect` only works for something that goes from “good” to “bad”, so in this context “bad” means “the bug was fixed”.)
So this was actually fixed in 21.2 (in July) unintentionally, and I suspect the underlying issue (hash is not picked up correctly by extra-ed packages) isn’t exactly fixed. The commit only changes behaviour for user-requested packages (i.e. those you pip install directly). So it’s still possible if we change the test to pip install one package that requires all the packages (instead of installing the packages directly), and specify hashes in a constraints file instead. But I’m not really bothered to find out; we can fix that when (if) someone actually hits an issue.
This is not fixed if you use the steps that I outlined previously using pip 21.3.1
@pradyunsg The OP's requirements file also still fails so I'm not sure why this is being closed as fixed :confused:
Reopening this, since we've fixed a subset of the cases that we'd hit this issue; not all of them.
Here's another example of this failing:
requirements.in:
alembic
sqlalchemy[asyncio]
requirements.txt:
#
# This file is autogenerated by pip-compile with python 3.8
# To update, run:
#
# pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in
#
alembic==1.7.5 \
--hash=sha256:7c328694a2e68f03ee971e63c3bd885846470373a5b532cf2c9f1601c413b153 \
--hash=sha256:a9dde941534e3d7573d9644e8ea62a2953541e27bc1793e166f60b777ae098b4
# via -r requirements.in
greenlet==1.1.2 \
--hash=sha256:00e44c8afdbe5467e4f7b5851be223be68adb4272f44696ee71fe46b7036a711 \
--hash=sha256:013d61294b6cd8fe3242932c1c5e36e5d1db2c8afb58606c5a67efce62c1f5fd \
--hash=sha256:049fe7579230e44daef03a259faa24511d10ebfa44f69411d99e6a184fe68073 \
--hash=sha256:14d4f3cd4e8b524ae9b8aa567858beed70c392fdec26dbdb0a8a418392e71708 \
--hash=sha256:166eac03e48784a6a6e0e5f041cfebb1ab400b394db188c48b3a84737f505b67 \
--hash=sha256:17ff94e7a83aa8671a25bf5b59326ec26da379ace2ebc4411d690d80a7fbcf23 \
--hash=sha256:1e12bdc622676ce47ae9abbf455c189e442afdde8818d9da983085df6312e7a1 \
--hash=sha256:21915eb821a6b3d9d8eefdaf57d6c345b970ad722f856cd71739493ce003ad08 \
--hash=sha256:288c6a76705dc54fba69fbcb59904ae4ad768b4c768839b8ca5fdadec6dd8cfd \
--hash=sha256:32ca72bbc673adbcfecb935bb3fb1b74e663d10a4b241aaa2f5a75fe1d1f90aa \
--hash=sha256:356b3576ad078c89a6107caa9c50cc14e98e3a6c4874a37c3e0273e4baf33de8 \
--hash=sha256:40b951f601af999a8bf2ce8c71e8aaa4e8c6f78ff8afae7b808aae2dc50d4c40 \
--hash=sha256:572e1787d1460da79590bf44304abbc0a2da944ea64ec549188fa84d89bba7ab \
--hash=sha256:58df5c2a0e293bf665a51f8a100d3e9956febfbf1d9aaf8c0677cf70218910c6 \
--hash=sha256:64e6175c2e53195278d7388c454e0b30997573f3f4bd63697f88d855f7a6a1fc \
--hash=sha256:7227b47e73dedaa513cdebb98469705ef0d66eb5a1250144468e9c3097d6b59b \
--hash=sha256:7418b6bfc7fe3331541b84bb2141c9baf1ec7132a7ecd9f375912eca810e714e \
--hash=sha256:7cbd7574ce8e138bda9df4efc6bf2ab8572c9aff640d8ecfece1b006b68da963 \
--hash=sha256:7ff61ff178250f9bb3cd89752df0f1dd0e27316a8bd1465351652b1b4a4cdfd3 \
--hash=sha256:833e1551925ed51e6b44c800e71e77dacd7e49181fdc9ac9a0bf3714d515785d \
--hash=sha256:8639cadfda96737427330a094476d4c7a56ac03de7265622fcf4cfe57c8ae18d \
--hash=sha256:8c790abda465726cfb8bb08bd4ca9a5d0a7bd77c7ac1ca1b839ad823b948ea28 \
--hash=sha256:8d2f1fb53a421b410751887eb4ff21386d119ef9cde3797bf5e7ed49fb51a3b3 \
--hash=sha256:903bbd302a2378f984aef528f76d4c9b1748f318fe1294961c072bdc7f2ffa3e \
--hash=sha256:93f81b134a165cc17123626ab8da2e30c0455441d4ab5576eed73a64c025b25c \
--hash=sha256:95e69877983ea39b7303570fa6760f81a3eec23d0e3ab2021b7144b94d06202d \
--hash=sha256:9633b3034d3d901f0a46b7939f8c4d64427dfba6bbc5a36b1a67364cf148a1b0 \
--hash=sha256:97e5306482182170ade15c4b0d8386ded995a07d7cc2ca8f27958d34d6736497 \
--hash=sha256:9f3cba480d3deb69f6ee2c1825060177a22c7826431458c697df88e6aeb3caee \
--hash=sha256:aa5b467f15e78b82257319aebc78dd2915e4c1436c3c0d1ad6f53e47ba6e2713 \
--hash=sha256:abb7a75ed8b968f3061327c433a0fbd17b729947b400747c334a9c29a9af6c58 \
--hash=sha256:aec52725173bd3a7b56fe91bc56eccb26fbdff1386ef123abb63c84c5b43b63a \
--hash=sha256:b11548073a2213d950c3f671aa88e6f83cda6e2fb97a8b6317b1b5b33d850e06 \
--hash=sha256:b1692f7d6bc45e3200844be0dba153612103db241691088626a33ff1f24a0d88 \
--hash=sha256:b92e29e58bef6d9cfd340c72b04d74c4b4e9f70c9fa7c78b674d1fec18896dc4 \
--hash=sha256:be5f425ff1f5f4b3c1e33ad64ab994eed12fc284a6ea71c5243fd564502ecbe5 \
--hash=sha256:dd0b1e9e891f69e7675ba5c92e28b90eaa045f6ab134ffe70b52e948aa175b3c \
--hash=sha256:e30f5ea4ae2346e62cedde8794a56858a67b878dd79f7df76a0767e356b1744a \
--hash=sha256:e6a36bb9474218c7a5b27ae476035497a6990e21d04c279884eb10d9b290f1b1 \
--hash=sha256:e859fcb4cbe93504ea18008d1df98dee4f7766db66c435e4882ab35cf70cac43 \
--hash=sha256:eb6ea6da4c787111adf40f697b4e58732ee0942b5d3bd8f435277643329ba627 \
--hash=sha256:ec8c433b3ab0419100bd45b47c9c8551248a5aee30ca5e9d399a0b57ac04651b \
--hash=sha256:eff9d20417ff9dcb0d25e2defc2574d10b491bf2e693b4e491914738b7908168 \
--hash=sha256:f0214eb2a23b85528310dad848ad2ac58e735612929c8072f6093f3585fd342d \
--hash=sha256:f276df9830dba7a333544bd41070e8175762a7ac20350786b322b714b0e654f5 \
--hash=sha256:f3acda1924472472ddd60c29e5b9db0cec629fbe3c5c5accb74d6d6d14773478 \
--hash=sha256:f70a9e237bb792c7cc7e44c531fd48f5897961701cdaa06cf22fc14965c496cf \
--hash=sha256:f9d29ca8a77117315101425ec7ec2a47a22ccf59f5593378fc4077ac5b754fce \
--hash=sha256:fa877ca7f6b48054f847b61d6fa7bed5cebb663ebc55e018fda12db09dcc664c \
--hash=sha256:fdcec0b8399108577ec290f55551d926d9a1fa6cad45882093a7a07ac5ec147b
# via sqlalchemy
importlib-metadata==4.8.2 \
--hash=sha256:53ccfd5c134223e497627b9815d5030edf77d2ed573922f7a0b8f8bb81a1c100 \
--hash=sha256:75bdec14c397f528724c1bfd9709d660b33a4d2e77387a3358f20b848bb5e5fb
# via alembic
importlib-resources==5.4.0 \
--hash=sha256:33a95faed5fc19b4bc16b29a6eeae248a3fe69dd55d4d229d2b480e23eeaad45 \
--hash=sha256:d756e2f85dd4de2ba89be0b21dba2a3bbec2e871a42a3a16719258a11f87506b
# via alembic
mako==1.1.6 \
--hash=sha256:4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2 \
--hash=sha256:afaf8e515d075b22fad7d7b8b30e4a1c90624ff2f3733a06ec125f5a5f043a57
# via alembic
markupsafe==2.0.1 \
--hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \
--hash=sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64 \
--hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b \
--hash=sha256:04635854b943835a6ea959e948d19dcd311762c5c0c6e1f0e16ee57022669194 \
--hash=sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567 \
--hash=sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff \
--hash=sha256:0d4b31cc67ab36e3392bbf3862cfbadac3db12bdd8b02a2731f509ed5b829724 \
--hash=sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74 \
--hash=sha256:168cd0a3642de83558a5153c8bd34f175a9a6e7f6dc6384b9655d2697312a646 \
--hash=sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35 \
--hash=sha256:1f2ade76b9903f39aa442b4aadd2177decb66525062db244b35d71d0ee8599b6 \
--hash=sha256:20dca64a3ef2d6e4d5d615a3fd418ad3bde77a47ec8a23d984a12b5b4c74491a \
--hash=sha256:2a7d351cbd8cfeb19ca00de495e224dea7e7d919659c2841bbb7f420ad03e2d6 \
--hash=sha256:2d7d807855b419fc2ed3e631034685db6079889a1f01d5d9dac950f764da3dad \
--hash=sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26 \
--hash=sha256:36bc903cbb393720fad60fc28c10de6acf10dc6cc883f3e24ee4012371399a38 \
--hash=sha256:37205cac2a79194e3750b0af2a5720d95f786a55ce7df90c3af697bfa100eaac \
--hash=sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7 \
--hash=sha256:3dd007d54ee88b46be476e293f48c85048603f5f516008bee124ddd891398ed6 \
--hash=sha256:4296f2b1ce8c86a6aea78613c34bb1a672ea0e3de9c6ba08a960efe0b0a09047 \
--hash=sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75 \
--hash=sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f \
--hash=sha256:4dc8f9fb58f7364b63fd9f85013b780ef83c11857ae79f2feda41e270468dd9b \
--hash=sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135 \
--hash=sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8 \
--hash=sha256:5855f8438a7d1d458206a2466bf82b0f104a3724bf96a1c781ab731e4201731a \
--hash=sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a \
--hash=sha256:5b6d930f030f8ed98e3e6c98ffa0652bdb82601e7a016ec2ab5d7ff23baa78d1 \
--hash=sha256:5bb28c636d87e840583ee3adeb78172efc47c8b26127267f54a9c0ec251d41a9 \
--hash=sha256:60bf42e36abfaf9aff1f50f52644b336d4f0a3fd6d8a60ca0d054ac9f713a864 \
--hash=sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914 \
--hash=sha256:6300b8454aa6930a24b9618fbb54b5a68135092bc666f7b06901f897fa5c2fee \
--hash=sha256:63f3268ba69ace99cab4e3e3b5840b03340efed0948ab8f78d2fd87ee5442a4f \
--hash=sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18 \
--hash=sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8 \
--hash=sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2 \
--hash=sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d \
--hash=sha256:6fcf051089389abe060c9cd7caa212c707e58153afa2c649f00346ce6d260f1b \
--hash=sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b \
--hash=sha256:89c687013cb1cd489a0f0ac24febe8c7a666e6e221b783e53ac50ebf68e45d86 \
--hash=sha256:8d206346619592c6200148b01a2142798c989edcb9c896f9ac9722a99d4e77e6 \
--hash=sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f \
--hash=sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb \
--hash=sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833 \
--hash=sha256:99df47edb6bda1249d3e80fdabb1dab8c08ef3975f69aed437cb69d0a5de1e28 \
--hash=sha256:9f02365d4e99430a12647f09b6cc8bab61a6564363f313126f775eb4f6ef798e \
--hash=sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415 \
--hash=sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902 \
--hash=sha256:aca6377c0cb8a8253e493c6b451565ac77e98c2951c45f913e0b52facdcff83f \
--hash=sha256:add36cb2dbb8b736611303cd3bfcee00afd96471b09cda130da3581cbdc56a6d \
--hash=sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9 \
--hash=sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d \
--hash=sha256:baa1a4e8f868845af802979fcdbf0bb11f94f1cb7ced4c4b8a351bb60d108145 \
--hash=sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066 \
--hash=sha256:bf5d821ffabf0ef3533c39c518f3357b171a1651c1ff6827325e4489b0e46c3c \
--hash=sha256:c47adbc92fc1bb2b3274c4b3a43ae0e4573d9fbff4f54cd484555edbf030baf1 \
--hash=sha256:cdfba22ea2f0029c9261a4bd07e830a8da012291fbe44dc794e488b6c9bb353a \
--hash=sha256:d6c7ebd4e944c85e2c3421e612a7057a2f48d478d79e61800d81468a8d842207 \
--hash=sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f \
--hash=sha256:d8446c54dc28c01e5a2dbac5a25f071f6653e6e40f3a8818e8b45d790fe6ef53 \
--hash=sha256:deb993cacb280823246a026e3b2d81c493c53de6acfd5e6bfe31ab3402bb37dd \
--hash=sha256:e0f138900af21926a02425cf736db95be9f4af72ba1bb21453432a07f6082134 \
--hash=sha256:e9936f0b261d4df76ad22f8fee3ae83b60d7c3e871292cd42f40b81b70afae85 \
--hash=sha256:f0567c4dc99f264f49fe27da5f735f414c4e7e7dd850cfd8e69f0862d7c74ea9 \
--hash=sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5 \
--hash=sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94 \
--hash=sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509 \
--hash=sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51 \
--hash=sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872
# via mako
sqlalchemy[asyncio]==1.4.27 \
--hash=sha256:015511c52c650eebf1059ed8a21674d9d4ae567ebfd80fc73f8252faccd71864 \
--hash=sha256:0438bccc16349db2d5203598be6073175ce16d4e53b592d6e6cef880c197333e \
--hash=sha256:10230364479429437f1b819a8839f1edc5744c018bfeb8d01320930f97695bc9 \
--hash=sha256:2146ef996181e3d4dd20eaf1d7325eb62d6c8aa4dc1677c1872ddfa8561a47d9 \
--hash=sha256:24828c5e74882cf41516740c0b150702bee4c6817d87d5c3d3bafef2e6896f80 \
--hash=sha256:2717ceae35e71de1f58b0d1ee7e773d3aab5c403c6e79e8d262277c7f7f95269 \
--hash=sha256:2e93624d186ea7a738ada47314701c8830e0e4b021a6bce7fbe6f39b87ee1516 \
--hash=sha256:435b1980c1333ffe3ab386ad28d7b209590b0fa83ea8544d853e7a22f957331b \
--hash=sha256:486f7916ef77213103467924ef25f5ea1055ae901f385fe4d707604095fdf6a9 \
--hash=sha256:4ac8306e04275d382d6393e557047b0a9d7ddf9f7ca5da9b3edbd9323ea75bd9 \
--hash=sha256:4d1d707b752137e6bf45720648e1b828d5e4881d690df79cca07f7217ea06365 \
--hash=sha256:52f23a76544ed29573c0f3ee41f0ca1aedbab3a453102b60b540cc6fa55448ad \
--hash=sha256:5beeff18b4e894f6cb73c8daf2c0d8768844ef40d97032bb187d75b1ec8de24b \
--hash=sha256:6510f4a5029643301bdfe56b61e806093af2101d347d485c42a5535847d2c699 \
--hash=sha256:6afa9e4e63f066e0fd90a21db7e95e988d96127f52bfb298a0e9bec6999357a9 \
--hash=sha256:771eca9872b47a629010665ff92de1c248a6979b8d1603daced37773d6f6e365 \
--hash=sha256:78943451ab3ffd0e27876f9cea2b883317518b418f06b90dadf19394534637e9 \
--hash=sha256:8327e468b1775c0dfabc3d01f39f440585bf4d398508fcbbe2f0d931c502337d \
--hash=sha256:8dbe5f639e6d035778ebf700be6d573f82a13662c3c2c3aa0f1dba303b942806 \
--hash=sha256:9134e5810262203388b203c2022bbcbf1a22e89861eef9340e772a73dd9076fa \
--hash=sha256:9369f927f4d19b58322cfea8a51710a3f7c47a0e7f3398d94a4632760ecd74f6 \
--hash=sha256:987fe2f84ceaf744fa0e48805152abe485a9d7002c9923b18a4b2529c7bff218 \
--hash=sha256:a5881644fc51af7b232ab8d64f75c0f32295dfe88c2ee188023795cdbd4cf99b \
--hash=sha256:a81e40dfa50ed3c472494adadba097640bfcf43db160ed783132045eb2093cb1 \
--hash=sha256:aadc6d1e58e14010ae4764d1ba1fd0928dbb9423b27a382ea3a1444f903f4084 \
--hash=sha256:ad8ec6b69d03e395db48df8991aa15fce3cd23e378b73e01d46a26a6efd5c26d \
--hash=sha256:b02eee1577976acb4053f83d32b7826424f8b9f70809fa756529a52c6537eda4 \
--hash=sha256:bac949be7579fed824887eed6672f44b7c4318abbfb2004b2c6968818b535a2f \
--hash=sha256:c035184af4e58e154b0977eea52131edd096e0754a88f7d5a847e7ccb3510772 \
--hash=sha256:c7d0a1b1258efff7d7f2e6cfa56df580d09ba29d35a1e3f604f867e1f685feb2 \
--hash=sha256:cc49fb8ff103900c20e4a9c53766c82a7ebbc183377fb357a8298bad216e9cdd \
--hash=sha256:d768359daeb3a86644f3854c6659e4496a3e6bba2b4651ecc87ce7ad415b320c \
--hash=sha256:d81c84c9d2523b3ea20f8e3aceea68615768a7464c0f9a9899600ce6592ec570 \
--hash=sha256:ec1c908fa721f2c5684900cc8ff75555b1a5a2ae4f5a5694eb0e37a5263cea44 \
--hash=sha256:fa52534076394af7315306a8701b726a6521b591d95e8f4e5121c82f94790e8d \
--hash=sha256:fd421a14edf73cfe01e8f51ed8966294ee3b3db8da921cacc88e497fd6e977af
# via
# -r requirements.in
# alembic
zipp==3.6.0 \
--hash=sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832 \
--hash=sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc
# via
# importlib-metadata
# importlib-resources
Result:
```
$ docker run -v `pwd`:/tmp -it python python -m pip install -r /tmp/requirements.txt
Collecting alembic==1.7.5
  Downloading alembic-1.7.5-py3-none-any.whl (209 kB)
     |████████████████████████████████| 209 kB 1.9 MB/s
Collecting greenlet==1.1.2
  Downloading greenlet-1.1.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (153 kB)
     |████████████████████████████████| 153 kB 3.0 MB/s
Collecting importlib-metadata==4.8.2
  Downloading importlib_metadata-4.8.2-py3-none-any.whl (17 kB)
Collecting importlib-resources==5.4.0
  Downloading importlib_resources-5.4.0-py3-none-any.whl (28 kB)
Collecting mako==1.1.6
  Downloading Mako-1.1.6-py2.py3-none-any.whl (75 kB)
     |████████████████████████████████| 75 kB 2.0 MB/s
Collecting markupsafe==2.0.1
  Downloading MarkupSafe-2.0.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (30 kB)
Collecting sqlalchemy[asyncio]==1.4.27
  Downloading SQLAlchemy-1.4.27-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.6 MB)
     |████████████████████████████████| 1.6 MB 2.1 MB/s
Collecting zipp==3.6.0
  Downloading zipp-3.6.0-py3-none-any.whl (5.3 kB)
Collecting SQLAlchemy>=1.3.0
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    SQLAlchemy>=1.3.0 from https://files.pythonhosted.org/packages/8a/40/de81014e1ddcef95a7fd6cf12f3e72e771fe5709a6b3f6129146fc69ba45/SQLAlchemy-1.4.28-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl#sha256=2019b332cf4f9a513133fdf056dc4cecec7fbae7016ebc574d0f310103eed7ee (from alembic==1.7.5->-r /tmp/requirements.txt (line 7))
```
Kicking the can down the road for this, since this needs someone to step up, sit with the resolver and a debugger and spend a decent amount of time on this. That hasn't happened yet, and I don't think it's happening for this release.
@di pip@main branch works with your example @cas-- and does not work with yours... (4.12.0, but works with latest botframework-connector) https://github.com/pypa/pip/issues/9644#issue-813456623 still fails
this should be fixed by https://github.com/pypa/pip/issues/9243#issuecomment-756072721, because the problem is not extras. @pradyunsg where should pip check if only one candidate is available?
Experiencing similar issue when using poetry and pip:
requirements.txt (snippet):
```
tzdata==2022.1; python_version >= "3.6" and python_full_version < "3.0.0" and platform_system == "Windows" or python_full_version >= "3.6.0" and python_version < "4" and python_version >= "3.6" and platform_system == "Windows" \
    --hash=sha256:238e70234214138ed7b4e8a0fab0e5e13872edab3be586ab8198c407620e2ab9 \
    --hash=sha256:8b536a8ec63dc0751342b3984193a3118f8fca2afe25752bb9b7fffd398552d3
```
but still get the following error when I run pip install -r requirements.txt:
```
Collecting tzdata
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    tzdata from http://.../tzdata-2022.1-py2.py3-none-any.whl#sha256=238e70234214138ed7b4e8a0fab0e5e13872edab3be586ab8198c407620e2ab9 (from pytz-deprecation-shim==0.1.0.post0->-r /requirements.txt (line 168))
```