
Hashes should get included with url dependencies in exported requirements.txt

Open blueyed opened this issue 2 years ago • 2 comments

  • Poetry version: Poetry (version 1.2.2)
  • Python version: 3.11.0
  • OS version and name: Arch Linux
  • pyproject.toml: -
  • [x] I am on the latest stable Poetry version, installed using a recommended method.
  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [x] I have consulted the FAQ and blog for any relevant entries or release notes.
  • [x] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

Given something along the lines of django-fsm-admin = { url = "https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip" } in [tool.poetry.dependencies], it results in django-fsm-admin @ https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip ; python_version >= "3.11" and python_version < "4.0" when using poetry export -f requirements.txt -o "requirements-main.txt" --only=main.

When using pip install -r requirements-main.txt it causes the following error:

ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip --hash=sha256:32bc3205cec3ec83a78dd0fd0b5f02f25d81a9689493c2580c8fdb4e02c6f4ec

I think with "url" requirements hashes can and should get included in the exported file.

For reference: this was fixed in PDM in https://github.com/pdm-project/pdm/commit/1a1f8748 (via https://github.com/pdm-project/pdm/issues/1103), where the output in requirements.txt looks as follows:

django-fsm-admin @ https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip \
    --hash=sha256:32bc3205cec3ec83a78dd0fd0b5f02f25d81a9689493c2580c8fdb4e02c6f4ec

blueyed avatar Nov 24 '22 16:11 blueyed
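An added check, not part of the issue above or of poetry-plugin-export: it reads an exported requirements.txt the way pip's --require-hashes mode does (backslash continuations, markers, --hash options), reports entries that carry no hash, and builds the hashed url line shown in the PDM output. The sample file, its all-zero hash and the hashed_url_line helper are constructed for this example.

```python
"""Flag requirements.txt entries with no --hash and build the hashed line pip expects."""
import hashlib
import re

# Constructed sample (not from the issue): the unhashed url line poetry export
# produced in the report, next to a pinned entry whose hash is a placeholder.
SAMPLE_REQUIREMENTS = """\
django-fsm-admin @ https://github.com/infarm/django-fsm-admin/archive/38f2719935be16a7c01d110651ad8ea8383bbe1d.zip ; python_version >= "3.11" and python_version < "4.0"
django==4.1.3 ; python_version >= "3.11" and python_version < "4.0" \\
    --hash=sha256:%s
""" % ("0" * 64)

HASH_OPT = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")

def logical_lines(text):
    """Join backslash-continued physical lines the way pip does."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)

def parse_requirements(text):
    """Return [(project name, [hashes])] for every requirement line."""
    reqs = []
    for line in logical_lines(text):
        line = re.sub(r"(^|\s)#.*$", "", line).strip()  # comments, but not #egg=
        if not line or line.startswith("-"):  # blank line or a global option
            continue
        hashes = [f"{alg}:{hexdigest}" for alg, hexdigest in HASH_OPT.findall(line)]
        spec = HASH_OPT.sub("", line).split(";", 1)[0]  # drop hashes and markers
        name = re.split(r"\s*@\s*|[=<>!~]=", spec, maxsplit=1)[0].strip()
        reqs.append((name, hashes))
    return reqs

def unhashed(text):
    """Names that pip's --require-hashes mode would reject."""
    return [name for name, hashes in parse_requirements(text) if not hashes]

def hashed_url_line(name, url, archive_bytes, marker=None):
    """Emit 'name @ url [; marker] \\ --hash=sha256:...' as in the PDM output above."""
    digest = hashlib.sha256(archive_bytes).hexdigest()
    head = f"{name} @ {url}" + (f" ; {marker}" if marker else "")
    return f"{head} \\\n    --hash=sha256:{digest}"
```

Running unhashed over the exported file before pip install fails the build on the missing hash instead of discovering it at install time.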

Duplicate of #146.

And, as there, IMO this belongs in poetry proper rather than here: if poetry were to include hashes in the lockfile, then this plugin would automatically export them.

dimbleby avatar Nov 24 '22 22:11 dimbleby

This should be resolved with https://github.com/python-poetry/poetry/pull/7121

dunkmann00 avatar Dec 07 '22 20:12 dunkmann00