Packages do not match previous hashes

[alexbaileyuk]

At some point in the last 7 days (build cache time), the hashes for Gunicorn appear to have changed.

ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    gunicorn==20.1.0 from https://files.pythonhosted.org/packages/e4/dd/5b190393e6066286773a67dfcc2f9492058e9b57c4867a95f1ba5caf0a83/gunicorn-20.1.0-py3-none-any.whl (from -r /tmp/pipenv-g7_1pdnq-requirements/pipenv-d64a8p6k-hashed-reqs.txt (line 32)):
        Expected sha256 e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8
             Got        9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e

Our Pipefile and Pipefile.lock haven't changed since 2021.

Is this something anyone has come across or could this be a valid security concern? I wouldn't have expected the SHA256 hash to change and pipenv doesn't like it when running.

pipefile.lock.txt
pipfile.txt

[alexbaileyuk]

Thanks to https://stackoverflow.com/questions/74306906/pipenv-package-hash-does-not-match-lock-file we now know that the other file (.whl) is being used. I will close this.