
New dependencies in requirements.txt should include --hash #262

Closed
drdavella opened this issue Feb 14, 2024 · 0 comments · Fixed by #273
Labels: enhancement (New feature or request)

Comments

@drdavella (Member)

Using --hash when describing dependencies in requirements.txt would help to ensure that the right version is being used and validate against any potential supply chain attacks. In requirements.txt it ends up looking something like this:

SomeLibrary==1.2.3 --hash=sha256:abcdef123456...

We should make sure to add the --hash value when updating requirements.txt files. This means that it will be necessary to encode the sha256 from PyPI in the dependency object itself. We should definitely do this for our security package and we should probably do it for defusedxml as well.

As far as I can tell, using --hash is not valid with our other dependency locations such as setup.py and pyproject.toml, but it bears a bit of further investigation.

This idea was originally proposed in pixee/python-security#10
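As an added example (not code from the issue author or the codemodder project), the block below shows the mechanics behind the proposal: rendering a `name==version --hash=sha256:...` line from digests taken from the package index, parsing such a line back out of a requirements file, and checking a downloaded artifact against the pinned digests the way pip does under `--require-hashes`. The function names and the sample artifact bytes are constructed for this example; pip accepts several `--hash` entries per requirement (one per distribution file), so the code handles a list of digests rather than a single one.

```python
"""Hash-pinned requirements: build, parse, and verify (added example)."""
import hashlib
import hmac
import re

# One requirement line pinned to an exact version with at least one
# --hash=sha256:<64 hex chars> entry. Several --hash entries are allowed
# because a release usually ships more than one wheel plus an sdist.
_HASHED_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-fA-F]{64})+)\s*$"
)


def hashed_requirement(name: str, version: str, sha256_digests: list[str]) -> str:
    """Render `name==version --hash=sha256:... [--hash=sha256:...]`.

    Digests are validated up front so a malformed value cannot produce a
    line that pip rejects at install time (or that pins nothing at all).
    """
    if not sha256_digests:
        raise ValueError("at least one sha256 digest is required to pin a dependency")
    parts = [f"{name}=={version}"]
    for digest in sha256_digests:
        digest = digest.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"not a sha256 hex digest: {digest!r}")
        parts.append(f"--hash=sha256:{digest}")
    return " ".join(parts)


def parse_hashed_requirement(line: str) -> tuple[str, str, list[str]]:
    """Parse a pinned line back into (name, version, [digests]).

    Raises ValueError for lines that are not fully pinned (no '==' or no
    --hash), which is exactly the state the issue wants updated
    requirements files to avoid.
    """
    m = _HASHED_REQ_RE.match(line)
    if m is None:
        raise ValueError(f"line is not a hash-pinned requirement: {line!r}")
    digests = [h.split("sha256:", 1)[1].lower() for h in m.group("hashes").split()]
    return m.group("name"), m.group("version"), digests


def artifact_matches(data: bytes, pinned_digests: list[str]) -> bool:
    """Return True if the sha256 of `data` equals one of the pinned digests.

    Mirrors the check pip performs on each downloaded file under
    --require-hashes: a file whose digest matches none of the pins is
    refused, so a substituted or tampered artifact cannot be installed.
    """
    actual = hashlib.sha256(data).hexdigest()
    return any(hmac.compare_digest(actual, d.lower()) for d in pinned_digests)


# Constructed sample artifact standing in for a wheel downloaded from PyPI.
SAMPLE_WHEEL = b"constructed wheel contents for SomeLibrary 1.2.3"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_WHEEL).hexdigest()

if __name__ == "__main__":
    line = hashed_requirement("SomeLibrary", "1.2.3", [SAMPLE_DIGEST])
    print(line)
    name, version, digests = parse_hashed_requirement(line)
    print(name, version, "genuine artifact accepted:", artifact_matches(SAMPLE_WHEEL, digests))
    print("tampered artifact accepted:", artifact_matches(SAMPLE_WHEEL + b"\x00", digests))
```

In practice the digests passed to `hashed_requirement` would be the sha256 values published alongside each release file on the package index, recorded in the dependency object at the time the version is chosen, so the requirements line and the pin are written together rather than reconstructed later.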
