tox4: fails to process requirement files with --hash #2373
Comments
Remove hashes from the deps pins as they are not compatible with either dependabot or tox4. Related: tox-dev/tox#2373
PRs are welcome 👍 Note we do support hashes, see https://github.com/tox-dev/tox/blob/rewrite/tests/tox_env/python/pip/req/test_file.py#L241-L272, so there must be some edge case with it.
I'm seeing this too with the beta 2 release, e.g. this run
After a little debugging I can see that the support for I think the problem is that the parser from
Add a test case for issue tox-dev#2373
* Specifying `--hash` in the deps list doesn't work (pip would reject this anyway).
* Specifying `--hash` in a requirements.txt file named in the deps list should work, and recursive parsing should correctly extract the hash.

Remove `cli_only` parameter from `build_parser`. Remove special case handling for `--hash` option (only valid in requirements.txt files, not `pip install`). Validate options in PythonDeps._parse_requirements:
* Only check "cli_only" logic for ParsedRequirement objects that directly come from the PythonDeps.
* Allow included requirements.txt lines to correctly parse `--hash` (Fix tox-dev#2373).
* Provides a more contextual error message to end users when `--hash` is used in the deps list.

…2547)
* [test case] tox4: fails to process requirement files with --hash
  Add a test case for issue #2373
  * Specifying `--hash` in the deps list doesn't work (pip would reject this anyway).
  * Specifying `--hash` in a requirements.txt file named in the deps list should work, and recursive parsing should correctly extract the hash.
* PythonDeps: move cli_only handling logic to _parse_requirements
  Remove `cli_only` parameter from `build_parser`. Remove special case handling for `--hash` option (only valid in requirements.txt files, not `pip install`). Validate options in PythonDeps._parse_requirements:
  * Only check "cli_only" logic for ParsedRequirement objects that directly come from the PythonDeps.
  * Allow included requirements.txt lines to correctly parse `--hash` (Fix #2373).
  * Provides a more contextual error message to end users when `--hash` is used in the deps list.
* changelog for issue #2373
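The behaviour the fix describes, as an added illustration that is not tox's own code: a simplified deps parser (names `parse_deps`, `_parse_entries`, `DepsError` and the sample files are assumptions) that rejects `--hash` on an entry given directly in the deps list with a contextual error, but follows `-r` includes and extracts the hashes from the included requirements files, including nested ones and pip-compile style backslash continuations.

```python
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Matches pip's --hash=<alg>:<hexdigest> option (also the "--hash <alg>:<digest>" form).
HASH_RE = re.compile(r"--hash[= ]([a-z0-9]+):([0-9a-f]+)")

@dataclass
class ParsedRequirement:
    requirement: str
    hashes: list = field(default_factory=list)
    from_file: bool = False  # True when the line came from an included requirements file

class DepsError(ValueError):
    pass  # raised for options that are only valid inside a requirements file

def _parse_entries(lines, base: Path, from_file: bool):
    reqs = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # simplified comment handling
        if not line:
            continue
        if line.startswith(("-r ", "--requirement ")):
            # Included files are parsed recursively with from_file=True, so --hash is accepted there.
            nested = base / line.split(None, 1)[1]
            joined = nested.read_text().replace("\\\n", " ")  # undo backslash line continuations
            reqs.extend(_parse_entries(joined.splitlines(), nested.parent, True))
            continue
        hashes = [f"{alg}:{digest}" for alg, digest in HASH_RE.findall(line)]
        if hashes and not from_file:
            raise DepsError(f"--hash is only valid in a requirements file, not in a deps entry: {line!r}")
        reqs.append(ParsedRequirement(" ".join(HASH_RE.sub("", line).split()), hashes, from_file))
    return reqs

def parse_deps(deps, base: Path):
    # Entries given directly in the deps list are the "cli" context: no --hash allowed there.
    return _parse_entries(deps, base, from_file=False)

# Constructed sample files (fake digests) in the style of pip-compile output.
SAMPLE_REQS = ("black==22.3.0 \\\n    --hash=sha256:" + "11" * 32 + " \\\n"
               "    --hash=sha256:" + "22" * 32 + "\n-r nested.txt\n")
SAMPLE_NESTED = "click==8.1.3 --hash=sha256:" + "33" * 32 + "\n"

def demo():
    # Returns (parsed requirements, whether a direct --hash deps entry was rejected).
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "requirements.txt").write_text(SAMPLE_REQS)
        (base / "nested.txt").write_text(SAMPLE_NESTED)
        parsed = parse_deps(["-r requirements.txt", "pytest>=7"], base)
        try:
            parse_deps(["black==22.3.0 --hash=sha256:" + "11" * 32], base)
            rejected = False
        except DepsError:
            rejected = True
    return parsed, rejected
```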
There is a regression on tox4 where it fails to parse requirement files that contain hashes. While these are not very popular, they are still recommended for security reasons, as they protect against potential hacks on the PyPI registry.
Example of file that causes tox4 to fail, while it works fine with tox3: https://github.com/ansible/ansible-language-server/blob/v0.5.0/docs/requirements.txt
It should be remarked that these files are produced by pip-compile (pip-tools).
Note: I temporarily removed the hashes from the lock file, but we cannot really ignore this issue.