Order of hashes in pip lock file #4321

pcorpet · 2021-10-15T07:51:05Z

Dependabot is creating commits with diffs that are conflicting with other tools, because the order of the hash values is not lexicographical.

--- a/third_party/requirements_lock.txt
+++ b/third_party/requirements_lock.txt
-certifi==2021.5.30 \
-    --hash=sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee \
-    --hash=sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8
+certifi==2021.10.8 \
+    --hash=sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569 \
+    --hash=sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872

Note that the second hash value starts with 7 which should be before the first one starting with d.

The fix could be in here. I've pinged the underlying library to check if we could expect the ordering to be lexicographical as well.

The text was updated successfully, but these errors were encountered:

jurre · 2021-10-15T08:52:54Z

Thanks for reporting this! Let's see what the hashin maintainer says, if they're not able to fix it on their end right now we can patch it up on our side.

pcorpet · 2022-01-10T08:16:54Z

@jurre, hashin v0.17.0 is out and contain my fix. As soon as #4610 is accepted and merged, we can close this bug.

xlgmokha added L: python:pip Python packages via pip T: bug 🐞 Something isn't working labels Nov 4, 2021

jeffwidman closed this as completed Feb 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Order of hashes in pip lock file #4321

Order of hashes in pip lock file #4321

pcorpet commented Oct 15, 2021

jurre commented Oct 15, 2021

pcorpet commented Jan 10, 2022

Order of hashes in pip lock file #4321

Order of hashes in pip lock file #4321

Comments

pcorpet commented Oct 15, 2021

jurre commented Oct 15, 2021

pcorpet commented Jan 10, 2022