
Don't trust link hash in direct URL dependencies #11938

Merged (3 commits), Apr 10, 2023

Conversation

@sbidoul (Member) commented Apr 8, 2023

When package A depends on package B provided as a direct URL dependency including a hash embedded in the link, the --require-hashes option did not warn when user-supplied hashes were missing for package B.

Also add some more test coverage for link hash validation.

@sbidoul sbidoul added this to the 23.1 milestone Apr 8, 2023
@sbidoul force-pushed the fix-direct-url-hash-trusted-sbi branch from cc36902 to d0cf1ad, April 8, 2023 17:04
When a direct URL with hash is provided as a dependency, --require-hash
incorrectly considered the link hash as trusted.
@sbidoul force-pushed the fix-direct-url-hash-trusted-sbi branch from b92e496 to 453a5a7, April 10, 2023 11:21

@sbidoul (Member, Author) commented Apr 10, 2023

Rebased, 🟢 and approved, so merging. Thanks for the review @uranusjr !

@sbidoul sbidoul merged commit 5d4a974 into pypa:main Apr 10, 2023
@sbidoul sbidoul deleted the fix-direct-url-hash-trusted-sbi branch April 10, 2023 14:43
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 27, 2023