Some way to pass "--hash" on the CLI or to ignore file:/// uris when using --require-hashes

graingert · September 19, 2020, 12:18pm

Currently I’m working around this with a custom install command, that hashes any file requirement arg and puts it into a requirements file before passing it onto pip here: https://github.com/PyCQA/modernize/pull/228/files#diff-256be86b218458267e29f38e19906417R72

I’m also proposing to use this work-around in tox https://github.com/tox-dev/tox/issues/1672

I think it would be neater to have a --require-hashes-only-for-remote-requirements flag or similar

graingert · August 15, 2021, 1:11pm

Topic		Replies	Views
Constraints files with hashes Packaging	10	2068	August 31, 2022
Error: these packages do not match the hashes from the requirements file Packaging	4	20853	August 12, 2020
Pip-secure-install: GitHub Action to always use secure install settings from pip Packaging	2	616	January 26, 2022
Dependency notation including the index URL Packaging	59	26751	November 13, 2020
Lightweight alternative to `pip check`? Packaging	5	525	August 24, 2023