pipenv-generated requirements.txt makes pip complain about require-hashes mode

Created on 25 Feb 2018 · 5 Comments · Source: pypa/pipenv

The requirements.txt generated by pipenv lock -r makes pip install -r requirements.txt -t . generate the following error:

In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=0.6b1 from https://pypi.python.org/packages/43/41/033a273f9a25cb63050a390ee8397acbc7eae2159195d85f06f17e7be45a/setuptools-38.5.1-py2.py3-none-any.whl#md5=908b8b5e50bf429e520b2b5fa1b350e5 (from injector==0.13.4->-r requirements.txt (line 5))

Describe the issue briefly here.

Describe your environment
  1. OS Type: MacOS X 10.12.6 with macports
  2. Python version: 3.6.4
  3. Pipenv version: 10.1.0

Expected result

Dependencies being installed in current directory.

Actual result

Collecting certifi==2018.1.18 (from -r requirements.txt (line 1))
  Using cached certifi-2018.1.18-py2.py3-none-any.whl
Collecting chardet==3.0.4 (from -r requirements.txt (line 2))
  Using cached chardet-3.0.4-py2.py3-none-any.whl
Collecting click==6.7 (from -r requirements.txt (line 3))
  Using cached click-6.7-py2.py3-none-any.whl
Collecting idna==2.6 (from -r requirements.txt (line 4))
  Using cached idna-2.6-py2.py3-none-any.whl
Collecting injector==0.13.4 (from -r requirements.txt (line 5))
  Using cached injector-0.13.4-py2.py3-none-any.whl
Collecting purl==1.3.1 (from -r requirements.txt (line 6))
  Using cached purl-1.3.1-py2.py3-none-any.whl
Collecting python-dotenv==0.7.1 (from -r requirements.txt (line 7))
  Using cached python_dotenv-0.7.1-py2.py3-none-any.whl
Collecting requests==2.18.4 (from -r requirements.txt (line 8))
  Using cached requests-2.18.4-py2.py3-none-any.whl
Collecting six==1.11.0 (from -r requirements.txt (line 9))
  Using cached six-1.11.0-py2.py3-none-any.whl
Collecting typing==3.6.4 (from -r requirements.txt (line 10))
  Using cached typing-3.6.4-py3-none-any.whl
Collecting urllib3==1.22 (from -r requirements.txt (line 11))
  Using cached urllib3-1.22-py2.py3-none-any.whl
Collecting voluptuous==0.11.1 (from -r requirements.txt (line 12))
  Using cached voluptuous-0.11.1-py2.py3-none-any.whl
Collecting setuptools>=0.6b1 (from injector==0.13.4->-r requirements.txt (line 5))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=0.6b1 from https://pypi.python.org/packages/43/41/033a273f9a25cb63050a390ee8397acbc7eae2159195d85f06f17e7be45a/setuptools-38.5.1-py2.py3-none-any.whl#md5=908b8b5e50bf429e520b2b5fa1b350e5 (from injector==0.13.4->-r requirements.txt (line 5))

Steps to replicate

With this Pipfile

[[source]]

url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"


[packages]

purl = "*"
requests = "*"
python-dotenv = "*"
injector = "*"
voluptuous = "*"


[dev-packages]

"boto3" = "*"
pytest = "*"
pytest-mock = "*"
selenium = "*"
bpython = "*"
awscli = "*"

Execute

mkdir target
pipenv lock -r > target/requirements.txt
cd target && pip install -r requirements.txt -t .

All 5 comments

perhaps the solution here is to include BAD_PACKAGES in requirements.txt

I am not sure that I am able to gather all the implications but it looks like you are right. Just in case it gives you some guidance, the purpose of the commands above was to generate a zip file suitable to run as an AWS Lambda function, where normally all dependencies are copied to the package root level at build time.

Should we include BAD_PACKAGES by default? All of them? If not, which ones?

only in requirements output.

fixed in master
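
Added example, not part of the original issue thread and not pipenv's own code: a pre-flight check that reports what pip's hash-checking mode would reject in a requirements file, including a dependency such as setuptools that a listed package declares but the file omits. The sample file, its placeholder hashes, the DECLARED_DEPS map and the function names are constructed for illustration; only named requirements (no URLs or local paths) are handled.

```python
import re

NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def norm(name):
    # PEP 503 normalisation, so python_dotenv and python-dotenv compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def parse(text):
    """Yield (name, pinned, hashed) for each requirement in a requirements file."""
    text = re.sub(r"\\\r?\n", " ", text)          # join backslash continuations
    for line in text.splitlines():
        line = line.split(" #")[0].strip()        # drop trailing comments
        if not line or line[0] in "#-":           # comment or option line (-i, -r, ...)
            continue
        spec = line.split()[0].split(";")[0]      # requirement without markers/options
        name = NAME.match(spec).group(0)
        rest = re.sub(r"^\[[^\]]*\]", "", spec[len(name):])  # strip extras
        pinned = rest.startswith("==") and not re.search(r"[,*]", rest)
        yield norm(name), pinned, "--hash=" in line

def preflight(text, declared_deps):
    """Report what pip's hash-checking mode would reject for this file."""
    reqs = list(parse(text))
    report = {"hash_mode": any(h for _, _, h in reqs),
              "unpinned": [], "unhashed": [], "unlisted": []}
    if not report["hash_mode"]:
        return report                             # no --hash anywhere: mode stays off
    listed = {n for n, _, _ in reqs}
    report["unpinned"] = [n for n, p, _ in reqs if not p]
    report["unhashed"] = [n for n, _, h in reqs if not h]
    for parent, deps in declared_deps.items():
        if norm(parent) in listed:
            for dep in deps:                      # dependencies are checked too
                child = norm(NAME.match(dep).group(0))
                if child not in listed:
                    report["unlisted"].append((child, norm(parent)))
    return report

# Constructed sample; hash values are placeholders, not real digests.
SAMPLE = """\
-i https://pypi.python.org/simple
injector==0.13.4 \\
    --hash=sha256:0000
requests==2.18.4 --hash=sha256:0000
idna==2.6 --hash=sha256:0000
urllib3>=1.21.1 --hash=sha256:0000
typing==3.6.4
"""
# Assumed input: declared dependencies; the injector entry is the one in the log above.
DECLARED_DEPS = {"injector": ["setuptools>=0.6b1"],
                 "requests": ["idna>=2.5,<2.7", "urllib3>=1.21.1,<1.23"]}
```

On the sample, the report lists urllib3 as unpinned, typing as unhashed, and setuptools (required by injector) as unlisted, which is the case that stopped the install in this issue.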
