Tags: pip, python-3.8, requirements.txt, pip-compile

Getting "ERROR: In --require-hashes mode, all requirements must have their versions pinned with"


I want to use SHA256 hashes for installing pip packages, and I have all dependencies pinned in requirements.in like this:

apache-beam[gcp]==2.38.0
beautifulsoup4==4.10.0
bleach==4.1.0
certifi==2021.5.30
deepdiff==5.8.1
defusedxml==0.7.1
elasticsearch==7.17.0
firebase-admin==5.2.0
future==0.18.2
googledatastore==7.0.2
google-cloud-storage==2.1.0
google-auth==1.35.0
google-cloud-dataflow-client==0.3.1
google-cloud-logging==3.0.0
google-cloud-ndb==1.11.1
google-cloud-secret-manager==2.12.4
google-cloud-tasks==2.7.2
google-cloud-translate==3.6.1
gunicorn==20.1.0
html5lib==1.1
mailchimp3==3.0.15
mutagen==1.45.1
pillow==9.0.1
pylatexenc==2.10
pytest==6.2.5
PyYAML==6.0
redis==3.5.3
requests==2.26.0
requests-mock==1.9.3
requests-toolbelt==0.9.1
result==0.6.0
rsa==4.7.2
simplejson==3.17.5
six==1.16.0
soupsieve==2.3.1
typing-extensions==3.10.0.2
urllib3==1.26.7
webapp2==3.0.0b1
webencodings==0.5.1

FYI, I am using pip 22.1.1, python 3.8.15 and pip-compile 6.6.2. To generate hashes, I used pip-compile --generate-hashes requirements.in and then pip install --require-hashes -r requirements.txt to enable hash verification. But I am getting an error like this:

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    google-api-core[grpc]<3.0.0dev,>=1.22.1 from https://files.pythonhosted.org/packages/f7/24/a17e75c733609dce285a2dae6f56837d69a9566963c9d1cab96d788546c8/google_api_core-2.11.0-py3-none-any.whl (from firebase-admin==5.2.0->-r requirements.txt (line 179))

Please help me to understand the reason for this error and how to resolve it. Thanks

I am expecting to install the dependencies (with hash verification) without any error.


Solution

  • It still seems like an issue with pip and I found this issue exactly stating what I am trying to point out. In those error logs of my question, pip installed the latest version of google-api-core when the version was already pinned. It's more likely because of that extra grpc.

    Two solutions worked for me.

    1. Using --no-deps, which will prevent pip from looking for dependencies at installation time. I think it makes sense since dependencies are already resolved while generating the requirements file. The command will be

    pip install --require-hashes --no-deps -r requirements.txt

    2. Using the --use-deprecated=legacy-resolver option, and the command will be

    pip install --require-hashes --use-deprecated=legacy-resolver -r requirements.txt
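As an added pre-flight check (example code, not from the question or answer above, and not part of pip), the following script parses a requirements.txt in the layout pip-compile --generate-hashes produces and reports exactly the two conditions --require-hashes refuses: an entry whose version is not pinned with == and an entry with no sha256 hash. The SAMPLE text and its digests are constructed placeholders; the second entry reproduces the unpinned google-api-core[grpc] shape from the error message.

```python
import re

# Constructed placeholder digests (not real package hashes) for the sample below.
H1, H2 = "a" * 64, "b" * 64
# Constructed sample in the layout pip-compile --generate-hashes emits; the second
# entry mirrors the unpinned requirement named in the question's error output.
SAMPLE = f"""\
apache-beam[gcp]==2.38.0 \\
    --hash=sha256:{H1} \\
    --hash=sha256:{H2}
    # via -r requirements.in
google-api-core[grpc]<3.0.0dev,>=1.22.1 \\
    --hash=sha256:{H1}
certifi==2021.5.30
"""

# name, optional [extras], then the first version operator (if any)
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(===|==|~=|>=|<=|!=|<|>)?")

def parse_requirements(text):
    """Join backslash continuations and return (name, operator, hash_count)
    per requirement, skipping blank lines, comments and pip option lines."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        stripped, logical = (logical + line).strip(), ""
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = _REQ_RE.match(stripped)
        if m:
            n_hashes = len(re.findall(r"--hash=sha256:[0-9a-f]{64}", stripped))
            entries.append((m.group(1), m.group(3), n_hashes))
    return entries

def audit_requirements(text):
    """List what --require-hashes mode rejects: entries not pinned with == (or ===)
    and entries carrying no sha256 hash at all."""
    problems = []
    for name, op, n_hashes in parse_requirements(text):
        if op not in ("==", "==="):
            problems.append(f"{name}: not pinned with == (operator {op!r})")
        if n_hashes == 0:
            problems.append(f"{name}: no --hash=sha256 entry")
    return problems

if __name__ == "__main__":
    for problem in audit_requirements(SAMPLE):
        print(problem)
```

Run it against the real compiled file before pip install --require-hashes --no-deps; a clean result means every package pip will install is both pinned and hash-checked, with no transitive dependency left to the resolver.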