BUG: pip install -e . dinged for not using hashes, but it can't (#2228)
Comments
Thanks for the report. So I think the fix is for scorecard to verify that no
Do you think ignoring
Definitely ignoring
I don't know how the URL works. Does pip fetch the URL and search for a requirement.txt? Or does it simply take the URL as being the source code? Is the source code guaranteed to be immutable (which is the property we're looking for)?
The local file path or the URL are the same: they are a place to get an installable directory of files. A difference is that the URL could include a SHA that would make it immutable. So perhaps the rule should be a local file path, or a URL with a SHA?
Yes that would work. Can you provide an example of
This seems to be the best docs: https://pip.pypa.io/en/stable/topics/vcs-support/ Some syntaxes to support (shell quoting may or may not be needed, and of course -e is possible):
Are shortened hashes OK?
Maybe the simplest solution is to match against
Thanks for the link!
Sure, that couldn't hurt. Ping me on the change, I would like to understand better how this code works. |
Thanks, but I've never written Go, so you should not wait for a pull request from me... :) |
Describe the bug
My project (https://deps.dev/pypi/coverage) gets a warning about pinned dependencies:
The line in question is:
I think scorecard is looking for the --require-hashes option, but it's not allowed with -e. This is what happens when I try:
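The rule the thread converges on (a local path, or a VCS URL carrying a commit SHA, counts as pinned; a normal package needs --hash) could be checked per requirements.txt line like this. This is an added Python example, not scorecard's own Go code; the requirement lines are constructed, and treating abbreviated commit ids as unpinned is an assumption, since the thread leaves that question open.

```python
import re

# Constructed requirement lines for the example (not taken from the issue).
SAMPLE_REQUIREMENTS = [
    "-e .",
    "-e ./vendor/mylib[dev]",
    "-e git+https://github.com/example/pkg.git@0123456789abcdef0123456789abcdef01234567#egg=pkg",
    "git+https://github.com/example/pkg.git@main#egg=pkg",
    "git+https://github.com/example/pkg.git@0123456#egg=pkg",
    "requests==2.31.0 --hash=sha256:" + "ab" * 32,
    "requests==2.31.0",
    "# comment line",
]

VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")
FULL_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")  # full git/hg commit id


def classify(line: str) -> str:
    """Return a pin status for one requirements.txt line.

    Assumed policy: a local path is pinned because nothing is fetched over the
    network; a VCS URL is pinned only when its @rev is a full 40-hex commit id
    (abbreviated ids are treated as unpinned); a package is pinned only when a
    --hash option is present (what --require-hashes would enforce).
    """
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return "skip"
    if tokens[0] in ("-e", "--editable"):
        tokens = tokens[1:]  # editable install: the target follows the flag
        if not tokens:
            return "skip"
    target = tokens[0]
    base = target.split("[", 1)[0]  # drop extras such as .[dev]
    if base == "." or base.startswith(("./", "../", "/", "file:")):
        return "pinned:local-path"
    if target.startswith(VCS_PREFIXES):
        url = target.split("#", 1)[0]  # drop the #egg=... fragment
        rev = url.rsplit("@", 1)[1] if "@" in url else ""
        return "pinned:vcs-commit" if FULL_COMMIT_RE.match(rev) else "unpinned:vcs-ref"
    if any(t.startswith("--hash=") for t in tokens[1:]):
        return "pinned:hash"
    return "unpinned:no-hash"


def report(lines):
    """Map every requirement line to its pin status."""
    return {ln: classify(ln) for ln in lines}
```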