Missing package hashes in poetry lockfiles following PyPI warehouse change

The warehouse project (PyPI) applied a breaking change around the end of July 2022 which affects poetry lock. The releases key is no longer present in certain API responses, which poetry versions before 1.1.14 relied on to get release artifact hashes.

This can result in poetry installing dependencies without all of their hashes being stored in pyproject.toml, which can cause downstream issues such as pip install failures, especially in CI environments where the output of poetry export --format requirements.txt is fed to pip install. For example:

ERROR: Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    charset-normalizer==2.1.0 --hash=sha256:5189b6f22b01957427f35b6a08d9a0bc45b46d3788ef5a92e978433c7a35f8a5
Command /bin/sh -c '${VENV_LOCATION}/bin/pip install --requirement requirements.txt' failed with exit code 1

If you’ve gotten yourself into this situation, you can fix it by upgrading to poetry 1.1.14 or later and running:

poetry cache clear artifact --all
poetry cache clear pypi --all
rm poetry.lock
poetry install
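A pre-flight check for the CI flow described above, added here as an example and not part of poetry or pip: it parses the requirements.txt that poetry export produces (pip's own format, with backslash continuations and --hash options) and reports every requirement that carries no hash, so the problem surfaces before pip install --require-hashes runs. The sample input and its hash values are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `poetry export` output (hash values are illustrative);
# the charset-normalizer entry has lost its hashes, the failure mode described above.
SAMPLE_REQUIREMENTS = """\
certifi==2022.6.15 ; python_version >= "3.7" \\
    --hash=sha256:fe86415d55e84719d75f8b69414f6438ac3547d2078ab91b67e779ef69378412 \\
    --hash=sha256:84c85a9078b11105f04f3036a9482ae10e4621616db313fe045dd24743a0820d
charset-normalizer==2.1.0 ; python_version >= "3.6"
idna==3.3 ; python_version >= "3.5" \\
    --hash=sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff
# comment lines and blank lines are ignored, as pip ignores them

"""

_HASH_OPT = re.compile(r"--hash=([A-Za-z0-9_]+):([0-9a-fA-F]+)")
_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")  # option lines like --extra-index-url do not match

def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines into pip logical lines; drop comments and blanks."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):           # continuation: keep accumulating
            buf += line[:-1].strip() + " "
            continue
        buf = (buf + line.strip()).strip()
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    if buf.strip():                       # file ended inside a continuation
        out.append(buf.strip())
    return out

def hashes_per_requirement(text: str) -> Dict[str, List[str]]:
    """Map each requirement name (lowercased) to its pinned 'algo:hex' hashes."""
    result = {}
    for line in logical_lines(text):
        m = _NAME.match(line)
        if m:
            result[m.group(1).lower()] = [f"{a}:{h}" for a, h in _HASH_OPT.findall(line)]
    return result

def unhashed(text: str) -> List[str]:
    """Requirement names that pip --require-hashes would reject because no hash is pinned."""
    return sorted(n for n, hs in hashes_per_requirement(text).items() if not hs)
```

Run unhashed() over the exported file in CI and fail the job if the list is non-empty; that catches the missing hashes at export time rather than at install time.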
