pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0
960 stars, 63 forks

Support upgrading hashes with `--fix` #589

Open q0w opened 1 year ago

q0w commented 1 year ago

Bug description

pip-audit --fix does not update package hashes

Reproduction steps

echo "redis==4.4.3" > requirements.in
pip-compile -q --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
pip-audit -r requirements.txt --require-hashes --no-deps --fix

Expected behavior

pip-audit --fix updates not only package versions but also package hashes.

Screenshots and logs

before

#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
#
async-timeout==4.0.2 \
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
    # via redis
redis==4.4.3 \
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
    # via -r requirements.in

after

#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes --resolver=backtracking --strip-extras
#
async-timeout==4.0.2 \
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
# via redis
redis==4.4.4 \
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
# via -r requirements.in

Platform information

Additional context
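The "after" file above is the dangerous state this report describes: the version line moved to 4.4.4, but both `--hash` pins are still the digests of the 4.4.3 artefacts, so a later `pip install --require-hashes` will reject the genuine 4.4.4 files (or, if someone hand-edits the pins away, silently lose the integrity check). The script below is an added illustration, not code from pip-audit or from this thread: it parses hash-pinned requirements in the layout pip-compile emits, flags any package whose version changed while its hash set still overlaps the old one, and shows the comparison pip's `--require-hashes` mode performs on a downloaded file. The two embedded inputs are the before/after files from the report with the header comments trimmed; everything else is an assumption for the example.

```python
"""Flag hash pins that were not regenerated after a version bump."""
import hashlib
import re
from typing import Dict, FrozenSet, List, Tuple

# package name -> (pinned version, set of "algo:hex" hash pins)
Pins = Dict[str, Tuple[str, FrozenSet[str]]]

# Constructed sample input: the "before" and "after" requirements.txt from the
# report, header comments trimmed. The hashes are the ones shown in the report.
BEFORE = """\
async-timeout==4.0.2 \\
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \\
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
    # via redis
redis==4.4.3 \\
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \\
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
    # via -r requirements.in
"""

AFTER = """\
async-timeout==4.0.2 \\
    --hash=sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15 \\
    --hash=sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c
# via redis
redis==4.4.4 \\
    --hash=sha256:9ba159120f909198e8a53053b0fb2e1593decfe1404d17589c7039e186489d48 \\
    --hash=sha256:ff1345ad81bfafc41374b7089b5a6d37d862a4ce101c139e5675f31cf46b5539
# via -r requirements.in
"""

_PIN_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)")


def _logical_lines(text: str) -> List[str]:
    """Drop comments and join backslash-continued lines into one entry each."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        entries.append((buf + line.strip()).strip())
        buf = ""
    if buf.strip():
        entries.append(buf.strip())
    return entries


def parse_pinned(text: str) -> Pins:
    """Parse 'name==version --hash=algo:hex ...' entries into a Pins mapping."""
    pins: Pins = {}
    for entry in _logical_lines(text):
        tokens = entry.split()
        match = _PIN_RE.fullmatch(tokens[0])
        if match is None:
            raise ValueError(f"not an exact pin: {tokens[0]!r}")
        name = re.sub(r"[-_.]+", "-", match.group(1)).lower()  # PEP 503 name form
        hashes = frozenset(t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash="))
        pins[name] = (match.group(2), hashes)
    return pins


def stale_hashes(before: Pins, after: Pins) -> List[Tuple[str, str, str]]:
    """Packages whose version changed but whose hash set still overlaps the old one.

    Every --hash pin is the digest of one specific release file, so a pin carried
    over from the old version cannot legitimately match any file of the new one.
    """
    findings = []
    for name, (new_ver, new_hashes) in after.items():
        if name not in before:
            continue
        old_ver, old_hashes = before[name]
        if new_ver != old_ver and new_hashes & old_hashes:
            findings.append((name, old_ver, new_ver))
    return sorted(findings)


def sha256_pin(data: bytes) -> str:
    """Render a file's digest in the 'sha256:hex' form used by --hash pins."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def artifact_allowed(data: bytes, hashes: FrozenSet[str]) -> bool:
    """The check pip makes under --require-hashes: the file must match a pin."""
    return sha256_pin(data) in hashes


if __name__ == "__main__":
    for name, old, new in stale_hashes(parse_pinned(BEFORE), parse_pinned(AFTER)):
        print(f"{name}: version moved {old} -> {new} but hashes were not regenerated")
```

Run against the two files from the report, the check reports `redis: version moved 4.4.3 -> 4.4.4 but hashes were not regenerated`, which is exactly the condition a CI step could gate on after any automated `--fix` until the hashes are regenerated (for example by rerunning `pip-compile --generate-hashes`).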

woodruffw commented 1 year ago

Thanks for the report @q0w -- like #564, this sounds like a bug, so we'd appreciate it if you'd use the bug template.

q0w commented 1 year ago

Updated

woodruffw commented 1 year ago

Thanks! Assigning @tetsuo-cpp for triage.

tetsuo-cpp commented 1 year ago

Thanks for reporting this @q0w! We should definitely support updating hashes with --fix.

tetsuo-cpp commented 1 year ago

@di We discussed this issue briefly yesterday. I can confirm that we've never supported this before so this isn't a 2.5.x regression. I think it's still worth making this one a priority though.