I created a package and put it out on my CodeArtif...
# general
I created a package and put it out on my CodeArtifact repo. To test if everything worked, I put it in my
and tried updating my lockfile. This is consistently throwing an error now:
Copy code
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    dandelion from <https://XXX.d.codeartifact.us-west-2.amazonaws.com/pypi/XXX/simple/app/0.0.1/app-0.0.1.tar.gz#sha256=hash>:
        Expected sha256 hash
             Got        different hash
The expected hash is the one I see on CodeArtifact. My guess is that the "Got" one is from an earlier version that is cached - how can I do something like pip's
to get around this?
So ... you're mutating app 0.0.1 out in the CodeArtifact such that its hash changes from time to time?
no - I uploaded a version, tried to download it, realized there was a problem, deleted/reuploaded (v0.0.1), tried again. This should be the only time I mess with this same version, everything from now on should be "correct"
Delete / re-upload is another name for mutation! SO that will never work with a lock file. You need to re-generate the lock.
Basically, mutating artifacts in artifact repos in any ecosystem (maven central, pypi, etc) is never good! Don't do it!.
Just bump the patch version.
Versions are cheap and you let them keep their meaning as unique things.
gotcha, thanks!
(for the record,
rm ~/.cache/* -rf
also worked 🙂 )
Ok, but that only works because - presumably - you are the sole producer and consumer. If you did that for a project that had 18 dependents out in the wild, bad news for them.
yes, this is my own toy for now!