#general

brash-student-40401

12/08/2022, 4:55 PM
I created a package and put it out on my CodeArtifact repo. To test if everything worked, I put it in my `requirements.txt` and tried updating my lockfile. This is consistently throwing an error now:
```
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    dandelion from <https://XXX.d.codeartifact.us-west-2.amazonaws.com/pypi/XXX/simple/app/0.0.1/app-0.0.1.tar.gz#sha256=hash>:
        Expected sha256 hash
             Got        different hash
```
The expected hash is the one I see on CodeArtifact. My guess is that the "Got" one is from an earlier version that is cached - how can I do something like pip's `--no-cache-dir` to get around this?

enough-analyst-54434

12/08/2022, 5:10 PM
So ... you're mutating app 0.0.1 out in the CodeArtifact such that its hash changes from time to time?

brash-student-40401

12/08/2022, 5:12 PM
no - I uploaded a version, tried to download it, realized there was a problem, deleted/reuploaded (v0.0.1), tried again. This should be the only time I mess with this same version, everything from now on should be "correct"

enough-analyst-54434

12/08/2022, 5:13 PM
Delete / re-upload is another name for mutation! So that will never work with a lock file. You need to re-generate the lock.
Basically, mutating artifacts in artifact repos in any ecosystem (Maven Central, PyPI, etc.) is never good! Don't do it!
Just bump the patch version.
Versions are cheap and you let them keep their meaning as unique things.

brash-student-40401

12/08/2022, 5:15 PM
gotcha, thanks!
(for the record, `rm ~/.cache/* -rf` also worked 🙂 )

enough-analyst-54434

12/08/2022, 5:17 PM
Ok, but that only works because - presumably - you are the sole producer and consumer. If you did that for a project that had 18 dependents out in the wild, bad news for them.

brash-student-40401

12/08/2022, 7:18 PM
yes, this is my own toy for now!