# general
b
I created a package and put it out on my CodeArtifact repo. To test if everything worked, I put it in my requirements.txt and tried updating my lockfile. This is consistently throwing an error now:
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    dandelion from <https://XXX.d.codeartifact.us-west-2.amazonaws.com/pypi/XXX/simple/app/0.0.1/app-0.0.1.tar.gz#sha256=hash>:
        Expected sha256 hash
             Got        different hash
The expected hash is the one I see on CodeArtifact. My guess is that the "Got" one is from an earlier version that is cached - how can I do something like pip's --no-cache-dir to get around this?
e
So ... you're mutating app 0.0.1 out in the CodeArtifact such that its hash changes from time to time?
b
no - I uploaded a version, tried to download it, realized there was a problem, deleted/reuploaded (v0.0.1), tried again. This should be the only time I mess with this same version, everything from now on should be "correct"
e
Delete / re-upload is another name for mutation! So that will never work with a lock file. You need to re-generate the lock.
Basically, mutating artifacts in artifact repos in any ecosystem (maven central, pypi, etc) is never good! Don't do it!
Just bump the patch version.
Versions are cheap and you let them keep their meaning as unique things.
b
gotcha, thanks!
(for the record, rm ~/.cache/* -rf also worked 🙂 )
e
Ok, but that only works because - presumably - you are the sole producer and consumer. If you did that for a project that had 18 dependents out in the wild, bad news for them.
b
yes, this is my own toy for now!