Add --update-all option and update all dependencies with their hashes? #63
That would be totally neat! When you do So you could basically do something like this:

    if not args.packages and args.update_all:
        args.packages = get_all_current_package_names(args.file or 'requirements.txt')

(I don't know if mutating the Argparse object is a good idea, but the idea is there). I look forward to a pull request. If you struggle to test it or with how to format anything, let me know and we can complete it together.
Another option would be to make it interactive. E.g.
How does yarn do interactive upgrades?
Thanks @peterbe, I'll reach out to you in the next week.
Any luck with this one?
hashin doesn't have a dry-run functionality because it's never really been necessary. However, for a functionality like this it certainly would be useful.
hey @peterbe, I was totally busy last week and couldn't look into this. However, I'm free tomorrow and this issue is on the top of the list.
* --update-all Part of #63 * py 2.7 fix * update changelog
@peterbe YUP! I'll ping you in 10-12h with the results of QA.
@peterbe hey, I'm not sure if that's a bug, but I've noticed missing hashes in some of the dependencies. For easier debugging you can take a look at these files: I hope this bug is reproducible. Feel free to ask if you need anything :-) Thanks again!
@jotes Thanks! It's not really a bug in the code. It's just a confusion of expectations. You have a requirements file that did not already have hashes. Generally, this is not something

    $ hashin -r requirements-before-hashin.txt alembic

I think the output of that would become something like this: https://gist.github.com/peterbe/bb003c7bfbabfeaa682027234176b2fe

Then, if you try to use that file with

    $ pip install -r requirements-before-hashin.txt
    ...
    Hashes are required in --require-hashes mode, but they are missing from some requirements. Here is a list of those requirements along with the hashes their downloaded archives actually had. Add lines like these to your requirements files to prevent tampering. (If you did not enable --require-hashes manually, note that it turns on automatically when any package has a hash.)
    amqp==2.2.2 --hash=sha256:4e28d3ea61a64ae61830000c909662cb053642efddbe96503db0e7783a6ee85b
    anyjson==0.3.3 --hash=sha256:37812d863c9ad3e35c0734c42e0bf0320ce8c3bed82cd20ad54cb34d158157ba
    behave==1.2.5
    ...
In short, I don't think that's a bug in the new feature in the context of this issue. However, it's an interesting thing that will/can happen. How should Perhaps it could analyze the requirements file and do something like:

    $ hashin -r my-requirements.txt Django celery requests
    Traceback (most recent call last):
    ...
    Exception: Requirements file does not have hashes for all packages.

What do you think?
@peterbe You're right, thanks for the clarification :-) I think that an explicit exception is totally okay.
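The two pieces discussed above, the get_all_current_package_names helper sketched in the first reply and the explicit "does not have hashes for all packages" exception agreed on just above, as an added example. This is not hashin's own code; the requirements text, the function names and the exception class are constructed for illustration. It parses a pip requirements file (joining backslash-continued lines, skipping comments and pip options), lists the pinned packages, and refuses to proceed when any pinned package carries no --hash, so a partially hashed file is caught before pip rejects it in --require-hashes mode.

```python
"""Added example (not hashin's own code): list pinned packages in a pip
requirements file and fail loudly when any of them lacks a --hash."""
import re
from typing import Dict, Iterator, List

# Constructed sample requirements file, modelled on the pip output quoted
# in the thread: two hashed pins (one using a continuation line), one
# unhashed pin, and a pip option line that must be ignored.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
amqp==2.2.2 \\
    --hash=sha256:4e28d3ea61a64ae61830000c909662cb053642efddbe96503db0e7783a6ee85b
anyjson==0.3.3 --hash=sha256:37812d863c9ad3e35c0734c42e0bf0320ce8c3bed82cd20ad54cb34d158157ba
behave==1.2.5
--index-url https://pypi.org/simple
"""

# Package name at the start of a line (PEP 508 name charset), optional
# [extras], then an exact == pin; hashin works on exact pins.
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


class MissingHashesError(Exception):
    """Raised when at least one pinned package has no --hash option (hypothetical name)."""


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued physical lines into logical requirement lines."""
    buffer = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buffer += line[:-1] + " "
            continue
        buffer += line
        yield buffer.strip()
        buffer = ""
    if buffer.strip():
        yield buffer.strip()


def parse_requirements(text: str) -> Dict[str, List[str]]:
    """Map each pinned package (lower-cased) to its 'algo:hexdigest' hashes.
    Comments, blank lines and pip options (-r, --index-url, ...) are skipped;
    unpinned or URL requirements are ignored because they cannot be hashed here."""
    packages: Dict[str, List[str]] = {}
    for line in _logical_lines(text):
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        match = NAME_RE.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        packages[name] = [f"{algo}:{digest}" for algo, digest in HASH_RE.findall(line)]
    return packages


def get_all_current_package_names(text: str) -> List[str]:
    """The helper sketched in the thread: every pinned package name, in file order."""
    return list(parse_requirements(text))


def unhashed_packages(text: str) -> List[str]:
    """Names of pinned packages that carry no --hash at all."""
    return [name for name, hashes in parse_requirements(text).items() if not hashes]


def is_fully_hashed(text: str) -> bool:
    """True when every pinned package has at least one hash."""
    return not unhashed_packages(text)


def require_all_hashed(text: str) -> None:
    """The explicit exception agreed on in the thread: refuse to update a file
    that pip would reject in --require-hashes mode instead of silently
    producing a half-hashed result."""
    missing = unhashed_packages(text)
    if missing:
        raise MissingHashesError(
            "Requirements file does not have hashes for all packages: " + ", ".join(missing)
        )


if __name__ == "__main__":
    print("pinned packages:", get_all_current_package_names(SAMPLE_REQUIREMENTS))
    try:
        require_all_hashed(SAMPLE_REQUIREMENTS)
    except MissingHashesError as exc:
        print("refusing to continue:", exc)
```

Run as a script it lists amqp, anyjson and behave and then refuses because behave has no hash; the check is deliberately all-or-nothing, since pip switches --require-hashes on as soon as any package in the file has a hash.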
Hey @peterbe!
I work with a lot of legacy projects that don't add hashes to their dependencies and I'd like to improve their security.
What do you think about an option which would just scan through all entries and add hashes to them?
Currently, I'm working around this with shell scripts but maybe it's a good idea to include it here.
I can even implement it if you think it will be useful.
Thanks in advance, hashin is awesome!