Missing hash for setuptools?

[Tethik]

Not sure where this issue belongs, but maybe someone here has a solution.

I have a serverless project using pipenv. One of the requirements (jira) includes setuptools as a dependency. When trying to run serverless deploy with this plugin I get the following error:

In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=20.10.1 from https://pypi.python.org/packages/32/28/16fffbead19dc705f9546134ca81090d6c266aff6173fb092bb6d8dfd76a/setuptools-36.5.0-py2.py3-none-any.whl#md5=14b28ae24ea931a752f70acaafcb1b9f (from jira==1.0.10->-r .serverless/requirements.txt (line 2))

Pipenv generates a requirements.txt with hashes, however it seems that the hash for setuptools is missing or not working. The following command does not work.

pip install -t .serverless/requirements -r .serverless/requirements.txt

However the following works (setuptools is already installed in a fresh virtualenv).

pip install -r .serverless/requirements.txt

So my guess is that the issue is either with pipenv (generating a faulty requirements.txt), pip or jira.

This is what my generated requirements.txt looks like:

lazy-object-proxy==1.3.1 --hash=sha256:209615b0fe4624d79e50220ce3310ca1a9445fd8e6d3572a896e7f9146bbf019  --hash=sha256:1b668120716eb7ee21d8a38815e5eb3bb8211117d9a90b0f8e21722c0758cc39  --hash=sha256:cb924aa3e4a3fb644d0c463cad5bc2572649a6a3f68a7f8e4fbe44aaa6d77e4c  --hash=sha256:2c1b21b44ac9beb0fc848d3993924147ba45c4ebc24be19825e57aabbe74a99e  --hash=sha256:320ffd3de9699d3892048baee45ebfbbf9388a7d65d832d7e580243ade426d2b  --hash=sha256:2df72ab12046a3496a92476020a1a0abf78b2a7db9ff4dc2036b8dd980203ae6  --hash=sha256:27ea6fd1c02dcc78172a82fc37fcc0992a94e4cecf53cb6d73f11749825bd98b  --hash=sha256:e5b9e8f6bda48460b7b143c3821b21b452cb3a835e6bbd5dd33aa0c8d3f5137d  --hash=sha256:7661d401d60d8bf15bb5da39e4dd72f5d764c5aff5a86ef52a042506e3e970ff  --hash=sha256:61a6cf00dcb1a7f0c773ed4acc509cb636af2d6337a08f362413c76b2b47a8dd  --hash=sha256:bd6292f565ca46dee4e737ebcc20742e3b5be2b01556dafe169f6c65d088875f  --hash=sha256:933947e8b4fbe617a51528b09851685138b49d511af0b6c0da2539115d6d4514  --hash=sha256:d0fc7a286feac9077ec52a927fc9fe8fe2fabab95426722be4c953c9a8bede92  --hash=sha256:7f3a2d740291f7f2c111d86a1c4851b70fb000a6c8883a59660d95ad57b9df35  --hash=sha256:5276db7ff62bb7b52f77f1f51ed58850e315154249aceb42e7f4c611f0f847ff  --hash=sha256:94223d7f060301b3a8c09c9b3bc3294b56b2188e7d8179c762a1cda72c979252  --hash=sha256:6ae6c4cb59f199d8827c5a07546b2ab7e85d262acaccaacd49b62f53f7c456f7  --hash=sha256:f460d1ceb0e4a5dcb2a652db0904224f367c9b3c1470d5a7683c0480e582468b  --hash=sha256:e81ebf6c5ee9684be8f2c87563880f93eedd56dd2b6146d8a725b50b7e5adb0f  --hash=sha256:81304b7d8e9c824d058087dcb89144842c8e0dea6d281c031f59f0acf66963d4  --hash=sha256:ddc34786490a6e4ec0a855d401034cbd1242ef186c20d79d2166d6a4bd449577  --hash=sha256:7bd527f36a605c914efca5d3d014170b2cb184723e423d26b1fb2fd9108e264d  --hash=sha256:ab3ca49afcb47058393b0122428358d2fbe0408cf99f1b58b295cfeb4ed39109  --hash=sha256:7cb54db3535c8686ea12e9535eb087d32421184eacc6939ef15ef50f83a5e7e2  --hash=sha256:0ce34342b419bd8f018e6666bfef729aec3edf62345a53b537a4dcc115746a33  --hash=sha256:e34b155e36fa9da7e1b7c738ed7767fc9491a62ec6af70fe9da4a057759edc2d  --hash=sha256:50e3b9a464d5d08cc5227413db0d1c4707b6172e4d4d915c1c70e4de0bbff1f5  --hash=sha256:27bf62cb2b1a2068d443ff7097ee33393f8483b570b475db8ebf7e1cba64f088  --hash=sha256:eb91be369f945f10d3a49f5f9be8b3d0b93a4c2be8f8a5b83b0571b8123e0a7a
jira==1.0.10 --hash=sha256:3886af9c6211fa24f518e3b10ed32779838b4f3ae0b2ac1c0ab869f8f086d57a  --hash=sha256:409a0a94800f05a1e8e078540eb5610e243586bd5ee9bc8cae8899cbbd061898
py==1.4.34 --hash=sha256:2ccb79b01769d99115aa600d7eed99f524bf752bba8f041dc1c184853514655a  --hash=sha256:0f2d585d22050e90c7d293b6451c83db097df77871974d90efd5a30dc12fcde3
ordereddict==1.1; python_version < '3.1' --hash=sha256:1c35b4ac206cef2d24816c89f89cf289dd3d38cf7c449bb3fab7bf6d43f01b1f
requests-oauthlib==0.8.0 --hash=sha256:50a8ae2ce8273e384895972b56193c7409601a66d4975774c60c2aed869639ca  --hash=sha256:883ac416757eada6d3d07054ec7092ac21c7f35cb1d2cf82faf205637081f468
argparse==1.4.0; python_version < '3.2' --hash=sha256:c31647edb69fd3d465a847ea3157d37bed1f95f19760b11a47aa91c04b666314  --hash=sha256:62b089a55be1d8949cd2bc7e0df0bddb9e028faefc8c32038cc84862aefdd6e4
urllib3==1.22 --hash=sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b  --hash=sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f
pylint==1.7.4 --hash=sha256:948679535a28afc54afb9210dabc6973305409042ece8e5768ca1409910c1ed8  --hash=sha256:1f65b3815c3bf7524b845711d54c4242e4057dd93826586620239ecdfe591fb1
backports.functools-lru-cache==1.4; python_version == '2.7' --hash=sha256:4ba998e881f285c1d1b73f5b6e3766539b4e162320f9589334400c5ddc35198c  --hash=sha256:31f235852f88edc1558d428d890663c49eb4514ffec9f3650e7f3c9e4a12e36f
singledispatch==3.4.0.3; python_version < '3.4' --hash=sha256:833b46966687b3de7f438c761ac475213e53b306740f1abfaa86e1d1aae56aa8  --hash=sha256:5b06af87df13818d14f08a028e42f566640aef80805c3b50c5056b086e3c2b9c
coverage==4.4.1 --hash=sha256:c1456f66c536010cf9e4633a8853a9153e8fd588393695295afd4d0fc16c1d74  --hash=sha256:97a7ec51cdde3a386e390b159b20f247ccb478084d925c75f1faa3d26c01335e  --hash=sha256:83e955b975666b5a07d217135e7797857ce844eb340a99e46cc25525120417c4  --hash=sha256:483ed14080c5301048128bb027b77978c632dd9e92e3ecb09b7e28f5b92abfcf  --hash=sha256:ef574ab9640bcfa2f3c671831faf03f65788945fdf8efa4d4a1fffc034838e2a  --hash=sha256:c5a205b4da3c624f5119dc4d84240789b5906bb8468902ec22dcc4aad8aa4638  --hash=sha256:5dea90ed140e7fa9bc00463313f9bc4a6e6aff297b4969615e7a688615c4c4d2  --hash=sha256:f9e83b39d29c2815a38e4118d776b482d4082b5bf9c9147fbc99a3f83abe480a  --hash=sha256:700040c354f0230287906b1276635552a3def4b646e0145555bc9e2e5da9e365  --hash=sha256:7f1eacae700c66c3d7362a433b228599c9d94a5a3a52613dddd9474e04deb6bc  --hash=sha256:13ef9f799c8fb45c446a239df68034de3a6f3de274881b088bebd7f5661f79f8  --hash=sha256:dfb011587e2b7299112f08a2a60d2601706aac9abde37aa1177ea825adaed923  --hash=sha256:381be5d31d3f0d912334cf2c159bc7bea6bfe6b0e3df6061a3bf2bf88359b1f6  --hash=sha256:83a477ac4f55a6ef59552683a0544d47b68a85ce6a80fd0ca6b3dc767f6495fb  --hash=sha256:dfd35f1979da31bcabbe27bcf78d4284d69870731874af629082590023a77336  --hash=sha256:9681efc2d310cfc53863cc6f63e88ebe7a48124550fa822147996cb09390b6ab  --hash=sha256:53770b20ac5b4a12e99229d4bae57af0945be87cc257fce6c6c7571a39f0c5d4  --hash=sha256:8801880d32f11b6df11c32a961e186774b4634ae39d7c43235f5a24368a85f07  --hash=sha256:16db2c69a1acbcb3c13211e9f954e22b22a729909d81f983b6b9badacc466eda  --hash=sha256:ef43a06a960b46c73c018704051e023ee6082030f145841ffafc8728039d5a88  --hash=sha256:c3e2736664a6074fc9bd54fb643f5af0fc60bfedb2963b3d3f98c7450335e34c  --hash=sha256:17709e22e4c9f5412ba90f446fb13b245cc20bf4a60377021bbff6c0f1f63e7c  --hash=sha256:a2f7106d1167825c4115794c2ba57cc3b15feb6183db5328fa66f94c12902d8b  --hash=sha256:2a08e978f402696c6956eee9d1b7e95d3ad042959b71bafe1f3e4557cbd6e0ac  --hash=sha256:57f510bb16efaec0b6f371b64a8000c62e7e3b3e48e8b0a5745ade078d849814  --hash=sha256:0f1883eab9c19aa243f51308751b8a2a547b9b817b721cc0ecf3efb99fafbea7  --hash=sha256:e00fe141e22ce6e9395aa24d862039eb180c6b7e89df0bbaf9765e9aebe560a9  --hash=sha256:ec596e4401553caa6dd2e3349ce47f9ef82c1f1bcba5d8ac3342724f0df8d6ff  --hash=sha256:c820a533a943ebc860acc0ce6a00dd36e0fdf2c6f619ff8225755169428c5fa2  --hash=sha256:b7f7283eb7badd2b8a9c6a9d6eeca200a0a24db6be79baee2c11398f978edcaa  --hash=sha256:a5ed27ad3e8420b2d6b625dcbd3e59488c14ccc06030167bcf14ffb0f4189b77  --hash=sha256:d7b70b7b4eb14d0753d33253fe4f121ca99102612e2719f0993607deb30c6f33  --hash=sha256:4047dc83773869701bde934fb3c4792648eda7c0e008a77a0aec64157d246801  --hash=sha256:7a9c44400ee0f3b4546066e0710e1250fd75831adc02ab99dda176ad8726f424  --hash=sha256:0f649e68db74b1b5b8ca4161d08eb2b8fa8ae11af1ebfb80e80e112eb0ef5300  --hash=sha256:52964fae0fafef8bd283ad8e9a9665205a9fdf912535434defc0ec3def1da26b  --hash=sha256:36aa6c8db83bc27346ddcd8c2a60846a7178ecd702672689d3ea1828eb1a4d11  --hash=sha256:9824e15b387d331c0fc0fef905a539ab69784368a1d6ac3db864b4182e520948  --hash=sha256:4a678e1b9619a29c51301af61ab84122e2f8cc7a0a6b40854b808ac6be604300  --hash=sha256:8bb7c8dca54109b61013bc4114d96effbf10dea136722c586bce3a5d9fc4e730  --hash=sha256:1a41d621aa9b6ab6457b557a754d50aaff0813fad3453434de075496fca8a183  --hash=sha256:0fa423599fc3d9e18177f913552cdb34a8d9ad33efcf52a98c9d4b644edb42c5  --hash=sha256:e61a4ba0b2686040cb4828297c7e37bcaf3a1a1c0bc0dbe46cc789dde51a80fa  --hash=sha256:ce9ef0fc99d11d418662e36fd8de6d71b19ec87c2eab961a117cc9d087576e72
certifi==2017.7.27.1 --hash=sha256:54a07c09c586b0e4c619f02a5e94e36619da8e2b053e20f594348c0611803704  --hash=sha256:40523d2efb60523e113b44602298f0960e900388cf3bb6043f645cf57ea9e3f5
six==1.11.0 --hash=sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb  --hash=sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9
configparser==3.5.0; python_version == '2.7' --hash=sha256:5308b47021bc2340965c371f0f058cc6971a04502638d4244225c49d80db273a
astroid==1.5.3 --hash=sha256:39a21dd2b5d81a6731dc0ac2884fa419532dffd465cdd43ea6c168d36b76efb3  --hash=sha256:492c2a2044adbf6a84a671b7522e9295ad2f6a7c781b899014308db25312dd35
oauthlib==2.0.4 --hash=sha256:514e293cb356dd53d596692207d48d9231b997995c9a4167eefa868583d74d13
defusedxml==0.5.0 --hash=sha256:702a91ade2968a82beb0db1e0766a6a273f33d4616a6ce8cde475d8e09853b20  --hash=sha256:24d7f2f94f7f3cb6061acb215685e5125fbcdc40a857eff9de22518820b0a4f4
wrapt==1.10.11 --hash=sha256:d4d560d479f2c21e1b5443bbd15fe7ec4b37fe7e53d335d3b9b0a7b1226fe3c6
pbr==3.1.1 --hash=sha256:60c25b7dfd054ef9bb0ae327af949dd4676aa09ac3a9471cdc871d8a9213f9ac  --hash=sha256:05f61c71aaefc02d8e37c0a3eeb9815ff526ea28b3b76324769e6158d7f95be1
enum34==1.1.6; python_version < '3.4' --hash=sha256:6bd0f6ad48ec2aa117d3d141940d484deccda84d4fcd884f5c3d93c23ecd8c79  --hash=sha256:644837f692e5f550741432dd3f223bbb9852018674981b1664e5dc339387588a  --hash=sha256:8ad8c4783bf61ded74527bffb48ed9b54166685e4230386a9ed9b1279e2df5b1  --hash=sha256:2d81cbbe0e73112bdfe6ef8576f2238f2ba27dd0d55752a776c41d38b7da2850
pytest-coverage==0.0 --hash=sha256:dedd084c5e74d8e669355325916dc011539b190355021b037242514dee546368  --hash=sha256:db6af2cbd7e458c7c9fd2b4207cee75258243c8a81cad31a7ee8cfad5be93c05
pytest-cov==2.5.1 --hash=sha256:890fe5565400902b0c78b5357004aab1c814115894f4f21370e2433256a3eeec  --hash=sha256:03aa752cf11db41d281ea1d807d954c4eda35cfa1b21d6971966cc041bbf6e2d
mccabe==0.6.1 --hash=sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42  --hash=sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f
pytest==3.2.3 --hash=sha256:81a25f36a97da3313e1125fce9e7bbbba565bc7fec3c5beb14c262ddab238ac1  --hash=sha256:27fa6617efc2869d3e969a3e75ec060375bfb28831ade8b5cdd68da3a741dc3c
isort==4.2.15 --hash=sha256:cd5d3fc2c16006b567a17193edf4ed9830d9454cbeb5a42ac80b36ea00c23db4  --hash=sha256:79f46172d3a4e2e53e7016e663cc7a8b538bec525c36675fcfd2767df30b3983
chardet==3.0.4 --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691  --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae
requests==2.18.4 --hash=sha256:6a1b267aa90cac58ac3a765d067950e7dbbf75b1da07e895d1f594193a40a38b  --hash=sha256:9c443e7324ba5b85070c4a818ade28bfabedf16ea10206da1132edaa6dda237e
pytest-cover==3.0.0 --hash=sha256:578249955eb3b5f3991209df6e532bb770b647743b7392d3d97698dc02f39ebb  --hash=sha256:5bdb6c1cc3dd75583bb7bc2c57f5e1034a1bfcb79d27c71aceb0b16af981dbf4
idna==2.6 --hash=sha256:8c7309c718f94b3a625cb648ace320157ad16ff131ae0af362c9f21b80ef6ec4  --hash=sha256:2c6a5de3089009e3da7c5dde64a141dbc8551d5b7f6cf4ed7c2568d0cc520a8f
requests-toolbelt==0.8.0 --hash=sha256:42c9c170abc2cacb78b8ab23ac957945c7716249206f90874651971a4acff237  --hash=sha256:f6a531936c6fa4c6cfce1b9c10d5c4f498d16528d2a54a22ca00011205a187b5

[Tethik]

As a workaround I use the option I added in #86 to stop this plugin from using my pipenv and manually freeze the requirements using pip freeze > requirements.txt when I need to deploy.

[Tethik]

Another project today and the same problem with a package requiring setuptools.

In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools from https://pypi.python.org/packages/32/28/16fffbead19dc705f9546134ca81090d6c266aff6173fb092bb6d8dfd76a/setuptools-36.5.0-py2.py3-none-any.whl#md5=14b28ae24ea931a752f70acaafcb1b9f (from pytest==3.2.3->-r .serverless/requirements.txt 

[jeff-savin]

I'm having the exact same issue with a very similar scenario as you. Looks like in my case its pytest that requires setuptools.

[Tethik]

I checked this again hoping that the new pipenv that fixed #87 also fixed this. Unfortunately still an issue :(
Pipenv version 8.3.2
Serverless version 1.24.1

[dschep]

Bummer. I didn't ask before, are you using the dockerizePip option? my only guess is that if so, it's a discrepancy between the environment pipenv lock -r is being run in (your mac) vs the pip install (the amazon linux docker container)

[Tethik]

Nope, I'm not using dockerizePip. Tried it but got the same error with some extras:

The directory '/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=20.10.1 from https://pypi.python.org/packages/bd/4c/b06ab3abfc8bc93b87b70f4cab22352c3c72deba7b71390d14bfffa97c85/setuptools-36.6.0-py2.py3-none-any.whl#md5=df531523e300bc3e6b9ce4451681912c (from jira==1.0.10->-r .serverless/requirements.txt (line 9))

I think the problem is with either pip or pipenv. pipenv should probably be giving the hash for setuptools too, but it is not for some reason.

[dschep]

Hmm. we might want to file an issue against pipenv then.

[Tethik]

Yeah, I hope to get some time to dig into the issue from the pipenv side of things soon*

[Arttii]

I was wondering, if anyone had any time to look at this? I am also having this issue in some of my projects.

[ghost]

Confirm getting similar issue with the following generated requirements.txt

boto==2.47.0 --hash=sha256:daa8cd950d546b848c907676aa3a57bbbc1486700646d13be9a01485794821ad  --hash=sha256:684ccaa1c030acd8ec6a48664d0555a6042bdc325b15ce52645c085bc36c0a69
cached-property==1.3.1 --hash=sha256:fe045921fe75c873064028e9fbbe06121114ccf613227f4ba284fa7d4c9ff27f  --hash=sha256:6562f0be134957547421dda11640e8cadfa7c23238fc4e0821ab69efdb1095f3
certifi==2017.11.5 --hash=sha256:244be0d93b71e93fc0a0a479862051414d0e00e16435707e5bf5000f92e04694  --hash=sha256:5ec74291ca1136b40f0379e1128ff80e866597e4e2c1e755739a913bbc3613c0
chardet==3.0.4 --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691  --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae
dnspython==1.15.0 --hash=sha256:861e6e58faa730f9845aaaa9c6c832851fbf89382ac52915a51f89c71accdd31  --hash=sha256:40f563e1f7a7b80dc5a4e76ad75c23da53d62f1e15e6e517293b04e1f84ead7c
docker==2.7.0 --hash=sha256:c1d4e37b1ea03b2b6efdd0379640f6ea372fefe56efa65d4d17c34c6b9d54558  --hash=sha256:144248308e8ea31c4863c6d74e1b55daf97cc190b61d0fe7b7313ab920d6a76c
docker-compose==1.18.0 --hash=sha256:4abb290b3ebb91314942532f1333d7f729c66254bde4b0756718291b7df42a7a  --hash=sha256:2930cbfe2685018fbb75377600ab6288861d9955717b3f14212f63950351d379
docker-pycreds==0.2.1 --hash=sha256:58d2688f92de5d6f1a6ac4fe25da461232f0e0a4c1212b93b256b046b2d714a9  --hash=sha256:93833a2cf280b7d8abbe1b8121530413250c6cd4ffed2c1cf085f335262f7348
dockerpty==0.4.1 --hash=sha256:69a9d69d573a0daa31bcd1c0774eeed5c15c295fe719c61aca550ed1393156ce
docopt==0.6.2 --hash=sha256:49b3a825280bd66b3aa83585ef59c4a8c82f2c8a522dbe754a8bc8d08c85c491
flake8==3.5.0 --hash=sha256:c7841163e2b576d435799169b78703ad6ac1bbb0f199994fc05f700b2a90ea37  --hash=sha256:7253265f7abd8b313e3892944044a365e3f4ac3fcdcfb4298f55ee9ddf188ba0
hvac==0.2.17 --hash=sha256:9e277a7864927f53fb1aca4fd33559390da43b21b6dc0c99058cf05ac8d5335f  --hash=sha256:2a4f7ea68d55caa90eae6d417765efb7fa31337e095cd69bcf7af0b3f7620270
idna==2.6 --hash=sha256:8c7309c718f94b3a625cb648ace320157ad16ff131ae0af362c9f21b80ef6ec4  --hash=sha256:2c6a5de3089009e3da7c5dde64a141dbc8551d5b7f6cf4ed7c2568d0cc520a8f
jinja2==2.9.6 --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054  --hash=sha256:ddaa01a212cd6d641401cb01b605f4a4d9f37bfc93043d7f760ec70fb99ff9ff
jsonschema==2.6.0 --hash=sha256:000e68abd33c972a5248544925a0cae7d1125f9bf6c58280d37546b946769a08  --hash=sha256:6ff5f3180870836cae40f06fa10419f557208175f13ad7bc26caa77beb1f6e02
markupsafe==1.0 --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665
mccabe==0.6.1 --hash=sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42  --hash=sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f
netaddr==0.7.19 --hash=sha256:56b3558bd71f3f6999e4c52e349f38660e54a7a8a9943335f73dfc96883e08ca  --hash=sha256:38aeec7cdd035081d3a4c306394b19d677623bf76fa0913f6695127c7753aefd
pycodestyle==2.3.1 --hash=sha256:6c4245ade1edfad79c3446fadfc96b0de2759662dc29d07d80a6f27ad1ca6ba9  --hash=sha256:682256a5b318149ca0d2a9185d365d8864a768a28db66a84a2ea946bcc426766
pyflakes==1.6.0 --hash=sha256:08bd6a50edf8cffa9fa09a463063c425ecaaf10d1eb0335a7e8b1401aef89e6f  --hash=sha256:8d616a382f243dbf19b54743f280b80198be0bca3a5396f1d2e1fca6223e8805
python-consul==0.7.0 --hash=sha256:f5725067586f0119a4eb50bbc8daca75c86791d1c002b97fc173f2347d2dfaa1
pyyaml==3.12 --hash=sha256:3262c96a1ca437e7e4763e2843746588a965426550f3797a79fca9c6199c431f  --hash=sha256:16b20e970597e051997d90dc2cddc713a2876c47e3d92d59ee198700c5427736  --hash=sha256:e863072cdf4c72eebf179342c94e6989c67185842d9997960b3e69290b2fa269  --hash=sha256:bc6bced57f826ca7cb5125a10b23fd0f2fff3b7c4701d64c439a300ce665fff8  --hash=sha256:c01b880ec30b5a6e6aa67b09a2fe3fb30473008c85cd6a67359a1b15ed6d83a4  --hash=sha256:827dc04b8fa7d07c44de11fabbc888e627fa8293b695e0f99cb544fdfa1bf0d1  --hash=sha256:592766c6303207a20efc445587778322d7f73b161bd994f227adaa341ba212ab  --hash=sha256:5f84523c076ad14ff5e6c037fe1c89a7f73a3e04cf0377cb4d017014976433f3  --hash=sha256:0c507b7f74b3d2dd4d1322ec8a94794927305ab4cebbe89cc47fe5e81541e6e8  --hash=sha256:b4c423ab23291d3945ac61346feeb9a0dc4184999ede5e7c43e1ffb975130ae6  --hash=sha256:ca233c64c6e40eaa6c66ef97058cdc80e8d0157a443655baa1b2966e812807ca  --hash=sha256:4474f8ea030b5127225b8894d626bb66c01cda098d47a2b0d3429b6700af9fd8  --hash=sha256:326420cbb492172dec84b0f65c80942de6cedb5233c413dd824483989c000608  --hash=sha256:5ac82e411044fb129bae5cfbeb3ba626acb2af31a8d17d175004b70862a741a7
requests==2.18.4 --hash=sha256:6a1b267aa90cac58ac3a765d067950e7dbbf75b1da07e895d1f594193a40a38b  --hash=sha256:9c443e7324ba5b85070c4a818ade28bfabedf16ea10206da1132edaa6dda237e
six==1.11.0 --hash=sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb  --hash=sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9
texttable==0.9.1 --hash=sha256:119041773ff03596b56392532f9315cb3a3116e404fd6f36e76a7dc088d95c79
urllib3==1.22 --hash=sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b  --hash=sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f
websocket-client==0.46.0 --hash=sha256:7a40abbd2534c91e667ca6507ccbb30d96816361840ef424dff49b24956fcdae  --hash=sha256:933f6bbf08b381f2adbca9e93d7e7958ba212b42c73acb310b18f0fbe74f3738

and after putting this to requirements.txt and using pip install -r I get the following error

Collecting websocket-client==0.46.0 (from -r /requirements.txt (line 27))
  Downloading websocket_client-0.46.0-py2.py3-none-any.whl (200kB)
Collecting backports.ssl-match-hostname>=3.5; python_version < "3.5" (from docker==2.7.0->-r /requirements.txt (line 6))
Collecting ipaddress>=1.0.16; python_version < "3.3" (from docker==2.7.0->-r /requirements.txt (line 6))
Collecting enum34<2,>=1.0.4; python_version < "3.4" (from docker-compose==1.18.0->-r /requirements.txt (line 7))
Collecting configparser; python_version < "3.2" (from flake8==3.5.0->-r /requirements.txt (line 11))
Collecting functools32; python_version == "2.7" (from jsonschema==2.6.0->-r /requirements.txt (line 15))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    backports.ssl-match-hostname>=3.5; python_version < "3.5" from https://pypi.python.org/packages/76/21/2dc61178a2038a5cb35d14b61467c6ac632791ed05131dda72c20e7b9e23/backports.ssl_match_hostname-3.5.0.1.tar.gz#md5=c03fc5e2c7b3da46b81acf5cbacfe1e6 (from docker==2.7.0->-r /requirements.txt (line 6))
    ipaddress>=1.0.16; python_version < "3.3" from https://pypi.python.org/packages/f0/ba/860a4a3e283456d6b7e2ab39ce5cf11a3490ee1a363652ac50abf9f0f5df/ipaddress-1.0.19.tar.gz#md5=d0687efaf93a32476d81e90ba0609c57 (from docker==2.7.0->-r /requirements.txt (line 6))
    enum34<2,>=1.0.4; python_version < "3.4" from https://pypi.python.org/packages/c5/db/e56e6b4bbac7c4a06de1c50de6fe1ef3810018ae11732a50f15f62c7d050/enum34-1.1.6-py2-none-any.whl#md5=68f6982cc07dde78f4b500db829860bd (from docker-compose==1.18.0->-r /requirements.txt (line 7))
    configparser; python_version < "3.2" from https://pypi.python.org/packages/7c/69/c2ce7e91c89dc073eb1aa74c0621c3eefbffe8216b3f9af9d3885265c01c/configparser-3.5.0.tar.gz#md5=cfdd915a5b7a6c09917a64a573140538 (from flake8==3.5.0->-r /requirements.txt (line 11))
    functools32; python_version == "2.7" from https://pypi.python.org/packages/5e/1a/0aa2c8195a204a9f51284018562dea77e25511f02fe924fac202fc012172/functools32-3.2.3-2.zip#md5=d55232eb132ec779e6893c902a0bc5ad (from jsonschema==2.6.0->-r /requirements.txt (line 15))

seems like transitive dependencies are not present in Pipfile.lock and therefore are not having exact version as --require-hashes mode demands

however pipenv graph show all dependencies (even transitive) with exact versions installed

[dschep]

@Tethik or @mlosev could one of you share your Pipfile so that I could recreate this?

[Tethik]

This is mine:

[[source]]

url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"


[dev-packages]

pytest = "*"
pylint = "*"
pytest-coverage = "*"
"autopep8" = "*"
"boto3" = "*"


[packages]

jira = "*"
requests = "*"
raven-python-lambda = "*"


[requires]

python_version = "3.6"

[ghost]

My Pipfile

[[source]]

url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"


[packages]

"flake8" = "==3.5.0"
PyYAML = "==3.12"
"Jinja2" = "==2.9.6"
python-consul = "==0.7.0"
docker-compose = "==1.18.0"
hvac = "==0.2.17"
boto = "==2.47.0"
dnspython = "==1.15.0"
netaddr = "==0.7.19"


[dev-packages]



[requires]

python_version = "2.7"

I found related issue in pipenv project but it was closed

[dschep]

Thanks guys! and thanks for finding that issue in pipenv @mlosev.

[dfee]

Unsure how closely it's related, but a recent reference to that issue was labeled as a bug a few days ago: pypa/pipenv#1380

Anyway, it looks like I'm going to need to go the route of disabling pipenv.

[dschep]

Thanks for pointing that out. I'll keep an eye on it.

[awhillas]

@dfee that issue was closed 3days ago and is in pipenv master

[xer0x]

For anyone else hitting this, if your using an older pipenv, I had to run pip3 install pipenv --upgrade to get the version that fixes this.

[bsamuel-ui]

Issue was fixed upstream.