Merge pull request #11938 from sbidoul/fix-direct-url-hash-trusted-sbi

Don't trust link hash in direct URL dependencies
author: Stéphane Bidoul <stephane.bidoul@gmail.com> 2023-04-10 16:43:51 +0200
committer: GitHub <noreply@github.com> 2023-04-10 16:43:51 +0200
commit: 5d4a974b60b37acdaeaea457196366678b0624a3 (patch)
tree: 5bf0f217a5882b710f80757a6a9b8eba3fe624dd /news
parent: 62e932ad2889f370e47aeae010b5e2a23a194d38 (diff)
parent: 453a5a7e0738c9c0453a3a23db4ef74e9e4e41d7 (diff)
download: pip-5d4a974b60b37acdaeaea457196366678b0624a3.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/news/11938.bugfix.rst b/news/11938.bugfix.rst
new file mode 100644
index 000000000..b299f8e4f
--- /dev/null
+++ b/news/11938.bugfix.rst
@@ -0,0 +1,3 @@
+When package A depends on package B provided as a direct URL dependency including a hash
+embedded in the link, the ``--require-hashes`` option did not warn when user supplied hashes
+were missing for package B.
author	Stéphane Bidoul <stephane.bidoul@gmail.com>	2023-04-10 16:43:51 +0200
committer	GitHub <noreply@github.com>	2023-04-10 16:43:51 +0200
commit	5d4a974b60b37acdaeaea457196366678b0624a3 (patch)
tree	5bf0f217a5882b710f80757a6a9b8eba3fe624dd /news
parent	62e932ad2889f370e47aeae010b5e2a23a194d38 (diff)
parent	453a5a7e0738c9c0453a3a23db4ef74e9e4e41d7 (diff)
download	pip-5d4a974b60b37acdaeaea457196366678b0624a3.tar.gz