Fix --require-hashes trusting link hashes

When a direct URL with hash is provided as a dependency, --require-hash incorrectly considered the link hash as trusted.
author: Stéphane Bidoul <stephane.bidoul@gmail.com> 2023-04-08 18:57:37 +0200
committer: Stéphane Bidoul <stephane.bidoul@gmail.com> 2023-04-10 13:21:00 +0200
commit: f5f0302516e4adc5b8541832da803784d44b0a0f (patch)
tree: 8a361511f2b7b77e5c768e651b5f061b66489f76 /news
parent: 0ffc54dca3dd0f64eb9498a37908ae756294da7d (diff)
download: pip-f5f0302516e4adc5b8541832da803784d44b0a0f.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/news/11938.bugfix.rst b/news/11938.bugfix.rst
new file mode 100644
index 000000000..b299f8e4f
--- /dev/null
+++ b/news/11938.bugfix.rst
@@ -0,0 +1,3 @@
+When package A depends on package B provided as a direct URL dependency including a hash
+embedded in the link, the ``--require-hashes`` option did not warn when user supplied hashes
+were missing for package B.
author	Stéphane Bidoul <stephane.bidoul@gmail.com>	2023-04-08 18:57:37 +0200
committer	Stéphane Bidoul <stephane.bidoul@gmail.com>	2023-04-10 13:21:00 +0200
commit	f5f0302516e4adc5b8541832da803784d44b0a0f (patch)
tree	8a361511f2b7b77e5c768e651b5f061b66489f76 /news
parent	0ffc54dca3dd0f64eb9498a37908ae756294da7d (diff)
download	pip-f5f0302516e4adc5b8541832da803784d44b0a0f.tar.gz