I am having issues with Pipenv. I run pipenv install --dev in order to install some dependencies from a Pipfile within my project. Upon running this command, Pipenv generates an MD5 hash for a certain dependency. The error is saying that MD5 is not supported yet still generates it. I have not set any configurations on my local machine or in any configuration file. I cannot seem to pinpoint this issue. Any help is greatly appreciated.
[pipenv.exceptions.InstallError]: pip: error: Allowed hash algorithms for --hash are sha256, sha384, sha512.
Pipfile.lock
{
    "_meta": {
        "hash": {
            "sha256": "7e0f1d75f7df19f9500f55bd2f1da163cb4a8c7f485aab61c521d70e3865a507"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "certain-dependency": {
            "hashes": [
                "md5:8faf2e4ff85c34b5d0c000c017f81f52",
                "md5:1508a7f05b17d292f7890b8c58a451cf"
            ],
            "version": "==11.10.20"
        }
    }
}
When you create a Pipenv environment either for a new or an existing project, the Pipfile is generated automatically. The file is added to the current project, you can see it in the Project tool window.
☤ Pipfile. By default, the Pipfile.lock will be generated with the sha256 hashes of each downloaded package. This will allow pip to guarantee you're installing what you intend to when on a compromised network, or downloading dependencies from an untrusted PyPI endpoint.
When two developers are working on a project with different operating systems, the Pipfile.lock is different (especially the part inside host-environment-markers). For Composer, most people recommend to commit composer.
Try clearing your pipenv cache:
Make sure your dependencies actually do resolve. If you’re confident they are, you may need to clear your resolver cache. Run the following command:
pipenv lock --clear
and try again.
If this does not work, try manually deleting the whole cache directory. It is usually one of the following locations:
~/Library/Caches/pipenv (macOS)
%LOCALAPPDATA%\pipenv\pipenv\Cache (Windows)
~/.cache/pipenv (other operating systems)
While the current release of pipenv only accepts sha256 hashes, it loads package URLs from a cache and writes those cached URLs' hashes to Pipfile.lock. If those cached hashes are md5 hashes from previously-installed packages, pipenv uses those values as-is without verifying that they are sha256/FAVORITE_HASH.
Clearing the cache and re-locking will cause pipenv to cache miss and re-fetch package URLs which end in sha256 hashes, and write them to Pipfile.lock as you'd hope, and prevent you from running into the issue again.
I ran into the same error with the most recent pipenv release (2020.11.4). It seems that a fix is already set for the next release (see https://github.com/pypa/pipenv/pull/4519). But in the meantime, what worked for me is just to roll back to the older version of pipenv (2020.8.13).
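A check for the condition the first answer describes (stale md5 entries written into Pipfile.lock), as an added example that is not part of the original posts or of pipenv itself. The function name `audit_lock`, the script name and the sample lock data are assumptions made for illustration; the allowed algorithms come from the pip error message quoted in the question.

```python
import json
import sys

# Algorithms pip accepts for --hash, taken from the error message in the question.
ALLOWED = {"sha256": 64, "sha384": 96, "sha512": 128}  # name -> hex digest length

# Constructed sample lock data (not a real project's lock file).
SAMPLE_LOCK = {
    "default": {
        "certain-dependency": {
            "hashes": ["md5:8faf2e4ff85c34b5d0c000c017f81f52"],
            "version": "==11.10.20",
        },
        "good-package": {"hashes": ["sha256:" + "ab" * 32], "version": "==1.0"},
    },
    "develop": {
        "short-digest": {"hashes": ["sha256:" + "ab" * 16], "version": "==2.0"},
    },
}


def audit_lock(lock):
    """Return (section, package, hash, reason) for each hash entry that is
    not a well-formed sha256/sha384/sha512 value."""
    findings = []
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            for value in entry.get("hashes", []):
                algo, _, digest = value.partition(":")
                if algo not in ALLOWED:
                    reason = "algorithm not accepted by pip"
                elif len(digest) != ALLOWED[algo] or any(
                    c not in "0123456789abcdef" for c in digest.lower()
                ):
                    reason = "digest is not a valid " + algo + " hex string"
                else:
                    continue
                findings.append((section, name, value, reason))
    return findings


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/Pipfile.lock]
    path = sys.argv[1] if len(sys.argv) > 1 else "Pipfile.lock"
    with open(path, encoding="utf-8") as fh:
        problems = audit_lock(json.load(fh))
    for section, name, value, reason in problems:
        print(f"{section}/{name}: {value} ({reason})")
    sys.exit(1 if problems else 0)
```

Run as a CI step after `pipenv lock`, a non-zero exit stops a lock file with md5 or malformed entries from being committed.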