Mismatching hash is ignored when dependency is direct url #18778
Open
Labels: bug, great writeup
Description
Summary
Given the following pyproject.toml file:
[project]
name = "pylock"
version = "0.1.0"
requires-python = ">=3.10"
dependencies = [
"protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520",
]

When installing using uv pip install ., it ignores the mismatching hash of the dependency:
$ uv venv --clear
Using CPython 3.14.1
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
$ source .venv/bin/activate
$ uv --no-config --no-cache pip install .
Resolved 2 packages in 37ms
Built pylock @ file:///home/simon/source/private/pylock
Prepared 2 packages in 655ms
Installed 2 packages in 5ms
+ protobug==0.3.0 (from https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520)
+ pylock==0.1.0 (from file:///home/simon/source/private/pylock)

This behavior is different from how pip behaves:
$ uv venv --clear --seed
Using CPython 3.14.1
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
$ source .venv/bin/activate
$ pip install .
Processing ./.
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Collecting protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520 (from pylock==0.1.0)
Downloading protobug-0.3.0-py3-none-any.whl (11 kB)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520 from https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520 (from pylock==0.1.0):
Expected sha256 ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520
Got ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c202652e

If you uv pip install the url dependency directly, you get the expected error:
$ uv venv --clear
Using CPython 3.14.1
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
$ uv pip install "protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520"
Resolved 1 package in 40ms
× Failed to download `protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520`
╰─▶ Hash mismatch for `protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520`
Expected:
sha256:ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520
Computed:
sha256:ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c202652e

Verbose output
$ uv --verbose --no-config --no-cache pip install .
DEBUG uv 0.11.2 (x86_64-unknown-linux-gnu)
DEBUG Disabling the uv cache due to `--no-cache`
DEBUG Marking explicit source tree for reinstall: `/home/simon/source/private/pylock`
DEBUG Searching for default Python interpreter in virtual environments
DEBUG Found `cpython-3.14.1-linux-x86_64-gnu` at `/home/simon/source/private/pylock/.venv/bin/python3` (active virtual environment)
DEBUG Using Python 3.14.1 environment at: .venv
DEBUG Using request connect timeout of 10s and read timeout of 30s
DEBUG Found PEP 621 metadata for /home/simon/source/private/pylock in `pyproject.toml` (pylock)
DEBUG Found static `pyproject.toml` for: pylock @ file:///home/simon/source/private/pylock
DEBUG No workspace root found, using project root
DEBUG No cache entry for: https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520
DEBUG Sending fresh HEAD request for: https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520
DEBUG Solving with installed Python version: 3.14.1
DEBUG Solving with target Python version: >=3.14.1
DEBUG Adding direct dependency: pylock*
DEBUG Searching for a compatible version of pylock @ file:///home/simon/source/private/pylock (*)
DEBUG Adding transitive dependency for pylock==0.1.0: protobug*
DEBUG Searching for a compatible version of protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520 (*)
DEBUG Tried 2 versions: protobug 1, pylock 1
DEBUG marker environment resolution took 0.000s
Resolved 2 packages in 41ms
DEBUG Must revalidate requirement: pylock
DEBUG Identified uncached distribution: protobug @ https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520
DEBUG Computed cache info: Timestamp(SystemTime { tv_sec: 1774964323, tv_nsec: 362695009 }), None, None, {}, {"src": None}. Most recently modified: pyproject.toml
DEBUG No cache entry for: https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520
DEBUG Sending fresh GET request for: https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520
Building pylock @ file:///home/simon/source/private/pylock
DEBUG Building: pylock @ file:///home/simon/source/private/pylock
DEBUG Assessing Python executable as base candidate: /home/simon/.local/share/uv/python/cpython-3.14.1-linux-x86_64-gnu/bin/python3.14
DEBUG Reusing existing build environment for: pylock @ file:///home/simon/source/private/pylock
DEBUG Assessing Python executable as base candidate: /home/simon/.local/share/uv/python/cpython-3.14.1-linux-x86_64-gnu/bin/python3.14
DEBUG Using base executable for virtual environment: /home/simon/.local/share/uv/python/cpython-3.14.1-linux-x86_64-gnu/bin/python3.14
DEBUG Resolving build requirements
DEBUG Solving with installed Python version: 3.14.1
DEBUG Solving with target Python version: >=3.14.1
DEBUG Adding direct dependency: setuptools>=40.8.0
DEBUG No cache entry for: https://pypi.org/simple/setuptools/
DEBUG Sending fresh GET request for: https://pypi.org/simple/setuptools/
DEBUG Searching for a compatible version of setuptools (>=40.8.0)
DEBUG Selecting: setuptools==82.0.1 [compatible] (setuptools-82.0.1-py3-none-any.whl)
DEBUG No cache entry for: https://files.pythonhosted.org/packages/9d/76/f789f7a86709c6b087c5a2f52f911838cad707cc613162401badc665acfe/setuptools-82.0.1-py3-none-any.whl.metadata
DEBUG Sending fresh GET request for: https://files.pythonhosted.org/packages/9d/76/f789f7a86709c6b087c5a2f52f911838cad707cc613162401badc665acfe/setuptools-82.0.1-py3-none-any.whl.metadata
DEBUG Tried 1 versions: setuptools 1
DEBUG marker environment resolution took 0.025s
DEBUG Installing in setuptools==82.0.1 in /tmp/.tmpsphNau/builds-v0/.tmpXxMyZE
DEBUG Identified uncached distribution: setuptools==82.0.1
DEBUG Downloading and building requirement for build: setuptools==82.0.1
DEBUG No cache entry for: https://files.pythonhosted.org/packages/9d/76/f789f7a86709c6b087c5a2f52f911838cad707cc613162401badc665acfe/setuptools-82.0.1-py3-none-any.whl
DEBUG Sending fresh GET request for: https://files.pythonhosted.org/packages/9d/76/f789f7a86709c6b087c5a2f52f911838cad707cc613162401badc665acfe/setuptools-82.0.1-py3-none-any.whl
DEBUG Installing build requirement: setuptools==82.0.1
DEBUG Failed to reflink `/tmp/.tmpsphNau/archive-v0/x9O7RZbXwSSOvUSp_3l8Q/setuptools/gui.exe` to `/tmp/.tmpsphNau/builds-v0/.tmpXxMyZE/lib/python3.14/site-packages/setuptools/gui.exe`: Operation not supported (os error 95), falling back
DEBUG Creating PEP 517 build environment
DEBUG Calling `setuptools.build_meta:__legacy__.get_requires_for_build_wheel()`
DEBUG running egg_info
DEBUG writing pylock.egg-info/PKG-INFO
DEBUG writing dependency_links to pylock.egg-info/dependency_links.txt
DEBUG writing requirements to pylock.egg-info/requires.txt
DEBUG writing top-level names to pylock.egg-info/top_level.txt
DEBUG reading manifest file 'pylock.egg-info/SOURCES.txt'
DEBUG writing manifest file 'pylock.egg-info/SOURCES.txt'
DEBUG No workspace root found, using project root
DEBUG Locking the source tree for setuptools
DEBUG Calling `setuptools.build_meta:__legacy__.build_wheel("/tmp/.tmpsphNau/builds-v0/.tmpZmaVPf", {}, None)`
DEBUG running bdist_wheel
DEBUG running build
DEBUG running build_py
DEBUG copying main.py -> build/lib
DEBUG running egg_info
DEBUG writing pylock.egg-info/PKG-INFO
DEBUG writing dependency_links to pylock.egg-info/dependency_links.txt
DEBUG writing requirements to pylock.egg-info/requires.txt
DEBUG writing top-level names to pylock.egg-info/top_level.txt
DEBUG reading manifest file 'pylock.egg-info/SOURCES.txt'
DEBUG writing manifest file 'pylock.egg-info/SOURCES.txt'
DEBUG installing to build/bdist.linux-x86_64/wheel
DEBUG running install
DEBUG running install_lib
DEBUG creating build/bdist.linux-x86_64/wheel
DEBUG copying build/lib/main.py -> build/bdist.linux-x86_64/wheel/.
DEBUG running install_egg_info
DEBUG Copying pylock.egg-info to build/bdist.linux-x86_64/wheel/./pylock-0.1.0-py3.14.egg-info
DEBUG running install_scripts
DEBUG creating build/bdist.linux-x86_64/wheel/pylock-0.1.0.dist-info/WHEEL
DEBUG creating '/tmp/.tmpsphNau/builds-v0/.tmpZmaVPf/.tmp-rxghql7q/pylock-0.1.0-py3-none-any.whl' and adding 'build/bdist.linux-x86_64/wheel' to it
DEBUG adding 'main.py'
DEBUG adding 'pylock-0.1.0.dist-info/METADATA'
DEBUG adding 'pylock-0.1.0.dist-info/WHEEL'
DEBUG adding 'pylock-0.1.0.dist-info/top_level.txt'
DEBUG adding 'pylock-0.1.0.dist-info/RECORD'
DEBUG removing build/bdist.linux-x86_64/wheel
DEBUG Built `pylock @ file:///home/simon/source/private/pylock` into `pylock-0.1.0-py3-none-any.whl`
Built pylock @ file:///home/simon/source/private/pylock
Prepared 2 packages in 601ms
DEBUG Failed to reflink `/tmp/.tmpsphNau/archive-v0/b3__ntiHfwutMsEp2S0kZ/pylock-0.1.0.dist-info/RECORD` to `/home/simon/source/private/pylock/.venv/lib/python3.14/site-packages/pylock-0.1.0.dist-info/RECORD`: Operation not supported (os error 95), falling back
DEBUG Failed to reflink `/tmp/.tmpsphNau/archive-v0/dSdvS4-qILgHneZMVFutN/protobug/_core.py` to `/home/simon/source/private/pylock/.venv/lib/python3.14/site-packages/protobug/_core.py`: Operation not supported (os error 95), falling back
Installed 2 packages in 4ms
+ protobug==0.3.0 (from https://files.pythonhosted.org/packages/f2/cc/db26b91cddffbcf0c6df7834fd642578f737fe34197635ae8ea64643a35f/protobug-0.3.0-py3-none-any.whl#sha256=ee81583f376bb38e5e7af425d2453e5e8d4b57bfbf45e5dba1a75329c2026520)
+ pylock==0.1.0 (from file:///home/simon/source/private/pylock)

Platform
Linux 6.8.0-106-generic x86_64 GNU/Linux
Version
uv 0.11.2 (x86_64-unknown-linux-gnu)
Python version
Python 3.14.1
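
A pre-install check for the situation reported above, as an added example that is not part of the original issue and is not uv's or pip's code: it parses each `[project].dependencies` string, extracts the `#sha256=` fragment of direct URL entries and compares it with the fetched bytes. The `fetch` callable, the `example.invalid` URL and the artifact bytes are constructed for illustration, and reporting unpinned direct URLs is a policy choice of this example.

```python
import hashlib
from urllib.parse import parse_qsl, urlsplit

ALGOS = ("sha256", "sha384", "sha512")  # fragment keys treated as hash pins


def parse_direct_url(requirement):
    """Split 'name @ url#sha256=hex' into (name, url, pins); None if not a direct URL."""
    name, sep, rest = requirement.partition("@")
    if not sep:
        return None
    url = rest.partition(" ;")[0].strip()  # drop a trailing environment marker
    parts = urlsplit(url)
    if not parts.scheme:
        return None
    pins = {k.lower(): v.lower() for k, v in parse_qsl(parts.fragment) if k.lower() in ALGOS}
    return name.strip(), parts._replace(fragment="").geturl(), pins


def check(requirement, fetch):
    """Return 'skipped', 'unpinned', 'mismatch' or 'ok' for one requirement string."""
    parsed = parse_direct_url(requirement)
    if parsed is None:
        return "skipped"            # index dependency: out of scope here
    _name, url, pins = parsed
    if not pins:
        return "unpinned"           # policy choice of this example: report it
    data = fetch(url)               # bytes of the artifact behind the URL
    for algo, expected in pins.items():
        if hashlib.new(algo, data).hexdigest() != expected:
            return "mismatch"       # fail closed: the pin does not match the bytes
    return "ok"


def audit(dependencies, fetch):
    """Map every entry of [project].dependencies to its check() status."""
    return {dep: check(dep, fetch) for dep in dependencies}


# Constructed sample data: a fake artifact and a placeholder URL, no network access.
ARTIFACT = b"constructed wheel bytes"
GOOD = hashlib.sha256(ARTIFACT).hexdigest()
BAD = GOOD[:-1] + ("0" if GOOD[-1] != "0" else "1")  # last digit altered, as in the report
URL = "https://example.invalid/demo-0.1.0-py3-none-any.whl"
DEPS = [
    f"demo @ {URL}#sha256={GOOD}",
    f"demo @ {URL}#sha256={BAD}",
    f"demo @ {URL}",
    "requests>=2",
]

if __name__ == "__main__":
    for dep, status in audit(DEPS, lambda url: ARTIFACT).items():
        print(status, dep)
```

In CI, `fetch` would download the URL and the job would fail on any `mismatch` or `unpinned` status before the installer runs.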