@nichmor nichmor commented Dec 19, 2025

Replace hash-based validation for path-based PyPI packages with metadata-based validation. Instead of computing and storing a hash of pyproject.toml, setup.py, and setup.cfg, we now:

  1. Don't store any hash in the lock file for path-based packages
  2. During satisfiability checks, parse pyproject.toml and compare the name and version with the locked metadata

This approach is similar to how PR #5011 removed input_hash for conda packages. The metadata comparison is more explicit about what changed (name vs version) rather than just indicating "something changed via hash mismatch".

Changes:

  • pypi.rs: Stop computing and storing hash for SourceDist::Path and SourceDist::Directory
  • satisfiability/mod.rs: Replace PypiSourceTreeHashable hash comparison with metadata parsing and comparison
  • Add PypiSourceMetadataMismatch and PypiSourceMetadataError types
  • Remove SourceTreeHashMismatch type and related imports

Description

Fixes #{issue}

How Has This Been Tested?

AI Disclosure

  • This PR contains AI-generated content.
    • I have tested any AI-generated content in my PR.
    • I take responsibility for any AI-generated content in my PR.

Tools: {e.g., Claude, Codex, GitHub Copilot, ChatGPT, etc.}

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added sufficient tests to cover my changes.
  • I have verified that changes that would impact the JSON schema have been made in schema/model.py.

@baszalmstra baszalmstra left a comment


Nice! This is a good start but it's not enough, we need to also compare the requirements, required Python version, optional dependencies, etc. Furthermore, some fields can be dynamic, which means we need to invoke Python, and we might also have to deal with setup.py-only sources.

@tdejager

> Nice! This is a good start but it's not enough, we need to also compare the requirements, required Python version, optional dependencies, etc. Furthermore, some fields can be dynamic, which means we need to invoke Python, and we might also have to deal with setup.py-only sources.

Indeed! It might be good to let Claude explore the uv codebase as well for inspiration, although, if I recall, their satisfiability check is less extensive; they regenerate more often.

claude and others added 2 commits January 3, 2026 19:26
Replace hash-based validation for path-based PyPI packages with
metadata-based validation. Instead of computing and storing a hash
of pyproject.toml, setup.py, and setup.cfg, we now:

1. Don't store any hash in the lock file for path-based packages
2. During satisfiability checks, parse pyproject.toml and compare
   the name and version with the locked metadata

This approach is similar to how PR #5011 removed input_hash for
conda packages. The metadata comparison is more explicit about what
changed (name vs version) rather than just indicating "something
changed via hash mismatch".

Changes:
- pypi.rs: Stop computing and storing hash for SourceDist::Path and
  SourceDist::Directory
- satisfiability/mod.rs: Replace PypiSourceTreeHashable hash comparison
  with metadata parsing and comparison
- Add PypiSourceMetadataMismatch and PypiSourceMetadataError types
- Remove SourceTreeHashMismatch type and related imports
- Add pypi_metadata module for reading and comparing package metadata
- Build dynamic metadata using UV for packages with dynamic dependencies
- Compare requires_dist, version, and requires_python semantically
- Fall back to source tree hash comparison when build fails
- Add hatch_build.py example for testing dynamic dependencies

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@nichmor nichmor force-pushed the claude/remove-pypi-input-hash-9zwnN branch from 76d5042 to 2b7191e Compare January 3, 2026 17:34

Labels

enhancement New features lock file pypi Issue related to PyPI dependencies
