Missing continuation \ in requirement files cause hashes to be silently ignored

[sbidoul]

A requirements file like this (note the missing \ after the requirement) can be installed without error nor warning, and the provided hash is silently ignored.

lxml==4.9.2
  --hash sha256:7b515674acfdcadb0eb5d00d8a709868173acece5cb0be3dd165950cbfdf540x

This is not strictly a bug but this can be misleading.

[uranusjr]

I’m not particularly concerned about this since it only affects cases which you have only one requirement, or somehow miss all the backslashes.

[pfmoore]

Agreed. It's ultimately user error, and while we could add some sort of heuristics (the second line starts with a space, so that means you probably intended it to be a continuation) or warning, ultimately there's no real fix here apart from designing a "requirements 2.0" format with stricter syntax and clearer failure behaviours.

If we could warn "line 2 has options (--hash) but no requirement, and will be ignored" then I guess there's no harm in that, but I wouldn't put too much effort into it.

[sbidoul]

A little warning is easy enough to add: #11940.