Pin codespell to an exact version and verify its hash #100

Merged
larsoner merged 1 commit into codespell-project:master from LotemKahana:require-hashes-for-codespell
Jul 1, 2026

@LotemKahana

Contributor

codespell[toml]>=2.2.4 resolves to whatever's newest on PyPI at build time. Pin to 2.4.2 with its published hashes and pass --require-hashes so pip fails the build on a mismatch instead of installing whatever satisfies the range.
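
What the pinned form buys over the range, as an added example that is not part of this PR or the codespell project's code: a small audit that flags requirement lines pip's hash-checking mode refuses (not pinned with `==`, or no `--hash`) and compares an artifact's SHA-256 against the pinned values. The artifact bytes and the hash are constructed stand-ins, not the published codespell 2.4.2 hashes, and the function names are hypothetical.

```python
import hashlib
import re

# Constructed sample: bytes standing in for a downloaded wheel, and its digest.
SAMPLE_ARTIFACT = b"constructed stand-in for a codespell wheel"
SAMPLE_HASH = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# The two requirement styles discussed in the PR (hash value is constructed).
RANGE = "codespell[toml]>=2.2.4\n"
PINNED = f"codespell[toml]==2.4.2 \\\n    --hash=sha256:{SAMPLE_HASH}\n"

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return {requirement spec: [sha256 hex, ...]} from requirements-file text."""
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    reqs = {}
    for line in joined.splitlines():
        line = line.split(" #")[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        spec = line.split("--hash")[0].strip()
        reqs[spec] = HASH_RE.findall(line)
    return reqs


def audit(reqs):
    """List the entries that hash-checking mode would reject."""
    problems = []
    for spec, hashes in reqs.items():
        if "==" not in spec or "*" in spec:
            problems.append(f"{spec}: not pinned to an exact version")
        if not hashes:
            problems.append(f"{spec}: no --hash entry")
    return problems


def artifact_allowed(data, hashes):
    """True only if the artifact's SHA-256 is one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in hashes


if __name__ == "__main__":
    for name, text in (("range", RANGE), ("pinned", PINNED)):
        print(name, audit(parse_requirements(text)) or "ok")
```
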

@larsoner larsoner merged commit 710c0e8 into codespell-project:master Jul 1, 2026
6 checks passed
@larsoner

larsoner commented Jul 1, 2026

Member

This creates a bit more maintenance work... but probably worth it. Thanks @LotemKahana !
