Enforce hashes in lockfile install (#5170)

## Summary Hashes will be validated if present, but aren't required (since, e.g., some registries will omit them, as will Git dependencies and such). Closes https://github.com/astral-sh/uv/issues/5168.
2025-10-29 03:02:55 +00:00 · 2024-07-17 19:10:37 -04:00 · 2024-07-17 19:10:37 -04:00 · 6a49dba30c
commit 6a49dba30c
parent 218ae2c13e
7 changed files with 148 additions and 12 deletions
--- a/crates/uv-resolver/src/lock.rs
+++ b/crates/uv-resolver/src/lock.rs
@ -382,6 +382,7 @@ impl Lock {
        }

        let mut map = BTreeMap::default();
+        let mut hashes = BTreeMap::default();
        while let Some((dist, extra)) = queue.pop_front() {
            let deps =
                if let Some(extra) = extra {
@ -406,13 +407,14 @@ impl Lock {
                    }
                }
            }
-            let name = dist.id.name.clone();
-            let resolved_dist =
-                ResolvedDist::Installable(dist.to_dist(project.workspace().install_path(), tags)?);
-            map.insert(name, resolved_dist);
+            map.insert(
+                dist.id.name.clone(),
+                ResolvedDist::Installable(dist.to_dist(project.workspace().install_path(), tags)?),
+            );
+            hashes.insert(dist.id.name.clone(), dist.hashes());
        }
        let diagnostics = vec![];
-        Ok(Resolution::new(map, diagnostics))
+        Ok(Resolution::new(map, hashes, diagnostics))
    }

    /// Returns the TOML representation of this lock file.
--- a/crates/uv-resolver/src/resolution/graph.rs
+++ b/crates/uv-resolver/src/resolution/graph.rs
@ -489,6 +489,10 @@ impl From<ResolutionGraph> for distribution_types::Resolution {
                .dists()
                .map(|node| (node.name().clone(), node.dist.clone()))
                .collect(),
+            graph
+                .dists()
+                .map(|node| (node.name().clone(), node.hashes.clone()))
+                .collect(),
            graph.diagnostics,
        )
    }