diff --git a/crates/uv/tests/it/pip_install.rs b/crates/uv/tests/it/pip_install.rs index 4dc571a4c..d62ec59e8 100644 --- a/crates/uv/tests/it/pip_install.rs +++ b/crates/uv/tests/it/pip_install.rs @@ -6667,6 +6667,48 @@ fn require_hashes() -> Result<()> { Ok(()) } +/// Use `--require-hashes` when there are no hashes for build dependencies. +#[test] +fn require_hashes_build_dependencies() -> Result<()> { + let context = TestContext::new("3.12"); + + // Write to a requirements file. + let requirements_txt = context.temp_dir.child("requirements.txt"); + requirements_txt.write_str(indoc::indoc! {r" + anyio==4.0.0 \ + --hash=sha256:cfdb2b588b9fc25ede96d8db56ed50848b0b649dca3dd1df0b11f683bb9e0b5f \ + --hash=sha256:f7ed51751b2c2add651e5747c891b47e26d2a21be5d32d9311dfe9692f3e5d7a + idna==3.6 \ + --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \ + --hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f + # via anyio + sniffio==1.3.1 \ + --hash=sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2 \ + --hash=sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc + # via anyio + "})?; + + uv_snapshot!(context.pip_install() + .arg("--no-binary").arg(":all:") + .arg("-r") + .arg("requirements.txt") + .arg("--require-hashes"), @r" + success: false + exit_code: 1 + ----- stdout ----- + + ----- stderr ----- + Resolved 3 packages in [TIME] + × Failed to download and build `idna==3.6` + ├─▶ Failed to resolve requirements from `build-system.requires` + ├─▶ No solution found when resolving: `flit-core>=3.2, <4` + ╰─▶ In `--require-hashes` mode, all requirements must be pinned upfront with `==`, but found: `flit-core` + " + ); + + Ok(()) +} + /// Omit hashes for dependencies with `--require-hashes`, which is allowed with `--no-deps`. #[test] fn require_hashes_no_deps() -> Result<()> {