Turn --verify-hashes on by default

Fixes astral-sh#9164
hauntsaninja · Nov 17, 2024 · 8bb839e · 8bb839e
1 parent fb3f365
commit 8bb839e
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 5 deletions.
diff --git a/crates/uv-settings/src/settings.rs b/crates/uv-settings/src/settings.rs
@@ -1348,7 +1348,7 @@ pub struct PipOptions {
     /// hashes; instead, it will limit itself to verifying the hashes of those requirements that do
     /// include them.
     #[option(
-        default = "false",
+        default = "true",
         value_type = "bool",
         example = r#"
             verify-hashes = true

diff --git a/crates/uv/src/settings.rs b/crates/uv/src/settings.rs
@@ -2004,7 +2004,7 @@ impl BuildSettings {
                 .collect(),
             hash_checking: HashCheckingMode::from_args(
                 flag(require_hashes, no_require_hashes).unwrap_or_default(),
-                flag(verify_hashes, no_verify_hashes).unwrap_or_default(),
+                flag(verify_hashes, no_verify_hashes).unwrap_or(true),
             ),
             python: python.and_then(Maybe::into_option),
             refresh: Refresh::from(refresh),
@@ -2646,7 +2646,7 @@ impl PipSettings {
                     .unwrap_or_default(),
                 args.verify_hashes
                     .combine(verify_hashes)
-                    .unwrap_or_default(),
+                    .unwrap_or(true),
             ),
             python: args.python.combine(python),
             system: args.system.combine(system).unwrap_or_default(),

diff --git a/crates/uv/tests/it/pip_install.rs b/crates/uv/tests/it/pip_install.rs
@@ -6241,6 +6241,23 @@ fn verify_hashes_mismatch() -> Result<()> {
     "###
     );
 
+    uv_snapshot!(context.pip_install()
+        .arg("-r")
+        .arg("requirements.txt")
+        .arg("--no-verify-hashes"), @r###"
+    success: true
+    exit_code: 0
+    ----- stdout -----
+
+    ----- stderr -----
+    Resolved 3 packages in [TIME]
+    Installed 3 packages in [TIME]
+     + anyio==4.0.0
+     + idna==3.6
+     + sniffio==1.3.1
+    "###
+    );
+
     Ok(())
 }
 

diff --git a/docs/reference/settings.md b/docs/reference/settings.md
@@ -3104,7 +3104,7 @@ Unlike `--require-hashes`, `--verify-hashes` does not require that all requireme
 hashes; instead, it will limit itself to verifying the hashes of those requirements that do
 include them.
 
-**Default value**: `false`
+**Default value**: `true`
 
 **Type**: `bool`
 
@@ -3124,4 +3124,3 @@ include them.
     ```
 
 ---
-