Skip to content
Latchkey

pip "Hashes are required in --require-hashes mode" in CI

You turned on --require-hashes, which demands every requirement be pinned with == and carry a hash. One requirement - often a transitive one - has no hash, so pip refuses the whole install.

What this error means

pip stops with "Hashes are required in --require-hashes mode, but they are missing" (or "all requirements must have their versions pinned with =="), naming the requirement that lacks a hash. Common when hash mode is on but the file was hand-maintained.

pip output
ERROR: In --require-hashes mode, all requirements must have their versions
pinned with ==. These do not:
    idna (from requests==2.31.0)
Hashes are required in --require-hashes mode, but they are missing from some
requirements.

Common causes

A transitive dependency has no hash

Hash mode is all-or-nothing. A dependency pulled in transitively (here idna) must also be pinned with == and hashed, or pip rejects the run.

Hash mode enabled on a hand-written file

Adding --require-hashes (or --hash on one line) to a manually maintained requirements file leaves most lines unpinned/unhashed, which is invalid in this mode.

How to fix it

Generate a fully hashed lockfile

Compile the file so every direct and transitive requirement is pinned with == and hashed.

Terminal
pip install pip-tools
pip-compile --generate-hashes requirements.in
pip install --require-hashes -r requirements.txt

Or drop hash mode if you do not need it

If supply-chain pinning is not a requirement for this pipeline, remove --require-hashes and the per-line --hash options.

How to prevent it

  • Generate hashed lockfiles with pip-tools or uv; never hand-edit them.
  • Keep direct and transitive requirements pinned with == under hash mode.
  • Run pip install --require-hashes in CI to validate the lock.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →