
Should --generate-hashes imply --allow-unsafe? #806

@jcushman

Description

Some packages, such as pytest and Markdown, include minimum versions of setuptools in their requirements. Running pip-compile --generate-hashes without --allow-unsafe for those packages creates a requirements.txt file that doesn't work with pip install. This creates a bug that is easy to miss until deployment. Should --allow-unsafe be the default behavior for --generate-hashes?

Environment Versions
  1. OS Type: macOS 10.14.4
  2. Python version: Python 3.5.3
  3. pip version: pip 19.1
  4. pip-tools version: pip-compile, version 3.6.2.dev19+g8a1a8ef
Steps to replicate
  1. New virtualenv:
$ pyenv virtualenv 3.5.3 piptest
$ pyenv local piptest
$ pip show setuptools
Name: setuptools
Version: 28.8.0
  2. Require Markdown, which requires a newer version of setuptools:
$ echo "Markdown" > requirements.in
$ pip-compile --generate-hashes
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    pip-compile --generate-hashes
#
markdown==3.1 \
    --hash=sha256:fc4a6f69a656b8d858d7503bda633f4dd63c2d70cf80abdc6eafa64c4ae8c250 \
    --hash=sha256:fe463ff51e679377e3624984c829022e2cfb3be5518726b06f608a07a3aad680
  3. Attempt pip install:
$ pip install -r requirements.txt
Collecting markdown==3.1 (from -r requirements.txt (line 7))
  Using cached https://files.pythonhosted.org/packages/f5/e4/d8c18f2555add57ff21bf25af36d827145896a07607486cc79a2aea641af/Markdown-3.1-py2.py3-none-any.whl
Collecting setuptools>=36 (from markdown==3.1->-r requirements.txt (line 7))
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=36 from https://files.pythonhosted.org/packages/ec/51/f45cea425fd5cb0b0380f5b0f048ebc1da5b417e48d304838c02d6288a1e/setuptools-41.0.1-py2.py3-none-any.whl#sha256=c7769ce668c7a333d84e17fe8b524b1c45e7ee9f7908ad0a73e1eda7e6a5aebf (from markdown==3.1->-r requirements.txt (line 7))
Expected result

Successful install of Markdown.

Actual result

Install fails because setuptools==41.0.1 is not pinned.

Discussion

Seems like it would be good to do one of the following:

  • Print a warning to use --allow-unsafe when --generate-hashes is provided and there are unsafe package requirements.
  • Treat --generate-hashes as implying --allow-unsafe, maybe with a different comment in the generated requirements.txt.

I don't know why pip-compile chooses not to include setuptools or why pip chooses to require it, so I'm not sure what the correct thing to do is, but it seems like pip-compile has all the info it needs to recommend whatever that thing is.

(FWIW this is easy to miss and create latent bugs -- I did pip install Markdown first, which upgraded setuptools and masked the error, and then things broke a few days later when another dev tried to recreate their virtualenv.)
