Add an option to make --generate-hashes terser #2165

Open
wesley-dean-flexion opened this issue Feb 18, 2025 · 0 comments
What's the problem this feature will solve?

There is a tool, Checkmarx/dustilock that attempts to find requirements' versions that may allow an attacker to register malicious versions of Python and Node packages. This tool appears not to handle line continuation characters properly (as documented in Checkmarx/dustilock#5).

As a work-around, the output of pip-compile can be piped through sed to strip comments and rejoin "continued" lines.

Describe the solution you'd like

I would like to have a flag for pip-compile to suppress the inclusion of comments and line continuation syntax -- particularly when --generate-hashes is used -- and generate more terse, less human-friendly output.

Something like:

pip-compile --generate-hashes --terse -o requirements.txt requirements.in

Alternative Solutions

pip-compile --generate-hashes -o - requirements.in \
| sed \
  -Ee 's/#.*$//g' \
  -Ee ':x; /\\$/ { N; s/\\\n//; tx }' \
  -Ee 's/\s+/ /g' 

Additional context

Here's a link to an issue in the tool that's actually misinterpreting the results: Checkmarx/dustilock#5

The issue is with dustilock. The pip-compile tool is functioning correctly (i.e., this is not a bug with pip-compile). It would be understandable if the consensus was, "pip-compile is correct and there exists a work-around, so this will not be a thing we will address at this time."

Also, as a human being, I appreciate the additional effort that goes into formatting. The experience of attempting to human-read terse output is very unpleasant. That said, as a human being, I tend to favor having tools handle the minutiae, so I wind up not actually reading pip-compile output very often. I hope you'll forgive me.

Thank you.
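As an added example (not code from pip-tools or from the issue author), the following Python does what the sed pipeline in the issue does to pip-compile --generate-hashes output (strip comments, rejoin backslash-continued lines, collapse whitespace) and then checks that every requirement is ==-pinned and carries at least one --hash, which is what a line-oriented consumer of such a file would want to verify. The SAMPLE input is constructed in pip-compile's layout and its digests are placeholders.

```python
"""Flatten pip-compile --generate-hashes output to one requirement per line."""
import re

# Constructed sample in pip-compile --generate-hashes layout; digests are placeholders.
SAMPLE = """\
#
# This file is autogenerated by pip-compile with Python 3.12
#
certifi==2024.2.2 \\
    --hash=sha256:PLACEHOLDER_A \\
    --hash=sha256:PLACEHOLDER_B
    # via requests
requests==2.31.0 \\
    --hash=sha256:PLACEHOLDER_C
    # via -r requirements.in
some-pkg>=1.0
"""


def join_continuations(text: str) -> list[str]:
    """Drop '#' comments, join backslash-continued lines, collapse whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"#.*$", "", raw)
        if line.rstrip().endswith("\\"):        # continued on the next line
            buf += line.rstrip()[:-1] + " "
            continue
        joined = re.sub(r"\s+", " ", buf + line).strip()
        buf = ""
        if joined:
            out.append(joined)
    if buf.strip():                             # dangling continuation at EOF
        out.append(re.sub(r"\s+", " ", buf).strip())
    return out


def parse_requirements(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Map each flattened line to (spec, [hashes]); option lines like -r are skipped."""
    reqs = []
    for line in lines:
        spec, *opts = line.split()
        if spec.startswith("-"):
            continue
        reqs.append((spec, [o[len("--hash="):] for o in opts if o.startswith("--hash=")]))
    return reqs


def unhashed_or_unpinned(reqs: list[tuple[str, list[str]]]) -> list[str]:
    """Specs a hash-checking install (pip --require-hashes) would reject."""
    return [spec for spec, hashes in reqs if not hashes or "==" not in spec]
```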
