# chainctl libraries update-hashes

URL: https://edu.chainguard.dev/chainguard/chainctl/chainctl-docs/chainctl_libraries_update-hashes.md
Last Modified: April 23, 2026
Tags: chainctl, Reference, Product

 chainctl libraries update-hashes Update lockfile integrity hashes with Chainguard Libraries checksums
Synopsis update-hashes reads package lockfiles and updates integrity hashes with checksums from Chainguard Libraries.
Provide a path to a specific lockfile, or omit it to auto-detect a lockfile in the current directory.
By default, Chainguard hashes are appended alongside existing hashes in supported formats (e.g. pip-tools, poetry). Use &ndash;replace to replace them.
Note: formats that store a single hash per artifact (uv.lock, pdm.lock, pylock.toml) always replace — &ndash;replace has no effect on them.
JavaScript formats:
package-lock.json (npm v2/v3) yarn.lock (v1 and berry/v2+) pnpm-lock.yaml bun.lock Python formats:
requirements.txt (pip-tools, with &ndash;hash) poetry.lock pdm.lock uv.lock pylock.toml (PEP 751) Pipfile.lock The ecosystem is auto-detected from the lockfile name. Use &ndash;ecosystem to override.
For Python, hashes are fetched from the Chainguard Libraries &ldquo;python&rdquo; catalog by default. Use &ndash;remediated to fetch from &ldquo;python-remediated&rdquo; (CVE-patched packages), and &ndash;cuda to also include packages from the matching CUDA variant catalog.
chainctl libraries update-hashes [lockfile-path] [flags] Examples # Auto-detect lockfile in the current directory chainctl libraries update-hashes # Update hashes in a specific npm lockfile chainctl libraries update-hashes package-lock.json # Update hashes in a Python pip-tools requirements file chainctl libraries update-hashes path/to/requirements.txt # Preview changes without writing the file chainctl libraries update-hashes --dry-run package-lock.json # Replace hashes (instead of appending alongside existing ones) chainctl libraries update-hashes --replace uv.lock # Include CUDA variant packages for Python chainctl libraries update-hashes --cuda cu128 uv.lock Options --cuda string CUDA variant to include alongside python (e.g. &#34;cu124&#34;, &#34;cu130&#34;) --dry-run Show what would change without writing --ecosystem string Ecosystem: &#34;auto&#34;, &#34;js&#34;, or &#34;python&#34; (default &#34;auto&#34;) --ecosystems-url string URL for the Ecosystems Proxy (defaults to https://libraries.cgr.dev) --no-color Disable colored output --parent string Parent organization for authentication --remediated Use python-remediated registry (Python only) --replace Replace integrity hashes instead of appending (no-op for formats that only support replacement) Options inherited from parent commands --api string The url of the Chainguard platform API. (default &#34;https://console-api.enforce.dev&#34;) --audience string The Chainguard token audience to request. (default &#34;https://console-api.enforce.dev&#34;) --config string A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly. --console string The url of the Chainguard platform Console. (default &#34;https://console.chainguard.dev&#34;) --force-color Force color output even when stdout is not a TTY. -h, --help Help for chainctl --issuer string The url of the Chainguard STS endpoint. (default &#34;https://issuer.enforce.dev&#34;) --log-level string Set the log level (debug, info) (default &#34;ERROR&#34;) -o, --output string Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide] -v, --v int Set the log verbosity level. SEE ALSO chainctl libraries	- Ecosystem library related commands.