Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Associate dependency with source
See original GitHub issueI have two entries in my pyproject.toml of the following form.
dependencies = [
...
"internal-package~=1.0",
]
[[tool.pdm.source]]
url = "https://gitlab.company.com/api/v4/projects/309/packages/pypi/simple"
verify_ssl = true
name = "custom-packages-1"
This possibly causes a name collision issue if somebody uploads a package called internal-package to pypi: (will pdm use the package from pypi or from my custom source?
It also appears to slow down pdm, as I presume pdm is searching for requests, pandas etc. in my custom source instead of only on pypi.
Both of these issues could be solved if there were a way to associate a particular dependency with a particular source.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:4
- Comments:16 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@ElijahSink Unfortunately the former, pip fetches candidates from all indexes and sorts them together to get the best match. We already have a plan to implement our own package finder to replace pip’s. So let’s leave it for this release and do improvements in the future.
Another mitigation for this dependency confusion issue is to follow some pattern for naming your internal packages, such as reducing the chances a public package uses the same name. Something like org-team-project-name. You’d have to keep this pattern and name private/hidden/secret of course (not public).