poetry 1.1.4 locks all packages to be pulled from secondary repo

  • I am on the latest Poetry version.

  • I have searched the issues of this repo and believe that this is not a duplicate.

  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

  • OS version and name: macOS 10.14

  • Poetry version: 1.1.4

Issue

Hi,

I’m experiencing this behavior on 1.1.4. In pyproject.toml I have configured a secondary repo:

[[tool.poetry.source]]
name = "xxx"
url = "https://PRIVATE"
secondary = true

As such, I expect that poetry will fetch most packages from the main PyPI. And 1.1.3 indeed does that. However, 1.1.4 adds this configuration to every package (non-private as well) in poetry.lock:

[[package]]
name = "alabaster"
version = "0.7.12"
description = "A configurable sidebar-enabled Sphinx theme"
category = "main"
optional = true
python-versions = "*"

[package.source]
type = "legacy"
url = "https://PRIVATE"
reference = "xxx"

IMO this is unexpected behavior. I did git bisect and found out that this bug was introduced in 74fc8eb1cafe2006c22a969d5c0cd53968e46f2a, in an attempt to fix other pypi-related issues.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 19
  • Comments: 9 (2 by maintainers)

Top GitHub Comments

14 reactions
aviramha commented, Nov 10, 2020

Also affected by this.

5 reactions
dwyatte commented, Apr 7, 2021

@sinoroc I can confirm that this is still affecting poetry 1.1.5. Here’s a simple pyproject.toml that uses https://mirrors.aliyun.com/pypi/simple/ as a secondary index:

[tool.poetry]
name = "poetry-3306"
version = "0.0.1"
description = ""
authors = []

[tool.poetry.dependencies]
alabaster = "0.7.12"

[[tool.poetry.source]]
name = "xxx"
url = "https://mirrors.aliyun.com/pypi/simple/"
secondary = true

And the resulting poetry.lock:

[[package]]
name = "alabaster"
version = "0.7.12"
description = "A configurable sidebar-enabled Sphinx theme"
category = "main"
optional = false
python-versions = "*"

[package.source]
type = "legacy"
url = "https://mirrors.aliyun.com/pypi/simple"
reference = "xxx"

[metadata]
lock-version = "1.1"
python-versions = "*"
content-hash = "db905a1e716f615a6a6b2ec78b39cfafb347e0fd2d32e1a09c25486f5e292751"

[metadata.files]
alabaster = [
    {file = "alabaster-0.7.12-py2.py3-none-any.whl", hash = "sha256:446438bdcca0e05bd45ea2de1668c1d9b032e1a9154c2c259092d77031ddd359"},
    {file = "alabaster-0.7.12.tar.gz", hash = "sha256:a661d72d58e6ea8a57f7a86e37d86716863ee5e92788398526d58b26a4e4dc02"},
]

alabaster should be pulled from pypi.org since I’ve marked https://mirrors.aliyun.com/pypi/simple/ as secondary.
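
A lock-file audit for the behaviour reported in this thread, as an added example that is not part of the original issue or of Poetry's own code: it lists every locked package pinned to a "legacy" source that is not on an allow-list of packages expected to come from the private index. The function name `audit_lock`, the `expected_private` allow-list, and the `internal-lib` and `requests` sample entries are hypothetical; it assumes, as the 1.1.3 behaviour described above implies, that packages resolved from PyPI carry no [package.source] table.

```python
"""Audit a poetry.lock for packages pinned to a non-default index (added example)."""
import re
try:
    import tomllib  # Python 3.11+
except ImportError:  # assumption: the tomli backport is installed on older Pythons
    import tomli as tomllib

# Constructed sample modelled on the lock excerpt in this thread. The
# "internal-lib" and "requests" entries are hypothetical, added for contrast.
SAMPLE_LOCK = '''
[[package]]
name = "alabaster"
version = "0.7.12"
[package.source]
type = "legacy"
url = "https://mirrors.aliyun.com/pypi/simple"
reference = "xxx"
[[package]]
name = "internal-lib"
version = "1.0.0"
[package.source]
type = "legacy"
url = "https://mirrors.aliyun.com/pypi/simple"
reference = "xxx"
[[package]]
name = "requests"
version = "2.25.1"
'''

def _norm(name):
    """Normalise a project name the way PEP 503 does, so comparisons are stable."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_lock(lock_text, expected_private):
    """Return (name, reference, url) for each package locked to a legacy index
    although it is not listed in expected_private."""
    allowed = {_norm(n) for n in expected_private}
    findings = []
    for pkg in tomllib.loads(lock_text).get("package", []):
        source = pkg.get("source")
        if not source or source.get("type") != "legacy":
            continue  # no source table (assumed PyPI), or git/path sources
        if _norm(pkg["name"]) not in allowed:
            findings.append((pkg["name"], source.get("reference"), source.get("url")))
    return findings

if __name__ == "__main__":
    for name, ref, url in audit_lock(SAMPLE_LOCK, {"internal-lib"}):
        print(f"{name}: locked to source {ref!r} ({url}), expected PyPI")
```

Run against a real lock file by passing its text as `lock_text`; a non-empty result in CI is a signal that a public dependency would be installed from the secondary index instead of PyPI.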
