
Private repository has being added to every single package in poetry.lock

  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
  • OS version and name: macOS Big Sur version: 11.6.1
  • Poetry version: 1.1.11

Issue

For almost all packages that we have in pyproject.toml, we also have an entry with the [package.source] of our private repository, like:


[[package]]
name = "async-generator"
version = "1.10"
description = "Async generators and context managers for Python 3.5+"
category = "dev"
optional = false
python-versions = ">=3.5"

[package.source]
type = "legacy"
url = "https://private-repository-address/api/pypi/python/simple"
reference = "private-repository"

[[package]]
name = "atomicwrites"
version = "1.4.0"
description = "Atomic file writes."
category = "dev"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"

[package.source]
type = "legacy"
url = "https://private-repository-address/api/pypi/python/simple"
reference = "private-repository"

Is this behaviour expected?


Top GitHub Comments

wackydoo commented, Jan 12, 2022 (1 reaction)

I am also seeing this behaviour when pointing to a private repository served using devpi. I was initially using a private devpi index which inherited root/pypi, so the private repo was able to provide the PyPI packages. Lock file URLs confirmed that the PyPI packages were being sourced from the private repo. When I reconfigured the private repository to no longer inherit root/pypi, I saw the same problem as @drsantos20: the lock file was still using the private repo URL for sourcing the PyPI packages, so it failed to download them.

I was able to fix this by running poetry cache clear --all <private-reponame>.

neersighted commented, Oct 4, 2022 (0 reactions)

This is by design and, if unexpected, is mostly a user error. If you set a source as primary (no default = true or secondary = true), it will be checked first, before PyPI. If a package is available there, Poetry will lock it there instead of from PyPI. If you wanted to consider PyPI first, you should likely set secondary = true, and consider setting source = to avoid dependency confusion attacks.

Obviously this mechanism is rather coarse and most would likely rather see something more fine-grained. See https://github.com/python-poetry/poetry/pull/5984#issuecomment-1237245571 for a proposal for a more granular solution.
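The following script is an added example, not Poetry's own code and not part of the issue thread. It checks a project for the two things the comment above describes: a private source that is primary (neither default = true nor secondary = true, so it is consulted before PyPI for every package), and packages that poetry.lock resolved from the private index without the dependency being pinned to it with source = in pyproject.toml. The sample pyproject.toml and poetry.lock are constructed (the package name internal-lib and the project name demo are hypothetical); the index URL and reference are taken from the lock excerpt in the issue. It assumes the Poetry 1.x layout shown on this page and Python 3.11+ for tomllib (or the tomli backport on older interpreters).

```python
"""Audit poetry.lock against pyproject.toml for unexpected package sources.

Added example; not Poetry's code and not from the issue thread. Assumes the
Poetry 1.x layout seen on this page: [[tool.poetry.source]] entries with
`default`/`secondary` flags, dependency specs that may pin `source = "..."`,
and lock entries whose [package.source] `reference` names the index used.
"""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore  # `pip install tomli` on older Pythons

# Constructed sample project (hypothetical names), modelled on the lock excerpt
# in the issue: the private source is primary because neither flag is set.
PYPROJECT_TOML = """\
[tool.poetry]
name = "demo"
version = "0.1.0"

[tool.poetry.dependencies]
python = "^3.8"
async-generator = "^1.10"
internal-lib = { version = "^2.0", source = "private-repository" }

[tool.poetry.dev-dependencies]
atomicwrites = "^1.4"

[[tool.poetry.source]]
name = "private-repository"
url = "https://private-repository-address/api/pypi/python/simple"
"""

# The correction suggested in the comment above: PyPI is consulted first, and
# the private-only package stays pinned to the private index by `source =`.
PYPROJECT_TOML_FIXED = PYPROJECT_TOML + "secondary = true\n"

POETRY_LOCK = """\
[[package]]
name = "async-generator"
version = "1.10"
[package.source]
type = "legacy"
url = "https://private-repository-address/api/pypi/python/simple"
reference = "private-repository"

[[package]]
name = "atomicwrites"
version = "1.4.0"

[[package]]
name = "internal-lib"
version = "2.0.1"
[package.source]
type = "legacy"
url = "https://private-repository-address/api/pypi/python/simple"
reference = "private-repository"
"""


def declared_sources(pyproject: dict) -> dict:
    """Map each direct dependency to the index it is pinned to (None = not pinned)."""
    poetry = pyproject["tool"]["poetry"]
    pinned = {}
    for deps in (poetry.get("dependencies", {}), poetry.get("dev-dependencies", {})):
        for name, spec in deps.items():
            if name != "python":
                pinned[name] = spec.get("source") if isinstance(spec, dict) else None
    return pinned


def locked_sources(lock: dict) -> dict:
    """Map each locked package to the source reference it came from (None = PyPI)."""
    return {p["name"]: p.get("source", {}).get("reference") for p in lock.get("package", [])}


def audit(pyproject_text: str, lock_text: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    pyproject = tomllib.loads(pyproject_text)
    lock = tomllib.loads(lock_text)
    findings = []
    # A source with neither flag is primary: Poetry 1.x asks it before PyPI for
    # every package, which is exactly the behaviour the issue reports.
    for src in pyproject["tool"]["poetry"].get("source", []):
        if not src.get("default") and not src.get("secondary"):
            findings.append(f"source '{src['name']}' is primary: consulted before PyPI for every package")
    # Locked from a private index without a matching `source =` pin: an unintended
    # private-index hit (this issue, or a stale lock after flipping the flag), or a
    # name that resolves from PyPI first once the source is secondary, so whoever
    # registers it on PyPI wins (dependency confusion).
    pinned = declared_sources(pyproject)
    for name, ref in sorted(locked_sources(lock).items()):
        if ref is None:
            continue
        if name not in pinned:
            findings.append(f"'{name}' locked from '{ref}' as a transitive dependency: cannot be pinned with source =")
        elif pinned[name] != ref:
            findings.append(f"'{name}' locked from '{ref}' but pyproject does not pin it there (add source = \"{ref}\")")
    return findings


if __name__ == "__main__":
    for label, text in (("as reported", PYPROJECT_TOML), ("after fix", PYPROJECT_TOML_FIXED)):
        print(f"== {label} ==", *audit(text, POETRY_LOCK), sep="\n")
```

Run against the sample "as reported", the audit flags the primary source and async-generator (a PyPI package that the lock pulled from the private index). With the corrected pyproject only the async-generator finding remains, which is the signal to re-lock (and, as the first comment notes, possibly clear the cache for that source) so the lock file reflects the new source order.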
