poetry 1.1.4 locks all packages to be pulled from secondary repo

Created on 29 Oct 2020 · 4 Comments · Source: python-poetry/poetry

  • [x] I am on the latest Poetry version.
  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [x] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
  • OS version and name: macOS 10.14
  • Poetry version: 1.1.4

Issue

Hi,

I'm experiencing this behavior on 1.1.4. In pyproject.toml I have configured a secondary repo:

[[tool.poetry.source]]
name = "xxx"
url = "https://PRIVATE"
secondary = true

As such, I expect that poetry will fetch most packages from the main PyPI. And 1.1.3 indeed does that. However, 1.1.4 adds this configuration to every package (non-private as well) in poetry.lock:

[[package]]
name = "alabaster"
version = "0.7.12"
description = "A configurable sidebar-enabled Sphinx theme"
category = "main"
optional = true
python-versions = "*"

[package.source]
type = "legacy"
url = "https://PRIVATE"
reference = "xxx"

IMO this is unexpected behavior. I did git bisect and found out that this bug was introduced in 74fc8eb1cafe2006c22a969d5c0cd53968e46f2a, in an attempt to fix other pypi-related issues.

Bug Repository Triage

All 4 comments

        # Always put PyPI last to prefer private repositories
        # but only if we have no other default source
        if not poetry.pool.has_default():
            has_sources = bool(sources)
            poetry.pool.add_repository(PyPiRepository(), not has_sources, has_sources)
        else:
            if io.is_debug():
                io.write_line("Deactivating the PyPI repository")

It seems there's missing logic about secondary repos here; something like if not poetry.pool.has_primary() would be needed (just a concept, there's no such function as of now).

Also affected by this.

Also experiencing the same issue. I have fixed it on my own and was going to open a pull request but it seems it was already done :)

A quick workaround is to redefine the PyPI repository, but it's kind of ugly as it adds an entry "package.source" in the lock file for every package coming from PyPI.

[[tool.poetry.source]]
name = "private"
url = "https://private_url"
secondary = true
default = false

[[tool.poetry.source]]
name = "official_pypi"
url = "https://pypi.org/simple"
default = true
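
A check for the lock-file symptom reported in this issue, and for the side effect of the workaround above, as an added example (not code from Poetry or from any commenter): it lists packages that poetry.lock pins to the secondary source but that are not on an allow-list of genuinely private packages. The sample lock text, the internal-lib package, the requests entry and the allow-list are constructed for illustration; tomllib needs Python 3.11+ (the tomli fallback is an assumption for older interpreters).

```python
try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # assumption: tomli backport installed on older Pythons

PYPI = "pypi"  # label chosen here for packages without a [package.source] table

# Constructed sample lock file; the alabaster entry mirrors the one in the issue.
SAMPLE_LOCK = '''
[[package]]
name = "alabaster"
version = "0.7.12"

[package.source]
type = "legacy"
url = "https://PRIVATE"
reference = "xxx"

[[package]]
name = "internal-lib"
version = "1.0.0"

[package.source]
type = "legacy"
url = "https://PRIVATE"
reference = "xxx"

[[package]]
name = "requests"
version = "2.24.0"
'''

def sources_by_package(lock_text):
    """Map each locked package name to the (reference, url) it is pinned to."""
    result = {}
    for pkg in tomllib.loads(lock_text).get("package", []):
        src = pkg.get("source")
        result[pkg["name"]] = (src.get("reference"), src.get("url")) if src else (PYPI, None)
    return result

def unexpected_private(lock_text, private_reference, allowed):
    """Packages pinned to the private source that are not on the allow-list."""
    pinned = sources_by_package(lock_text)
    return sorted(n for n, (ref, _) in pinned.items()
                  if ref == private_reference and n not in allowed)

if __name__ == "__main__":
    for name in unexpected_private(SAMPLE_LOCK, "xxx", {"internal-lib"}):
        print("locked to private source but not allow-listed:", name)
```

Run against a real poetry.lock after a Poetry upgrade or a source change, a non-empty result means public packages would be resolved from the private index on install.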

@maksbotan @jaklan @aviramha @yebinama
@tomzx contributed a possible fix here: https://github.com/python-poetry/poetry/pull/3406
Would you mind testing it if you get a chance?
