Private repository name gets overwritten in poetry.lock update (even when the update is for a PyPI package) #4026

Closed
@isobelhooper

Description

Package ecosystem: Python / poetry
Package manager version: Poetry 1.1.7
Language version: Python 3.8
Manifest location and content prior to update:

Shortened and redacted pyproject.toml:

[tool.poetry.dependencies]
python = "^3.8"
environ-config = "^20.1.0"
private-package = { version = "=0.17.0", source = "private-repository" }

[[tool.poetry.source]]
name = "pypi-default"
url = "https://pypi.org/simple/"

[[tool.poetry.source]]
name = "private-repository"
url = "https://redacted-pypi.example.com/simple/"
secondary = true

...

Shortened and redacted poetry.lock:

[[package]]
name = "environ-config"
version = "20.1.0"
description = "Boilerplate-free configuration with env variables."
category = "main"
optional = false
python-versions = "*"

[package.source]
type = "legacy"
url = "https://pypi.org/simple"
reference = "pypi-default"

[[package]]
name = "private-package"
version = "0.17.0"
description = "A package on our private PyPI-alike server."
category = "main"
optional = false
python-versions = ">=3.7,<4.0"

[package.source]
type = "legacy"
url = "https://redacted-pypi.example.com/simple/"
reference = "private-repository"

...

Updated dependency: environ-config, from 20.1.0 to 21.2.0

What you expected to see, versus what you actually saw:
Expected

  • environ-config and its dependencies have their version numbers updated in their [[package]] sections and in [metadata.files] in poetry.lock, and also in [tool.poetry.dependencies] in pyproject.toml.
  • The content-hash in the [metadata] section is updated.
  • Possibly Poetry finds some other file changes, but nothing else outside [metadata.files] or the appropriate [[package]] sections are changed.

Observed

  • environ-config and its dependencies have version numbers updated as expected.
  • content-hash is updated as expected.
  • However, the name of the private repository in poetry.lock is also changed to a 4-digit hex string in the [package.source] section for private-package:
[package.source]
type = "legacy"
url = "https://redacted-pypi.example.com/simple/"
reference = "1bd7"

but is not changed in pyproject.toml, resulting in an error in our tests of Repository "1bd7" does not exist.

Native package manager behavior

When run on the pyproject.toml file that Dependabot produces, poetry lock --no-update does not change the reference name to a hex string.

The hex string looks like it comes from config_variable_sources in PyprojectPreparer, but I'm afraid I don't know Ruby well enough to have searched any further.

Apologies for the heavily redacted manifests - I hope these are useful enough on their own, but can try to produce actual poetry.lock and pyproject.toml files that are small but still reproduce this behaviour if the excerpts above are not enough.
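One way to catch this kind of drift before it reaches CI, as an added example written for this page (not Dependabot's or Poetry's own code): a check that every legacy [package.source] reference in poetry.lock names a [[tool.poetry.source]] entry in pyproject.toml. The two manifests are constructed to mirror the redacted ones above, and the flat key = "string" scanner is an assumption that suffices for these files, not a full TOML parser.

```python
import re

# Constructed inputs mirroring the redacted manifests in the report (not the reporter's real files).
PYPROJECT = """\
[[tool.poetry.source]]
name = "pypi-default"
url = "https://pypi.org/simple/"
[[tool.poetry.source]]
name = "private-repository"
url = "https://redacted-pypi.example.com/simple/"
"""
POETRY_LOCK = """\
[[package]]
name = "environ-config"
[package.source]
type = "legacy"
reference = "pypi-default"
[[package]]
name = "private-package"
[package.source]
type = "legacy"
reference = "1bd7"
"""
# Matches the flat key = "string" lines these files use; deliberately not a full TOML parser.
KEY = re.compile(r'^([\w-]+)\s*=\s*"([^"]*)"')

def _tables(text):
    """Return [(header, {key: value})] for each [table] or [[array-of-tables]] entry."""
    out = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            out.append((line, {}))
        elif out and (m := KEY.match(line)):
            out[-1][1][m.group(1)] = m.group(2)
    return out

def lock_source_refs(lock):
    """Map package name -> [package.source].reference, for legacy (index) sources only."""
    refs, pkg = {}, None
    for header, body in _tables(lock):
        if header == "[[package]]":
            pkg = body.get("name")
        elif header == "[package.source]" and pkg and body.get("type") == "legacy":
            refs[pkg] = body.get("reference")
    return refs

def dangling_references(pyproject, lock):
    """Lock entries whose source name is not declared under [[tool.poetry.source]]."""
    known = {b.get("name") for h, b in _tables(pyproject) if h == "[[tool.poetry.source]]"}
    return {p: r for p, r in lock_source_refs(lock).items() if r not in known}
```

Run against the constructed inputs, the check flags private-package with the "1bd7" reference while environ-config passes; git and directory sources are skipped because their reference field is not a repository name.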
