Redact index sources in uv.lock (#8333)

## Summary Closes https://github.com/astral-sh/uv/issues/8296.
2025-08-04 19:08:04 +00:00 · 2024-10-18 11:20:15 -04:00 · 2024-10-18 11:20:15 -04:00 · a459052f44
commit a459052f44
parent 23c80c547c
3 changed files with 12 additions and 41 deletions
--- a/crates/uv-pypi-types/src/requirement.rs
+++ b/crates/uv-pypi-types/src/requirement.rs
@ -70,43 +70,6 @@ impl Requirement {
        self.source.is_editable()
    }

-    /// Remove any sensitive credentials from the requirement.
-    #[must_use]
-    pub fn redact(self) -> Requirement {
-        match self.source {
-            RequirementSource::Git {
-                mut repository,
-                reference,
-                precise,
-                subdirectory,
-                url,
-            } => {
-                // Redact the repository URL, but allow `git@`.
-                redact_credentials(&mut repository);
-
-                // Redact the PEP 508 URL.
-                let mut url = url.to_url();
-                redact_credentials(&mut url);
-                let url = VerbatimUrl::from_url(url);
-
-                Self {
-                    name: self.name,
-                    extras: self.extras,
-                    marker: self.marker,
-                    source: RequirementSource::Git {
-                        repository,
-                        reference,
-                        precise,
-                        subdirectory,
-                        url,
-                    },
-                    origin: self.origin,
-                }
-            }
-            _ => self,
-        }
-    }
-
    /// Convert the requirement to a [`Requirement`] relative to the given path.
    pub fn relative_to(self, path: &Path) -> Result<Self, io::Error> {
        Ok(Self {
@ -614,7 +577,15 @@ enum RequirementSourceWire {
 impl From<RequirementSource> for RequirementSourceWire {
    fn from(value: RequirementSource) -> Self {
        match value {
-            RequirementSource::Registry { specifier, index } => Self::Registry { specifier, index },
+            RequirementSource::Registry {
+                specifier,
+                mut index,
+            } => {
+                if let Some(index) = index.as_mut() {
+                    redact_credentials(index);
+                }
+                Self::Registry { specifier, index }
+            }
            RequirementSource::Url {
                subdirectory,
                location,
@ -625,7 +596,7 @@ impl From<RequirementSource> for RequirementSourceWire {
                subdirectory: subdirectory
                    .as_deref()
                    .and_then(Path::to_str)
-                    .map(str::to_string),
+                    .map(ToString::to_string),
            },
            RequirementSource::Git {
                repository,
--- a/crates/uv/tests/it/lock.rs
+++ b/crates/uv/tests/it/lock.rs
@ -6501,7 +6501,7 @@ fn lock_redact_index_sources() -> Result<()> {
        ]

        [package.metadata]
-        requires-dist = [{ name = "iniconfig", specifier = ">=2", index = "https://public:heron@pypi-proxy.fly.dev/basic-auth/simple" }]
+        requires-dist = [{ name = "iniconfig", specifier = ">=2", index = "https://pypi-proxy.fly.dev/basic-auth/simple" }]

        [[package]]
        name = "iniconfig"
--- a/docs/configuration/indexes.md
+++ b/docs/configuration/indexes.md
@ -150,7 +150,7 @@ Alternatively, credentials can be embedded directly in the index definition:
 ```toml
 [[tool.uv.index]]
 name = "internal"
-url = "https://public:koala@https://pypi-proxy.corp.dev/simple"
+url = "https://public:koala@pypi-proxy.corp.dev/simple"
 ```

 For security purposes, credentials are _never_ stored in the `uv.lock` file; as such, uv _must_ have