Enforce that built package name matches declared package name (#315)

Closes https://github.com/astral-sh/puffin/issues/306.
2025-07-07 13:25:00 +00:00 · 2023-11-03 15:58:12 -07:00 · 2023-11-03 15:58:12 -07:00 · b589813e59
commit b589813e59
parent 643cf3b3aa
5 changed files with 74 additions and 52 deletions
--- a/crates/puffin-cli/tests/pip_compile.rs
+++ b/crates/puffin-cli/tests/pip_compile.rs
@ -885,9 +885,9 @@ fn compile_git_subdirectory_dependency() -> Result<()> {
    Ok(())
 }

-/// Resolve two packages from a `requirements.in` file with the same Git HTTPS dependency.
+/// Resolve a Git dependency with a declared name that differs from the true name of the package.
 #[test]
-fn compile_git_concurrent_access() -> Result<()> {
+fn compile_git_mismatched_name() -> Result<()> {
    let temp_dir = assert_fs::TempDir::new()?;
    let cache_dir = assert_fs::TempDir::new()?;
    let venv = temp_dir.child(".venv");
--- a/crates/puffin-cli/tests/snapshots/pip_compile__compile_git_concurrent_access.snap
+++ b/crates/puffin-cli/tests/snapshots/pip_compile__compile_git_concurrent_access.snap
@ -1,43 +0,0 @@
---
-source: crates/puffin-cli/tests/pip_compile.rs
-info:
-  program: puffin
-  args:
-    - pip-compile
-    - requirements.in
-    - "--cache-dir"
-    - /var/folders/nt/6gf2v7_s3k13zq_t3944rwz40000gn/T/.tmp6j5dBk
-  env:
-    VIRTUAL_ENV: /var/folders/nt/6gf2v7_s3k13zq_t3944rwz40000gn/T/.tmpYyHlPp/.venv
---
-success: true
-exit_code: 0
----- stdout -----
-# This file was autogenerated by Puffin v0.0.1 via the following command:
-#    [BIN_PATH] pip-compile requirements.in --cache-dir [CACHE_DIR]
-click==8.1.7
-    # via
-    #   dask
-    #   flask
-dask @ git+https://github.com/pallets/flask.git@735a4701d6d5e848241e7d7535db898efb62d400
-flask @ git+https://github.com/pallets/flask.git@2f0c62f5e6e290843f03c1fa70817c7a3c7fd661
-itsdangerous==2.1.2
-    # via
-    #   dask
-    #   flask
-jinja2==3.1.2
-    # via
-    #   dask
-    #   flask
-markupsafe==2.1.3
-    # via
-    #   jinja2
-    #   werkzeug
-werkzeug==3.0.1
-    # via
-    #   dask
-    #   flask
-
----- stderr -----
-Resolved 7 packages in [TIME]
-
--- a/crates/puffin-cli/tests/snapshots/pip_compile__compile_git_mismatched_name.snap
+++ b/crates/puffin-cli/tests/snapshots/pip_compile__compile_git_mismatched_name.snap
@ -0,0 +1,19 @@
+---
+source: crates/puffin-cli/tests/pip_compile.rs
+info:
+  program: puffin
+  args:
+    - pip-compile
+    - requirements.in
+    - "--cache-dir"
+    - /var/folders/nt/6gf2v7_s3k13zq_t3944rwz40000gn/T/.tmpGuzVHM
+  env:
+    VIRTUAL_ENV: /var/folders/nt/6gf2v7_s3k13zq_t3944rwz40000gn/T/.tmpwgTo7l/.venv
+---
+success: false
+exit_code: 2
+----- stdout -----
+
+----- stderr -----
+error: Package metadata name `flask` does not match given name `dask`
+
--- a/crates/puffin-resolver/src/error.rs
+++ b/crates/puffin-resolver/src/error.rs
@ -3,6 +3,7 @@ use thiserror::Error;
 use url::Url;

 use pep508_rs::Requirement;
+use puffin_normalize::PackageName;

 use crate::pubgrub::{PubGrubPackage, PubGrubVersion};

@ -26,6 +27,12 @@ pub enum ResolveError {
    #[error(transparent)]
    PubGrub(#[from] pubgrub::error::PubGrubError<PubGrubPackage, Range<PubGrubVersion>>),

+    #[error("Package metadata name `{metadata}` does not match given name `{given}`")]
+    NameMismatch {
+        given: PackageName,
+        metadata: PackageName,
+    },
+
    #[error("Failed to build distribution: {filename}")]
    RegistryDistribution {
        filename: String,
--- a/crates/puffin-resolver/src/resolver.rs
+++ b/crates/puffin-resolver/src/resolver.rs
@ -354,7 +354,10 @@ impl<'a, Context: BuildContext + Sync> Resolver<'a, Context> {
            match candidate.file {
                DistributionFile::Wheel(file) => {
                    if in_flight.insert_file(&file) {
-                        request_sink.unbounded_send(Request::Wheel(file.clone()))?;
+                        request_sink.unbounded_send(Request::Wheel(
+                            candidate.package_name.clone(),
+                            file.clone(),
+                        ))?;
                    }
                }
                DistributionFile::Sdist(file) => {
@ -441,7 +444,10 @@ impl<'a, Context: BuildContext + Sync> Resolver<'a, Context> {
                match candidate.file {
                    DistributionFile::Wheel(file) => {
                        if in_flight.insert_file(&file) {
-                            request_sink.unbounded_send(Request::Wheel(file.clone()))?;
+                            request_sink.unbounded_send(Request::Wheel(
+                                candidate.package_name.clone(),
+                                file.clone(),
+                            ))?;
                        }
                    }
                    DistributionFile::Sdist(file) => {
@ -663,12 +669,21 @@ impl<'a, Context: BuildContext + Sync> Resolver<'a, Context> {
                    .await
            }
            // Fetch wheel metadata from the registry.
-            Request::Wheel(file) => {
-                self.client
+            Request::Wheel(package_name, file) => {
+                let metadata = self
+                    .client
                    .file(file.clone().into())
-                    .map_ok(move |metadata| Response::Wheel(file, metadata))
                    .map_err(ResolveError::Client)
-                    .await
+                    .await?;
+
+                if metadata.name != package_name {
+                    return Err(ResolveError::NameMismatch {
+                        metadata: metadata.name,
+                        given: package_name,
+                    });
+                }
+
+                Ok(Response::Wheel(file, metadata))
            }
            // Build a source distribution from the registry, returning its metadata.
            Request::Sdist(package_name, version, file) => {
@ -697,6 +712,14 @@ impl<'a, Context: BuildContext + Sync> Resolver<'a, Context> {
                            })?
                    }
                };
+
+                if metadata.name != package_name {
+                    return Err(ResolveError::NameMismatch {
+                        metadata: metadata.name,
+                        given: package_name,
+                    });
+                }
+
                Ok(Response::Sdist(file, metadata))
            }
            // Build a source distribution from a remote URL, returning its metadata.
@ -746,6 +769,14 @@ impl<'a, Context: BuildContext + Sync> Resolver<'a, Context> {
                            })?
                    }
                };
+
+                if metadata.name != package_name {
+                    return Err(ResolveError::NameMismatch {
+                        metadata: metadata.name,
+                        given: package_name,
+                    });
+                }
+
                Ok(Response::SdistUrl(url, precise, metadata))
            }
            // Fetch wheel metadata from a remote URL.
@ -781,6 +812,14 @@ impl<'a, Context: BuildContext + Sync> Resolver<'a, Context> {
                            })?
                    }
                };
+
+                if metadata.name != package_name {
+                    return Err(ResolveError::NameMismatch {
+                        metadata: metadata.name,
+                        given: package_name,
+                    });
+                }
+
                Ok(Response::WheelUrl(url, None, metadata))
            }
        }
@ -825,7 +864,7 @@ enum Request {
    /// A request to fetch the metadata for a package.
    Package(PackageName),
    /// A request to fetch wheel metadata from a registry.
-    Wheel(WheelFile),
+    Wheel(PackageName, WheelFile),
    /// A request to fetch source distribution metadata from a registry.
    Sdist(PackageName, pep440_rs::Version, SdistFile),
    /// A request to fetch wheel metadata from a remote URL.