Filter out yanked files (#413)

Implement two behaviors for yanked versions:

* During `pip-compile`, yanked versions are filtered out entirely, we
currently treat them is if they don't exist. This is leads to confusing
error messages because a version that does exist seems to have suddenly
disappeared.
* During `pip-sync`, we warn when we fetch a remote distribution and it
has been yanked. We currently don't warn on cached or installed
distributions that have been yanked.

crates/puffin-cli/src/commands/pip_sync.rs

@@ -3,10 +3,10 @@ use std::path::Path;
 
 use anyhow::{Context, Result};
 use colored::Colorize;
+use fs_err as fs;
 use itertools::{Either, Itertools};
 use tracing::debug;
 
-use fs_err as fs;
 use install_wheel_rs::linker::LinkMode;
 use pep508_rs::Requirement;
 use platform_host::Platform;
@@ -16,6 +16,7 @@ use puffin_dispatch::BuildDispatch;
 use puffin_distribution::{AnyDist, Metadata};
 use puffin_installer::{Builder, InstallPlan};
 use puffin_interpreter::Virtualenv;
+use pypi_types::Yanked;
 
 use crate::commands::reporters::{
     BuildReporter, DownloadReporter, FinderReporter, InstallReporter, UnzipReporter,
@@ -148,6 +149,33 @@ pub(crate) async fn sync_requirements(
         resolution.into_distributions().collect::<Vec<_>>()
     };
 
+    // TODO(konstin): Also check the cache whether any cached or installed dist is already known to
+    // have been yanked, we currently don't show this message on the second run anymore
+    for dist in &remote {
+        let Some(file) = dist.file() else {
+            continue;
+        };
+        match &file.yanked {
+            Yanked::Bool(false) => {}
+            Yanked::Bool(true) => {
+                writeln!(
+                    printer,
+                    "{}{} {dist} is yanked. Refresh your lockfile to pin an un-yanked version.",
+                    "warning".yellow().bold(),
+                    ":".bold(),
+                )?;
+            }
+            Yanked::Reason(reason) => {
+                writeln!(
+                    printer,
+                    "{}{} {dist} is yanked (reason: \"{reason}\"). Refresh your lockfile to pin an un-yanked version.",
+                    "warning".yellow().bold(),
+                    ":".bold(),
+                )?;
+            }
+        }
+    }
+
     // Download any missing distributions.
     let downloads = if remote.is_empty() {
         vec![]

crates/puffin-cli/tests/pip_compile.rs

@@ -653,19 +653,19 @@ fn compile_numpy_py38() -> Result<()> {
     requirements_in.write_str("numpy")?;
 
     insta::with_settings!({
-            filters => INSTA_FILTERS.to_vec()
-        }, {
-            assert_cmd_snapshot!(Command::new(get_cargo_bin(BIN_NAME))
-                .arg("pip-compile")
-                .arg("requirements.in")
-                .arg("--python-version")
-                .arg("py38")
-                .arg("--cache-dir")
-                .arg(cache_dir.path())
-    // Check that we select the wheel and not the sdist
-                .arg("--no-build")
-                .env("VIRTUAL_ENV", venv.as_os_str())
-                .current_dir(&temp_dir), @r###"
+        filters => INSTA_FILTERS.to_vec()
+    }, {
+        assert_cmd_snapshot!(Command::new(get_cargo_bin(BIN_NAME))
+            .arg("pip-compile")
+            .arg("requirements.in")
+            .arg("--python-version")
+            .arg("py38")
+            .arg("--cache-dir")
+            .arg(cache_dir.path())
+            // Check that we select the wheel and not the sdist
+            .arg("--no-build")
+            .env("VIRTUAL_ENV", venv.as_os_str())
+            .current_dir(&temp_dir), @r###"
             success: false
             exit_code: 2
             ----- stdout -----
@@ -674,7 +674,7 @@ fn compile_numpy_py38() -> Result<()> {
             error: Failed to build distribution: numpy-1.24.4.tar.gz
               Caused by: Building source distributions is disabled
             "###);
-        });
+    });
 
     Ok(())
 }

crates/puffin-cli/tests/pip_sync.rs

@@ -975,3 +975,39 @@ fn install_numpy_py38() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn warn_on_yanked_version() -> Result<()> {
+    let temp_dir = assert_fs::TempDir::new()?;
+    let cache_dir = assert_fs::TempDir::new()?;
+    let venv = temp_dir.child(".venv");
+
+    Command::new(get_cargo_bin(BIN_NAME))
+        .arg("venv")
+        .arg(venv.as_os_str())
+        .arg("--cache-dir")
+        .arg(cache_dir.path())
+        .current_dir(&temp_dir)
+        .assert()
+        .success();
+    venv.assert(predicates::path::is_dir());
+
+    let requirements_in = temp_dir.child("requirements.txt");
+    requirements_in.touch()?;
+    // This version is yanked
+    requirements_in.write_str("ipython==8.13.0")?;
+
+    insta::with_settings!({
+        filters => INSTA_FILTERS.to_vec()
+    }, {
+        assert_cmd_snapshot!(Command::new(get_cargo_bin(BIN_NAME))
+            .arg("pip-sync")
+            .arg("requirements.txt")
+            .arg("--cache-dir")
+            .arg(cache_dir.path())
+            .env("VIRTUAL_ENV", venv.as_os_str())
+            .current_dir(&temp_dir));
+    });
+
+    Ok(())
+}

crates/puffin-cli/tests/snapshots/pip_sync__warn_on_yanked_version.snap

@@ -0,0 +1,24 @@
+---
+source: crates/puffin-cli/tests/pip_sync.rs
+info:
+  program: puffin
+  args:
+    - pip-sync
+    - requirements.txt
+    - "--cache-dir"
+    - /var/folders/nt/6gf2v7_s3k13zq_t3944rwz40000gn/T/.tmpfXTdj6
+  env:
+    VIRTUAL_ENV: /var/folders/nt/6gf2v7_s3k13zq_t3944rwz40000gn/T/.tmpK8X9JT/.venv
+---
+success: true
+exit_code: 0
+----- stdout -----
+
+----- stderr -----
+Resolved 1 package in [TIME]
+warning: ipython==8.13.0 is yanked (reason: "Wrong Python Pinning"). Refresh your lockfile to pin an un-yanked version.
+Downloaded 1 package in [TIME]
+Unzipped 1 package in [TIME]
+Installed 1 package in [TIME]
+ + ipython==8.13.0
+