mirror of
https://github.com/astral-sh/uv.git
synced 2025-08-04 10:58:28 +00:00
Previously, `uv` would always prioritize the index given by `--index-url`. It would then try any indexes after that given by zero or more `--extra-index-url` flags. This differed from `pip` in that any priority was given at all, where `pip` doesn't guarantee any priority ordering of indexes. We could go in the direction of mimicking `pip`'s behavior here, but it at present has issues with dependency confusion attacks where packages may get installed from indexes you don't control. More specifically, there is an issue of different trust levels. See discussion in #171 and [PEP-0708] for more on the security impact.

In contrast, `uv` will only select versions for a package from a single index. That is, even if `foo` is in indexes `a` and `b`, it will only consider the versions from the index that it checks first. This probably helps with respect to dependency confusion attacks, but also means that `uv` doesn't quite cover all of the same use cases as `pip`.

In this PR, we retain the notion of prioritizing indexes, but tweak it so that PyPI is preferred last as opposed to first. Or more precisely, the `--index-url` flag specifies a fallback index, not the primary index, and is deprioritized beneath every index specified by `--extra-index-url`. The ordering among indexes given by `--extra-index-url` remains the same: earlier indexes are prioritized over later indexes. While this tweak likely won't hit all use cases, I believe it will resolve some of the most common pain points without exacerbating dependency confusion problems.

Ref #171, Fixes #1377, Fixes #1451, Fixes #1600

[PEP-0708]: https://peps.python.org/pep-0708/
- src
- tests
- Cargo.toml
- README.md
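The two index-priority policies the commit message contrasts, modelled as an added example (this is not uv's resolver or any code from the project). The `Index` class, `uv_index_order`, `resolve_uv`, `resolve_pip_like` and `compare_policies` are illustrative names, the index URLs and package versions are constructed sample data, and the version key is a minimal dotted-integer comparison rather than PEP 440. It shows why "first index that has the package wins, fallback last" keeps a package that only exists on a private index from being satisfied by a same-named release on the public one, while a merged highest-version policy does not.

```python
"""Model of index priority: uv (old and new ordering) versus a pip-like merge.
Added example; not uv's own code. All index data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Index:
    url: str
    # package name -> version strings available on this index (constructed)
    packages: dict[str, list[str]]


def parse_version(v: str) -> tuple[int, ...]:
    """Minimal dotted-integer version key (illustrative; not PEP 440)."""
    return tuple(int(part) for part in v.split("."))


def uv_index_order(index_url: Index, extra_index_urls: list[Index],
                   new_behaviour: bool) -> list[Index]:
    """Priority order in which indexes are consulted.

    Old: --index-url first, then each --extra-index-url in order.
    New (this PR): each --extra-index-url in order, then --index-url as the
    fallback, so the public index is consulted last.
    """
    if new_behaviour:
        return list(extra_index_urls) + [index_url]
    return [index_url] + list(extra_index_urls)


def resolve_uv(package: str, ordered: list[Index]) -> tuple[str, str] | None:
    """uv semantics: the first index (in priority order) that knows the package
    wins outright; versions on later indexes are never considered."""
    for idx in ordered:
        if package in idx.packages:
            best = max(idx.packages[package], key=parse_version)
            return idx.url, best
    return None


def resolve_pip_like(package: str, indexes: list[Index]) -> tuple[str, str] | None:
    """pip-like semantics: candidates from every index are merged and the
    highest version wins, regardless of which index supplied it."""
    candidates = [
        (parse_version(v), v, idx.url)
        for idx in indexes
        if package in idx.packages
        for v in idx.packages[package]
    ]
    if not candidates:
        return None
    _, version, url = max(candidates)
    return url, version


# Constructed sample indexes. "acme-internal-utils" is a private package whose
# name also appears on the public index with a much higher version number.
PYPI = Index("https://pypi.org/simple",
             {"requests": ["2.31.0"], "acme-internal-utils": ["99.0.0"]})
INTERNAL = Index("https://pypi.example.internal/simple",
                 {"acme-internal-utils": ["1.2.0", "1.3.0"]})


def compare_policies(package: str = "acme-internal-utils") -> dict[str, tuple[str, str] | None]:
    """Resolve `package` under each policy with --index-url=PYPI and
    --extra-index-url=INTERNAL, returning (index_url, version) per policy."""
    return {
        "uv_old": resolve_uv(package, uv_index_order(PYPI, [INTERNAL], new_behaviour=False)),
        "uv_new": resolve_uv(package, uv_index_order(PYPI, [INTERNAL], new_behaviour=True)),
        "pip_like": resolve_pip_like(package, [PYPI, INTERNAL]),
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(f"{policy:9} -> {result}")
    # A package that exists only on the public index still resolves under the
    # new ordering, because --index-url is consulted as the fallback.
    print("requests  ->", compare_policies("requests")["uv_new"])
```

Under the old ordering and under the pip-like merge, the constructed `acme-internal-utils` resolves to the public index; under the new ordering it resolves to the private index, while `requests`, which only the public index carries, still falls through to it.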
pypi-client
A general-use client for interacting with PyPI.
Loosely modeled after Orogene's oro-client.