mirror of
https://github.com/astral-sh/uv.git
synced 2025-07-07 21:35:00 +00:00
uv’s default index strategy was designed with dependency confusion attacks in mind. [According to the docs](https://docs.astral.sh/uv/configuration/indexes/#searching-across-multiple-indexes), “if a package exists on an internal index, it should always be installed from the internal index, and never from PyPI”. Unfortunately, this is not true in the case where authentication fails on that internal index. In that case, uv will simply try the next index (even on the `first-index` strategy). This means that uv is not secure by default in this common scenario.

This PR causes uv to stop searching for a package if it encounters an authentication failure at an index. It is possible to opt out of this behavior for an index with a new `pyproject.toml` option `ignore-error-codes`. For example:

```toml
[[tool.uv.index]]
name = "my-index"
url = "<index-url>"
ignore-error-codes = [401, 403]
```

This will also enable users to handle idiosyncratic registries in a more fine-grained way. For example, PyTorch registries return a 403 when a package is not found. In this PR, we special-case PyTorch registries to ignore 403s, but users can use `ignore-error-codes` to handle similar behaviors if they encounter them on internal registries.

Depends on #12651
Closes #9429
Closes #12362
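The lookup behaviour the commit message describes, as an added example that is not uv's own code (uv is written in Rust; this is a Python model of its `first-index` search). The index names, package names, URLs and HTTP responses are constructed for illustration: `acme-utils` is a private package for which the client holds no credentials, so the internal index answers 401 and a lookalike exists on PyPI; the PyTorch index answers 403 for packages it does not carry, which is why that entry lists 403 in `ignore-error-codes`.

```python
# Added example (not uv's code): model of uv's `first-index` lookup before
# and after the change in the commit above. Index names, package names,
# URLs and HTTP responses below are constructed for illustration.
from dataclasses import dataclass

AUTH_FAILURE_CODES = frozenset({401, 403})


@dataclass(frozen=True)
class Index:
    """One `[[tool.uv.index]]` entry with its `ignore-error-codes` list."""
    name: str
    url: str
    ignore_error_codes: frozenset = frozenset()


# Mirrors a pyproject.toml with three indexes in priority order. The internal
# index comes first, as the uv docs recommend against dependency confusion;
# the PyTorch index ignores 403 because that registry uses it for "not found".
INDEXES = [
    Index("internal", "https://pypi.internal.example/simple"),
    Index("torch", "https://download.pytorch.org/whl/cpu", frozenset({403})),
    Index("pypi", "https://pypi.org/simple"),
]

# Constructed responses: (index name, package) -> HTTP status. The client in
# this scenario has no credentials for "internal", so it gets 401 there.
RESPONSES = {
    ("internal", "acme-utils"): 401,   # private package, credentials missing
    ("pypi", "acme-utils"): 200,       # lookalike registered on PyPI
    ("internal", "numpy"): 404,
    ("torch", "numpy"): 403,           # PyTorch registry's "not found"
    ("pypi", "numpy"): 200,
    ("internal", "torch"): 404,
    ("torch", "torch"): 200,
}


class IndexAuthError(Exception):
    """An index rejected the request with a code that is not ignored."""


def fetch_status(index: Index, package: str) -> int:
    """Stand-in for the HTTP request to `<index-url>/<package>/`."""
    return RESPONSES.get((index.name, package), 404)


def resolve_before_fix(indexes, package):
    """Old behaviour: every non-200 answer, 401/403 included, falls through
    to the next index, so a private package with missing credentials is
    silently fetched from PyPI (the dependency confusion case)."""
    for index in indexes:
        if fetch_status(index, package) == 200:
            return index.name
    return None


def resolve_after_fix(indexes, package):
    """New behaviour: an auth failure stops the search unless that index
    lists the code in `ignore-error-codes`; 404 still means "try the next"."""
    for index in indexes:
        status = fetch_status(index, package)
        if status == 200:
            return index.name
        if status in AUTH_FAILURE_CODES and status not in index.ignore_error_codes:
            raise IndexAuthError(
                f"{index.name} returned {status} for {package}; "
                "refusing to fall through to a later index"
            )
    return None


def outcome_after_fix(indexes, package):
    """Summarise resolve_after_fix as a string for side-by-side comparison."""
    try:
        name = resolve_after_fix(indexes, package)
    except IndexAuthError as exc:
        return f"blocked: {exc}"
    return f"found on {name}" if name else "not found"


if __name__ == "__main__":
    for pkg in ("acme-utils", "numpy", "torch"):
        print(pkg, "| before:", resolve_before_fix(INDEXES, pkg),
              "| after:", outcome_after_fix(INDEXES, pkg))
```

Running it shows the two behaviours side by side: before the change `acme-utils` resolves from `pypi` even though the internal index rejected the request, after it the lookup stops at `internal` with a 401; `numpy` still resolves from PyPI because the PyTorch index's 403 is explicitly ignored, and dropping that `ignore-error-codes` entry makes the same 403 block the search.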
Directory listing at this commit:

- .overrides
- assets
- concepts
- configuration
- getting-started
- guides
- js
- pip
- reference
- stylesheets
- .gitignore
- index.md
- requirements-insiders.in
- requirements-insiders.txt
- requirements.in
- requirements.txt