Open NevoleMarek opened 1 month ago
So, today, you would do something like this in your pyproject.toml:
[tool.uv]
extra-index-url = ["https://pypi.example.org/simple/"]
uv will then look in https://pypi.example.org/simple/ before looking in PyPI, and if a package exists on that index, it won't check PyPI at all.
We'll likely add a more granular index API in the future that looks more like what you get in Poetry, PDM, or Rye.
If you want to replace PyPI entirely, you can do:
[tool.uv]
index-url = "https://pypi.example.org/simple/"
Alternatively, you can define these globally in ~/.config/uv/uv.toml:
extra-index-url = ["https://pypi.example.org/simple/"]
Thanks for the response
I guess the setting extra-index-url with index-strategy = "first-index" will do for now.
Looking forward to a more granular API in the future.
One thing I would like to prevent via the future API is dependency confusion attacks.
Makes sense. Our default strategy is more resilient to such attacks than pip (since, if a package exists on your index, we won't even look at PyPI, even if a more recent version is available there), but we do want to add an API that allows for explicit package-to-index assignments.
Regarding private source repository, is there a way to provide credentials?
The simplest way would be to add the private source repo as extra-index-url already with the credentials as follows:
[tool.uv]
extra-index-url = ["https://<username>:<password>@<index_url>"]
But as you can imagine, this is not the safest option. A bit more cumbersome but viable option is to specify the index and credentials with the uv add command and environment variables.
uv add package --extra-index-url https://${USERNAME}:${PASSWORD}@<index_url>
What I would like to see in the future is something similar to Poetry's way of doing this.
In addition to simple addition of sources they also provide the following way to add credentials to the sources.
poetry config http-basic.your_index <username> <password>
find more here
There are other options that uv recommends for HTTP authentication, but they are not the simplest either, or maybe I am missing something.
@NevoleMarek thanks, I'll check it out!
See also:
Actually I like the idea of using keyring and KWallet integration. Way better than storing passwords in open text.
Still no alternative to the poetry config http-basic.your_index <username> <password>?
Hi, I'd like to transition from poetry to uv. What I am missing is a way of using private repositories as a source for packages. Poetry allows adding private repositories like so:
poetry source add --priority=supplemental foo https://pypi.example.org/simple/
and then to install package from the repository like so:
poetry add --source foo private-package
Can this be sensibly done using uv? I guess it could somehow be done via HTTP URLs but that seems a bit cumbersome.