UX: `pdm update --update-all` vs `pdm outdated` inconsistency

polarathene commented 2 months ago

[x] I have searched the issue tracker and believe that this is not a duplicate.

Steps to reproduce

pyproject.toml:

[project]
name = "comfyui"
dependencies = [
    "torch==2.3+cu121",
    "torchsde",
    "torchvision",
    "torchaudio",
    "einops",
    "transformers>=4.25.1",
    "safetensors>=0.4.2",
    "aiohttp",
    "pyyaml",
    "pillow",
    "scipy",
    "tqdm",
    "psutil",
    "kornia>=0.7.1",
    "spandrel",
    "soundfile",
]
requires-python = ">=3.9"

[tool.pdm]
distribution = false

[[tool.pdm.source]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cu121"
include_packages = ["torch", "torchvision", "torchaudio"]

An attempt to update packages after an install:

$ pdm update --update-all

/root/.local/share/pdm/venv/lib64/python3.12/site-packages/pdm/resolver/providers.py:196: PackageWarning: Skipping networkx@3.3 because it requires Python>=3.10 but the project claims to work with Python>=3.9. Instead, another
version of networkx that supports Python>=3.9 will be used.
If you want to install networkx@3.3, narrow down the `requires-python` range to include this version. For example, ">=3.10" should work.
  return self.repository.find_candidates(
INFO: Use `-q/--quiet` to suppress these warnings, or ignore them per-package with `ignore_package_warnings` config in [tool.pdm] table.
🔒 Lock successful
All packages are synced to date, nothing to do.

🎉 All complete!

No concerns with the output there, although I didn't notice any packages updated.

$ pdm outdated

Failed to collect links from https://download.pytorch.org/whl/cu121/kornia-rs/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/pyyaml/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/cffi/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/aiohttp/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/safetensors/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/frozenlist/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/psutil/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/yarl/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/scipy/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/tokenizers/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/multidict/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/pycparser/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/regex/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/soundfile/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/transformers/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/trampoline/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/einops/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/torchsde/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/spandrel/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/huggingface-hub/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/attrs/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/aiosignal/: Client Error(403): Forbidden
Failed to collect links from https://download.pytorch.org/whl/cu121/kornia/: Client Error(403): Forbidden
╭──────────────────────────┬──────────────┬─────────────┬──────────────╮
│ Package                  │ Installed    │ Pinned      │ Latest       │
├──────────────────────────┼──────────────┼─────────────┼──────────────┤
│ networkx                 │ 3.2.1        │ 3.2.1       │ 3.3          │
│ nvidia-cublas-cu12       │ 12.1.3.1     │ 12.1.3.1    │ 12.5.2.13    │
│ nvidia-cuda-cupti-cu12   │ 12.1.105     │ 12.1.105    │ 12.5.39      │
│ nvidia-cuda-nvrtc-cu12   │ 12.1.105     │ 12.1.105    │ 12.5.40      │
│ nvidia-cuda-runtime-cu12 │ 12.1.105     │ 12.1.105    │ 12.5.39      │
│ nvidia-cudnn-cu12        │ 8.9.2.26     │ 8.9.2.26    │ 9.1.1.17     │
│ nvidia-cufft-cu12        │ 11.0.2.54    │ 11.0.2.54   │ 11.2.3.18    │
│ nvidia-curand-cu12       │ 10.3.2.106   │ 10.3.2.106  │ 10.3.6.39    │
│ nvidia-cusolver-cu12     │ 11.4.5.107   │ 11.4.5.107  │ 11.6.2.40    │
│ nvidia-cusparse-cu12     │ 12.1.0.106   │ 12.1.0.106  │ 12.4.1.24    │
│ nvidia-nccl-cu12         │ 2.20.5       │ 2.20.5      │ 2.22.3       │
│ nvidia-nvtx-cu12         │ 12.1.105     │ 12.1.105    │ 12.5.39      │
│ torch                    │ 2.3.0+cu121  │ 2.3.0+cu121 │ 2.3.1+cu121  │
│ torchaudio               │ 2.3.0+cu121  │ 2.3.0       │ 2.3.1+cu121  │
│ torchvision              │ 0.18.0+cu121 │ 0.18.0      │ 0.18.1+cu121 │
╰──────────────────────────┴──────────────┴─────────────┴──────────────╯

Perhaps the pdm outdated command is a little misleading there? The docs description does not convey that latest is the latest version for that package, not the latest version that can be resolved for pdm update?

The nvidia packages also probably shouldn't have a latest of 12.5 considering the 12.1 torch dependencies and intended index for them, but as they're implicit I guess they're being resolved without the PyTorch index? (It also seems to understand that the torch deps are installed with +cu121, but only recognizes the explicit pin for torch with +cu121, yet correctly recognizes +cu121 for the update?)

Yet with -v it can be observed that the update for the packages listed above does not occur because of the pyproject.toml pin torch==2.3.0+cu121 (AFAIK only == / != are compatible when a local identifier is present).

`pdm update -v --outdated` output

```console $ pdm update -v --outdated STATUS: Resolving dependencies pdm.termui: ======== Start resolving requirements ======== pdm.termui: torch==2.3+cu121 pdm.termui: torchsde pdm.termui: torchvision pdm.termui: torchaudio pdm.termui: einops pdm.termui: transformers>=4.25.1 pdm.termui: safetensors>=0.4.2 pdm.termui: aiohttp pdm.termui: pyyaml pdm.termui: pillow pdm.termui: scipy pdm.termui: tqdm pdm.termui: psutil pdm.termui: kornia>=0.7.1 pdm.termui: spandrel pdm.termui: soundfile pdm.termui: python>=3.9 pdm.termui: Adding requirement torch==2.3+cu121 pdm.termui: Adding requirement torchsde unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/torchsde/: Client Error(403): Forbidden pdm.termui: Adding requirement torchvision pdm.termui: Adding requirement torchaudio pdm.termui: Adding requirement einops unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/einops/: Client Error(403): Forbidden pdm.termui: Adding requirement transformers>=4.25.1 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/transformers/: Client Error(403): Forbidden pdm.termui: Adding requirement safetensors>=0.4.2 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/safetensors/: Client Error(403): Forbidden pdm.termui: Adding requirement aiohttp unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/aiohttp/: Client Error(403): Forbidden pdm.termui: Adding requirement pyyaml unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/pyyaml/: Client Error(403): Forbidden pdm.termui: Adding requirement pillow pdm.termui: Adding requirement scipy unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/scipy/: Client Error(403): Forbidden pdm.termui: Adding requirement tqdm pdm.termui: Adding requirement psutil unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/psutil/: Client Error(403): Forbidden pdm.termui: Adding requirement kornia>=0.7.1 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/kornia/: Client Error(403): Forbidden pdm.termui: Adding requirement spandrel unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/spandrel/: Client Error(403): Forbidden pdm.termui: Adding requirement soundfile unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/soundfile/: Client Error(403): Forbidden pdm.termui: Adding requirement python>=3.9 pdm.termui: ======== Starting round 0 ======== STATUS: Resolving: new pin python>=3.9 pdm.termui: Pinning: python None pdm.termui: ======== Ending round 0 ======== pdm.termui: ======== Starting round 1 ======== pdm.termui: Adding requirement filelock(from torch 2.3.0+cu121) pdm.termui: Adding requirement typing-extensions>=4.8.0(from torch 2.3.0+cu121) pdm.termui: Adding requirement sympy(from torch 2.3.0+cu121) pdm.termui: Adding requirement networkx(from torch 2.3.0+cu121) pdm.termui: Adding requirement jinja2(from torch 2.3.0+cu121) pdm.termui: Adding requirement fsspec(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cuda-nvrtc-cu12==12.1.105; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cuda-runtime-cu12==12.1.105; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cuda-cupti-cu12==12.1.105; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cudnn-cu12==8.9.2.26; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cublas-cu12==12.1.3.1; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cufft-cu12==11.0.2.54; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-curand-cu12==10.3.2.106; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cusolver-cu12==11.4.5.107; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-cusparse-cu12==12.1.0.106; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-nccl-cu12==2.20.5; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement nvidia-nvtx-cu12==12.1.105; platform_system == "Linux" and platform_machine == "x86_64"(from torch 2.3.0+cu121) pdm.termui: Adding requirement triton==2.3.0; platform_system == "Linux" and platform_machine == "x86_64" and python_version < "3.12"(from torch 2.3.0+cu121) pdm.termui: Adding requirement mkl<=2021.4.0,>=2021.1.1; platform_system == "Windows"(from torch 2.3.0+cu121) STATUS: Resolving: new pin torch 2.3.0+cu121 pdm.termui: Pinning: torch 2.3.0+cu121 pdm.termui: ======== Ending round 1 ======== pdm.termui: ======== Starting round 2 ======== pdm.termui: Adding requirement kornia-rs>=0.1.0(from kornia 0.7.2) pdm.termui: Adding requirement packaging(from kornia 0.7.2) pdm.termui: Adding requirement torch>=1.9.1(from kornia 0.7.2) STATUS: Resolving: new pin kornia 0.7.2 pdm.termui: Pinning: kornia 0.7.2 pdm.termui: ======== Ending round 2 ======== pdm.termui: ======== Starting round 3 ======== STATUS: Resolving: new pin safetensors 0.4.3 pdm.termui: Pinning: safetensors 0.4.3 pdm.termui: ======== Ending round 3 ======== pdm.termui: ======== Starting round 4 ======== pdm.termui: Adding requirement filelock(from transformers 4.41.2) pdm.termui: Adding requirement huggingface-hub<1.0,>=0.23.0(from transformers 4.41.2) pdm.termui: Adding requirement numpy>=1.17(from transformers 4.41.2) pdm.termui: Adding requirement packaging>=20.0(from transformers 4.41.2) pdm.termui: Adding requirement pyyaml>=5.1(from transformers 4.41.2) unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/pyyaml/: Client Error(403): Forbidden pdm.termui: Adding requirement regex!=2019.12.17(from transformers 4.41.2) pdm.termui: Adding requirement requests(from transformers 4.41.2) pdm.termui: Adding requirement tokenizers<0.20,>=0.19(from transformers 4.41.2) pdm.termui: Adding requirement safetensors>=0.4.1(from transformers 4.41.2) unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/safetensors/: Client Error(403): Forbidden pdm.termui: Adding requirement tqdm>=4.27(from transformers 4.41.2) STATUS: Resolving: new pin transformers 4.41.2 pdm.termui: Pinning: transformers 4.41.2 pdm.termui: ======== Ending round 4 ======== pdm.termui: ======== Starting round 5 ======== STATUS: Resolving: new pin pyyaml 6.0.1 pdm.termui: Pinning: pyyaml 6.0.1 pdm.termui: ======== Ending round 5 ======== pdm.termui: ======== Starting round 6 ======== pdm.termui: Adding requirement colorama; platform_system == "Windows"(from tqdm 4.66.4) STATUS: Resolving: new pin tqdm 4.66.4 pdm.termui: Pinning: tqdm 4.66.4 pdm.termui: ======== Ending round 6 ======== pdm.termui: ======== Starting round 7 ======== pdm.termui: Adding requirement aiosignal>=1.1.2(from aiohttp 3.9.5) pdm.termui: Adding requirement attrs>=17.3.0(from aiohttp 3.9.5) pdm.termui: Adding requirement frozenlist>=1.1.1(from aiohttp 3.9.5) pdm.termui: Adding requirement multidict<7.0,>=4.5(from aiohttp 3.9.5) pdm.termui: Adding requirement yarl<2.0,>=1.0(from aiohttp 3.9.5) pdm.termui: Adding requirement async-timeout<5.0,>=4.0; python_version < "3.11"(from aiohttp 3.9.5) STATUS: Resolving: new pin aiohttp 3.9.5 pdm.termui: Pinning: aiohttp 3.9.5 pdm.termui: ======== Ending round 7 ======== pdm.termui: ======== Starting round 8 ======== STATUS: Resolving: new pin einops 0.8.0 pdm.termui: Pinning: einops 0.8.0 pdm.termui: ======== Ending round 8 ======== pdm.termui: ======== Starting round 9 ======== STATUS: Resolving: new pin pillow 10.3.0 pdm.termui: Pinning: pillow 10.3.0 pdm.termui: ======== Ending round 9 ======== pdm.termui: ======== Starting round 10 ======== STATUS: Resolving: new pin psutil 6.0.0 pdm.termui: Pinning: psutil 6.0.0 pdm.termui: ======== Ending round 10 ======== pdm.termui: ======== Starting round 11 ======== pdm.termui: Adding requirement numpy<2.3,>=1.22.4(from scipy 1.13.1) STATUS: Resolving: new pin scipy 1.13.1 pdm.termui: Pinning: scipy 1.13.1 pdm.termui: ======== Ending round 11 ======== pdm.termui: ======== Starting round 12 ======== pdm.termui: Adding requirement cffi>=1.0(from soundfile 0.12.1) STATUS: Resolving: new pin soundfile 0.12.1 pdm.termui: Pinning: soundfile 0.12.1 pdm.termui: ======== Ending round 12 ======== pdm.termui: ======== Starting round 13 ======== pdm.termui: Adding requirement torch(from spandrel 0.3.4) pdm.termui: Adding requirement torchvision(from spandrel 0.3.4) pdm.termui: Adding requirement safetensors(from spandrel 0.3.4) unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/safetensors/: Client Error(403): Forbidden pdm.termui: Adding requirement numpy(from spandrel 0.3.4) pdm.termui: Adding requirement einops(from spandrel 0.3.4) unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/einops/: Client Error(403): Forbidden pdm.termui: Adding requirement typing-extensions(from spandrel 0.3.4) STATUS: Resolving: new pin spandrel 0.3.4 pdm.termui: Pinning: spandrel 0.3.4 pdm.termui: ======== Ending round 13 ======== pdm.termui: ======== Starting round 14 ======== pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.1(from torchaudio 2.3.1+cu121) pdm.termui: Candidate rejected: torchaudio@2.3.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement torch==2.3.0(from torchaudio 2.3.0+cu121) STATUS: Resolving: new pin torchaudio 2.3.0+cu121 pdm.termui: Pinning: torchaudio 2.3.0+cu121 pdm.termui: ======== Ending round 14 ======== pdm.termui: ======== Starting round 15 ======== pdm.termui: Adding requirement numpy>=1.19(from torchsde 0.2.6) pdm.termui: Adding requirement scipy>=1.5(from torchsde 0.2.6) unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/scipy/: Client Error(403): Forbidden pdm.termui: Adding requirement torch>=1.6.0(from torchsde 0.2.6) pdm.termui: Adding requirement trampoline>=0.1.2(from torchsde 0.2.6) STATUS: Resolving: new pin torchsde 0.2.6 pdm.termui: Pinning: torchsde 0.2.6 pdm.termui: ======== Ending round 15 ======== pdm.termui: ======== Starting round 16 ======== pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.1+cu121) pdm.termui: Adding requirement torch==2.3.1(from torchvision 0.18.1+cu121) pdm.termui: Candidate rejected: torchvision@0.18.1+cu121 because it introduces a new requirement torch==2.3.1 that conflicts with other requirements: torch (from spandrel@0.3.4) torch==2.3+cu121 (from project) torch==2.3.0 (from torchaudio@2.3.0+cu121) torch>=1.6.0 (from torchsde@0.2.6) torch>=1.9.1 (from kornia@0.7.2) pdm.termui: Adding requirement numpy(from torchvision 0.18.0+cu121) pdm.termui: Adding requirement torch==2.3.0(from torchvision 0.18.0+cu121) pdm.termui: Adding requirement pillow!=8.3.*,>=5.3.0(from torchvision 0.18.0+cu121) STATUS: Resolving: new pin torchvision 0.18.0+cu121 pdm.termui: Pinning: torchvision 0.18.0+cu121 pdm.termui: ======== Ending round 16 ======== pdm.termui: ======== Starting round 17 ======== STATUS: Resolving: new pin nvidia-cublas-cu12 12.1.3.1 pdm.termui: Pinning: nvidia-cublas-cu12 12.1.3.1 pdm.termui: ======== Ending round 17 ======== pdm.termui: ======== Starting round 18 ======== STATUS: Resolving: new pin nvidia-cuda-cupti-cu12 12.1.105 pdm.termui: Pinning: nvidia-cuda-cupti-cu12 12.1.105 pdm.termui: ======== Ending round 18 ======== pdm.termui: ======== Starting round 19 ======== STATUS: Resolving: new pin nvidia-cuda-nvrtc-cu12 12.1.105 pdm.termui: Pinning: nvidia-cuda-nvrtc-cu12 12.1.105 pdm.termui: ======== Ending round 19 ======== pdm.termui: ======== Starting round 20 ======== STATUS: Resolving: new pin nvidia-cuda-runtime-cu12 12.1.105 pdm.termui: Pinning: nvidia-cuda-runtime-cu12 12.1.105 pdm.termui: ======== Ending round 20 ======== pdm.termui: ======== Starting round 21 ======== pdm.termui: Adding requirement nvidia-cublas-cu12(from nvidia-cudnn-cu12 8.9.2.26) STATUS: Resolving: new pin nvidia-cudnn-cu12 8.9.2.26 pdm.termui: Pinning: nvidia-cudnn-cu12 8.9.2.26 pdm.termui: ======== Ending round 21 ======== pdm.termui: ======== Starting round 22 ======== STATUS: Resolving: new pin nvidia-cufft-cu12 11.0.2.54 pdm.termui: Pinning: nvidia-cufft-cu12 11.0.2.54 pdm.termui: ======== Ending round 22 ======== pdm.termui: ======== Starting round 23 ======== STATUS: Resolving: new pin nvidia-curand-cu12 10.3.2.106 pdm.termui: Pinning: nvidia-curand-cu12 10.3.2.106 pdm.termui: ======== Ending round 23 ======== pdm.termui: ======== Starting round 24 ======== pdm.termui: Adding requirement nvidia-cublas-cu12(from nvidia-cusolver-cu12 11.4.5.107) pdm.termui: Adding requirement nvidia-nvjitlink-cu12(from nvidia-cusolver-cu12 11.4.5.107) pdm.termui: Adding requirement nvidia-cusparse-cu12(from nvidia-cusolver-cu12 11.4.5.107) STATUS: Resolving: new pin nvidia-cusolver-cu12 11.4.5.107 pdm.termui: Pinning: nvidia-cusolver-cu12 11.4.5.107 pdm.termui: ======== Ending round 24 ======== pdm.termui: ======== Starting round 25 ======== pdm.termui: Adding requirement nvidia-nvjitlink-cu12(from nvidia-cusparse-cu12 12.1.0.106) STATUS: Resolving: new pin nvidia-cusparse-cu12 12.1.0.106 pdm.termui: Pinning: nvidia-cusparse-cu12 12.1.0.106 pdm.termui: ======== Ending round 25 ======== pdm.termui: ======== Starting round 26 ======== STATUS: Resolving: new pin nvidia-nccl-cu12 2.20.5 pdm.termui: Pinning: nvidia-nccl-cu12 2.20.5 pdm.termui: ======== Ending round 26 ======== pdm.termui: ======== Starting round 27 ======== STATUS: Resolving: new pin nvidia-nvtx-cu12 12.1.105 pdm.termui: Pinning: nvidia-nvtx-cu12 12.1.105 pdm.termui: ======== Ending round 27 ======== pdm.termui: ======== Starting round 28 ======== pdm.termui: Adding requirement filelock(from triton 2.3.0) STATUS: Resolving: new pin triton 2.3.0 pdm.termui: Pinning: triton 2.3.0 pdm.termui: ======== Ending round 28 ======== pdm.termui: ======== Starting round 29 ======== STATUS: Resolving: new pin numpy 2.0.0 pdm.termui: Pinning: numpy 2.0.0 pdm.termui: ======== Ending round 29 ======== pdm.termui: ======== Starting round 30 ======== STATUS: Resolving: new pin async-timeout 4.0.3 pdm.termui: Pinning: async-timeout 4.0.3 pdm.termui: ======== Ending round 30 ======== pdm.termui: ======== Starting round 31 ======== pdm.termui: Adding requirement filelock(from huggingface-hub 0.23.4) pdm.termui: Adding requirement fsspec>=2023.5.0(from huggingface-hub 0.23.4) pdm.termui: Adding requirement packaging>=20.9(from huggingface-hub 0.23.4) pdm.termui: Adding requirement pyyaml>=5.1(from huggingface-hub 0.23.4) unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/pyyaml/: Client Error(403): Forbidden pdm.termui: Adding requirement requests(from huggingface-hub 0.23.4) pdm.termui: Adding requirement tqdm>=4.42.1(from huggingface-hub 0.23.4) pdm.termui: Adding requirement typing-extensions>=3.7.4.3(from huggingface-hub 0.23.4) STATUS: Resolving: new pin huggingface-hub 0.23.4 pdm.termui: Pinning: huggingface-hub 0.23.4 pdm.termui: ======== Ending round 31 ======== pdm.termui: ======== Starting round 32 ======== pdm.termui: Adding requirement intel-openmp==2021.*(from mkl 2021.4.0) pdm.termui: Adding requirement tbb==2021.*(from mkl 2021.4.0) STATUS: Resolving: new pin mkl 2021.4.0 pdm.termui: Pinning: mkl 2021.4.0 pdm.termui: ======== Ending round 32 ======== pdm.termui: ======== Starting round 33 ======== STATUS: Resolving: new pin intel-openmp 2021.4.0 pdm.termui: Pinning: intel-openmp 2021.4.0 pdm.termui: ======== Ending round 33 ======== pdm.termui: ======== Starting round 34 ======== STATUS: Resolving: new pin tbb 2021.13.0 pdm.termui: Pinning: tbb 2021.13.0 pdm.termui: ======== Ending round 34 ======== pdm.termui: ======== Starting round 35 ======== STATUS: Resolving: new pin multidict 6.0.5 pdm.termui: Pinning: multidict 6.0.5 pdm.termui: ======== Ending round 35 ======== pdm.termui: ======== Starting round 36 ======== STATUS: Resolving: new pin packaging 24.1 pdm.termui: Pinning: packaging 24.1 pdm.termui: ======== Ending round 36 ======== pdm.termui: ======== Starting round 37 ======== pdm.termui: Adding requirement huggingface-hub<1.0,>=0.16.4(from tokenizers 0.19.1) STATUS: Resolving: new pin tokenizers 0.19.1 pdm.termui: Pinning: tokenizers 0.19.1 pdm.termui: ======== Ending round 37 ======== pdm.termui: ======== Starting round 38 ======== STATUS: Resolving: new pin typing-extensions 4.12.2 pdm.termui: Pinning: typing-extensions 4.12.2 pdm.termui: ======== Ending round 38 ======== pdm.termui: ======== Starting round 39 ======== pdm.termui: Adding requirement idna>=2.0(from yarl 1.9.4) pdm.termui: Adding requirement multidict>=4.0(from yarl 1.9.4) STATUS: Resolving: new pin yarl 1.9.4 pdm.termui: Pinning: yarl 1.9.4 pdm.termui: ======== Ending round 39 ======== pdm.termui: ======== Starting round 40 ======== pdm.termui: Adding requirement frozenlist>=1.1.0(from aiosignal 1.3.1) STATUS: Resolving: new pin aiosignal 1.3.1 pdm.termui: Pinning: aiosignal 1.3.1 pdm.termui: ======== Ending round 40 ======== pdm.termui: ======== Starting round 41 ======== STATUS: Resolving: new pin frozenlist 1.4.1 pdm.termui: Pinning: frozenlist 1.4.1 pdm.termui: ======== Ending round 41 ======== pdm.termui: ======== Starting round 42 ======== STATUS: Resolving: new pin attrs 23.2.0 pdm.termui: Pinning: attrs 23.2.0 pdm.termui: ======== Ending round 42 ======== pdm.termui: ======== Starting round 43 ======== pdm.termui: Adding requirement pycparser(from cffi 1.16.0) STATUS: Resolving: new pin cffi 1.16.0 pdm.termui: Pinning: cffi 1.16.0 pdm.termui: ======== Ending round 43 ======== pdm.termui: ======== Starting round 44 ======== STATUS: Resolving: new pin fsspec 2024.6.0 pdm.termui: Pinning: fsspec 2024.6.0 pdm.termui: ======== Ending round 44 ======== pdm.termui: ======== Starting round 45 ======== STATUS: Resolving: new pin kornia-rs 0.1.3 pdm.termui: Pinning: kornia-rs 0.1.3 pdm.termui: ======== Ending round 45 ======== pdm.termui: ======== Starting round 46 ======== STATUS: Resolving: new pin regex 2024.5.15 pdm.termui: Pinning: regex 2024.5.15 pdm.termui: ======== Ending round 46 ======== pdm.termui: ======== Starting round 47 ======== STATUS: Resolving: new pin trampoline 0.1.2 pdm.termui: Pinning: trampoline 0.1.2 pdm.termui: ======== Ending round 47 ======== pdm.termui: ======== Starting round 48 ======== STATUS: Resolving: new pin colorama 0.4.6 pdm.termui: Pinning: colorama 0.4.6 pdm.termui: ======== Ending round 48 ======== pdm.termui: ======== Starting round 49 ======== STATUS: Resolving: new pin filelock 3.15.3 pdm.termui: Pinning: filelock 3.15.3 pdm.termui: ======== Ending round 49 ======== pdm.termui: ======== Starting round 50 ======== pdm.termui: Adding requirement MarkupSafe>=2.0(from jinja2 3.1.4) STATUS: Resolving: new pin jinja2 3.1.4 pdm.termui: Pinning: jinja2 3.1.4 pdm.termui: ======== Ending round 50 ======== pdm.termui: ======== Starting round 51 ======== STATUS: Resolving: new pin networkx 3.2.1 pdm.termui: Pinning: networkx 3.2.1 pdm.termui: ======== Ending round 51 ======== pdm.termui: ======== Starting round 52 ======== pdm.termui: Adding requirement charset-normalizer<4,>=2(from requests 2.32.3) pdm.termui: Adding requirement idna<4,>=2.5(from requests 2.32.3) pdm.termui: Adding requirement urllib3<3,>=1.21.1(from requests 2.32.3) pdm.termui: Adding requirement certifi>=2017.4.17(from requests 2.32.3) STATUS: Resolving: new pin requests 2.32.3 pdm.termui: Pinning: requests 2.32.3 pdm.termui: ======== Ending round 52 ======== pdm.termui: ======== Starting round 53 ======== pdm.termui: Adding requirement mpmath<1.4.0,>=1.1.0(from sympy 1.12.1) STATUS: Resolving: new pin sympy 1.12.1 pdm.termui: Pinning: sympy 1.12.1 pdm.termui: ======== Ending round 53 ======== pdm.termui: ======== Starting round 54 ======== STATUS: Resolving: new pin idna 3.7 pdm.termui: Pinning: idna 3.7 pdm.termui: ======== Ending round 54 ======== pdm.termui: ======== Starting round 55 ======== STATUS: Resolving: new pin charset-normalizer 3.3.2 pdm.termui: Pinning: charset-normalizer 3.3.2 pdm.termui: ======== Ending round 55 ======== pdm.termui: ======== Starting round 56 ======== STATUS: Resolving: new pin mpmath 1.3.0 pdm.termui: Pinning: mpmath 1.3.0 pdm.termui: ======== Ending round 56 ======== pdm.termui: ======== Starting round 57 ======== STATUS: Resolving: new pin urllib3 2.2.2 pdm.termui: Pinning: urllib3 2.2.2 pdm.termui: ======== Ending round 57 ======== pdm.termui: ======== Starting round 58 ======== STATUS: Resolving: new pin certifi 2024.6.2 pdm.termui: Pinning: certifi 2024.6.2 pdm.termui: ======== Ending round 58 ======== pdm.termui: ======== Starting round 59 ======== STATUS: Resolving: new pin markupsafe 2.1.5 pdm.termui: Pinning: markupsafe 2.1.5 pdm.termui: ======== Ending round 59 ======== pdm.termui: ======== Starting round 60 ======== STATUS: Resolving: new pin nvidia-nvjitlink-cu12 12.5.40 pdm.termui: Pinning: nvidia-nvjitlink-cu12 12.5.40 pdm.termui: ======== Ending round 60 ======== pdm.termui: ======== Starting round 61 ======== STATUS: Resolving: new pin pycparser 2.22 pdm.termui: Pinning: pycparser 2.22 pdm.termui: ======== Ending round 61 ======== pdm.termui: ======== Starting round 62 ======== pdm.termui: ======== Resolution Result ======== pdm.termui: Stable pins: pdm.termui: python None pdm.termui: torch 2.3.0+cu121 pdm.termui: kornia 0.7.2 pdm.termui: safetensors 0.4.3 pdm.termui: transformers 4.41.2 pdm.termui: pyyaml 6.0.1 pdm.termui: tqdm 4.66.4 pdm.termui: aiohttp 3.9.5 pdm.termui: einops 0.8.0 pdm.termui: pillow 10.3.0 pdm.termui: psutil 6.0.0 pdm.termui: scipy 1.13.1 pdm.termui: soundfile 0.12.1 pdm.termui: spandrel 0.3.4 pdm.termui: torchaudio 2.3.0+cu121 pdm.termui: torchsde 0.2.6 pdm.termui: torchvision 0.18.0+cu121 pdm.termui: nvidia-cublas-cu12 12.1.3.1 pdm.termui: nvidia-cuda-cupti-cu12 12.1.105 pdm.termui: nvidia-cuda-nvrtc-cu12 12.1.105 pdm.termui: nvidia-cuda-runtime-cu12 12.1.105 pdm.termui: nvidia-cudnn-cu12 8.9.2.26 pdm.termui: nvidia-cufft-cu12 11.0.2.54 pdm.termui: nvidia-curand-cu12 10.3.2.106 pdm.termui: nvidia-cusolver-cu12 11.4.5.107 pdm.termui: nvidia-cusparse-cu12 12.1.0.106 pdm.termui: nvidia-nccl-cu12 2.20.5 pdm.termui: nvidia-nvtx-cu12 12.1.105 pdm.termui: triton 2.3.0 pdm.termui: numpy 2.0.0 pdm.termui: async-timeout 4.0.3 pdm.termui: huggingface-hub 0.23.4 pdm.termui: mkl 2021.4.0 pdm.termui: intel-openmp 2021.4.0 pdm.termui: tbb 2021.13.0 pdm.termui: multidict 6.0.5 pdm.termui: packaging 24.1 pdm.termui: tokenizers 0.19.1 pdm.termui: typing-extensions 4.12.2 pdm.termui: yarl 1.9.4 pdm.termui: aiosignal 1.3.1 pdm.termui: frozenlist 1.4.1 pdm.termui: attrs 23.2.0 pdm.termui: cffi 1.16.0 pdm.termui: fsspec 2024.6.0 pdm.termui: kornia-rs 0.1.3 pdm.termui: regex 2024.5.15 pdm.termui: trampoline 0.1.2 pdm.termui: colorama 0.4.6 pdm.termui: filelock 3.15.3 pdm.termui: jinja2 3.1.4 pdm.termui: networkx 3.2.1 pdm.termui: requests 2.32.3 pdm.termui: sympy 1.12.1 pdm.termui: idna 3.7 pdm.termui: charset-normalizer 3.3.2 pdm.termui: mpmath 1.3.0 pdm.termui: urllib3 2.2.2 pdm.termui: certifi 2024.6.2 pdm.termui: markupsafe 2.1.5 pdm.termui: nvidia-nvjitlink-cu12 12.5.40 pdm.termui: pycparser 2.22 STATUS: Fetching hashes for resolved packages... unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/kornia/: Client Error(403): Forbidden pdm.termui: Fetching hashes for kornia@0.7.2 pdm.termui: Fetching hashes for torch@2.3.0+cu121 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/safetensors/: Client Error(403): Forbidden unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/pyyaml/: Client Error(403): Forbidden pdm.termui: Fetching hashes for pyyaml@6.0.1 pdm.termui: Fetching hashes for safetensors@0.4.3 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/transformers/: Client Error(403): Forbidden pdm.termui: Fetching hashes for transformers@4.41.2 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/aiohttp/: Client Error(403): Forbidden unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/torchsde/: Client Error(403): Forbidden pdm.termui: Fetching hashes for torchsde@0.2.6 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/spandrel/: Client Error(403): Forbidden pdm.termui: Fetching hashes for spandrel@0.3.4 pdm.termui: Fetching hashes for tqdm@4.66.4 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/einops/: Client Error(403): Forbidden pdm.termui: Fetching hashes for einops@0.8.0 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/soundfile/: Client Error(403): Forbidden pdm.termui: Fetching hashes for soundfile@0.12.1 unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/scipy/: Client Error(403): Forbidden unearth.collector: Failed to collect links from https://download.pytorch.org/whl/cu121/psutil/: Client Error(403): Forbidden pdm.termui: Fetching hashes for scipy@1.13.1 pdm.termui: Fetching hashes for torchaudio@2.3.0+cu121 pdm.termui: Fetching hashes for psutil@6.0.0 pdm.termui: Fetching hashes for torchvision@0.18.0+cu121 pdm.termui: Fetching hashes for aiohttp@3.9.5 pdm.termui: Fetching hashes for pillow@10.3.0 🔒 Lock successful STATUS: Resolving packages from lockfile... All packages are synced to date, nothing to do. ```

While I cannot specify a more flexible version selector in pyproject.toml when using a local identifier, pdm outdated is able to resolve the newer version. Perhaps pdm update --outdated could better communicate this restraint, similar to how networkx is logged as unable to upgrade to the newer version?

NOTE: I haven't yet tried without the local identifier, which might resolve to the index just fine (_this is documented as a caveat in behaviour difference between pip and uv FWIW, so I chose to be more explicit_).

Actual behavior

pdm update only communicates why some packages fail to update to their latest version (as resolved/displayed via pdm outdated).

Expected behavior

pdm update --update-all (and similar commands) could better communicate other packages failing to resolve to the latest version that pdm outdated resolves.

That would improve the UX a bit, without having to run pdm update with --verbose to scan through the mismatch in expectations.

Alternatively, perhaps the python version incompatibility logged for why the networkx package wasn't updated could be hidden too. I think it was still helpful to see during pdm install / pdm add.

Environment Information

# Paste the output of `pdm info && pdm info --env` below:

$ pdm info
PDM version:
  2.15.4
Python Interpreter:
  /app/.venv/bin/python (3.12)
Project Root:
  /app
Local Packages:

$ pdm info --env
{
  "implementation_name": "cpython",
  "implementation_version": "3.12.2",
  "os_name": "posix",
  "platform_machine": "x86_64",
  "platform_release": "5.15.123.1-microsoft-standard-WSL2",
  "platform_system": "Linux",
  "platform_version": "#1 SMP Mon Aug 7 19:01:48 UTC 2023",
  "python_full_version": "3.12.2",
  "platform_python_implementation": "CPython",
  "python_version": "3.12",
  "sys_platform": "linux"
}

Additional Details

It's also a bit unclear why pdm outdated (and pdm update --verbose) were trying to query the PyTorch index for packages not explicitly included for that index in the pyproject.toml?:

Failed to collect links from https://download.pytorch.org/whl/cu121/kornia-rs/: Client Error(403): Forbidden

Reading the docs for this feature, this seems to be conveyed by the exclusion field. I guess my expectation was that the source would have been exclusive to the explicitly included packages, but that does not seem to be supported.

It seems that the source/index order can be partially fixed](https://pdm-project.org/en/latest/usage/config/#respect-the-order-of-the-sources), but it is unclear from those docs if the default/fallback to PyPi would have higher precedence than my explicitly configured source? I assume it'll prefer the PyTorch source I have in pyproject.toml.

One concern I've heard of with past vulnerabilities was someone publishing a package on an index to have that resolved instead of from your intended index for that package. I've heard with pip it is a race condition on which index would be used, while with uv it respected the index order.

polarathene commented 2 months ago

UPDATE: I added the mentioned respect-source-order = true setting to pyproject.toml. pdm outdated no longer appears to try querying the PyTorch source for other packages. But this also seems to affect the torch packages as no +cu121 local identifier suffix is present in latest anymore:

# `respect-source-order = false`
│ torch                    │ 2.3.0+cu121  │ 2.3.0+cu121 │ 2.3.1+cu121  │
│ torchaudio               │ 2.3.0+cu121  │ 2.3.0       │ 2.3.1+cu121  │
│ torchvision              │ 0.18.0+cu121 │ 0.18.0      │ 0.18.1+cu121 │
╰──────────────────────────┴──────────────┴─────────────┴──────────────╯

#  `respect-source-order = true`
│ torch                    │ 2.3.0+cu121  │ 2.3.0+cu121 │ 2.3.1     │
│ torchaudio               │ 2.3.0+cu121  │ 2.3.0       │ 2.3.1     │
│ torchvision              │ 0.18.0+cu121 │ 0.18.0      │ 0.18.1    │
╰──────────────────────────┴──────────────┴─────────────┴───────────╯

If I update pyproject.toml to remove the local identifier for torch==2.3+cu121 to just be torch:

Running pdm update --update-all does update to 2.3.1+cu121 (respect-source-order = true is set).
However, pdm outdated still implies it's not the latest due to presumably resolving from incorrect index instead? (PyPi):

│ torch                    │ 2.3.1+cu121  │ 2.3.1      │ 2.3.1     │
│ torchaudio               │ 2.3.1+cu121  │ 2.3.1      │ 2.3.1     │
│ torchvision              │ 0.18.1+cu121 │ 0.18.1     │ 0.18.1    │
╰──────────────────────────┴──────────────┴────────────┴───────────╯

As for the implicit nvidia deps, AFAIK these are installing the ones from the PyTorch index with pdm install / pdm update commands, while pdm outdated is a bit misleading by reporting latest package versions from PyPi index instead of PyTorch?

So pdm update and pdm outdated seem to resolve/behave inconsistently in this situation..

Additionally, if using -u with pdm update (-u --> ignores == version pin and update to latest anyway), it seemed to strip the +cu121 suffix if present for the dep in pyproject.toml.

The linked docs entry does not mention it'll overwrite the pyproject.toml to update it (not only were version pins updated, but any package without one were assigned a >= pin). I don't have an issue with that behaviour, and assume it's somewhat configurable with --save-<strategy> 🤷‍♂️ Still might be worth raising awareness in the docs though 👍

frostming commented 2 months ago

pdm outdated never performs a resolution so it doesn't consider any constraints from the dependencies, as opposed to pdm update --dry-run/--outdated. They are different commands and their functionalities should not overlap.

I think it is well discussed in https://github.com/pdm-project/pdm/issues/358#issuecomment-1851580889 but yeah I didn't clarify it in the docs.

It's also a bit unclear why pdm outdated (and pdm update --verbose) were trying to query the PyTorch index for packages not explicitly included for that index in the pyproject.toml?:

We always try the package at <index_url>/<package_name> unless explicitly excluded by source.exclude config. That is to say, we never request <index_url> to fetch all available packages beforehand. We just try and fail with 404(or whatever the server returns)

pdm-project / pdm