Remove new test

astral-sh · Sep 23, 2024 · b44e066 · b44e066
1 parent e3e4402
commit b44e066
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 61 deletions.
diff --git a/crates/uv-resolver/src/pubgrub/report.rs b/crates/uv-resolver/src/pubgrub/report.rs
@@ -857,7 +857,7 @@ pub(crate) enum PubGrubHint {
     },
     /// A package was available on an index, but not at the correct version, and at least one
     /// subsequent index was not queried. As such, a compatible version may be available on an
-    // one of the remaining indexes.
+    /// one of the remaining indexes.
     UncheckedIndex {
         package: PubGrubPackage,
         // excluded from `PartialEq` and `Hash`
@@ -1195,15 +1195,14 @@ impl std::fmt::Display for PubGrubHint {
             } => {
                 write!(
                     f,
-                    "{}{} `{}` was found on {}, but not at the requested version ({}). A compatible version may be available on a subsequent index (e.g., {}). If both indexes are equally trusted, use `{}` to consider all indexes that list `{}`.",
+                    "{}{} `{}` was found on {}, but not at the requested version ({}). A compatible version may be available on a subsequent index (e.g., {}). By default, uv will only consider versions that are published on the first index that contains a given package, to avoid dependency confusion attacks. If all indexes are equally trusted, use `{}` to consider all versions from all indexes, regardless of the order in which they were defined.",
                     "hint".bold().cyan(),
                     ":".bold(),
                     package,
                     found_index.cyan(),
                     PackageRange::compatibility(package, range, None).cyan(),
                     next_index.cyan(),
                     "--index-strategy unsafe-best-match".green(),
-                    package,
                 )
             }
         }

diff --git a/crates/uv/tests/pip_compile.rs b/crates/uv/tests/pip_compile.rs
@@ -10683,7 +10683,7 @@ fn compile_index_url_first_match() -> Result<()> {
       × No solution found when resolving dependencies:
       ╰─▶ Because there is no version of jinja2==3.1.0 and you require jinja2==3.1.0, we can conclude that your requirements are unsatisfiable.
 
-          hint: `jinja2` was found on https://download.pytorch.org/whl/cpu, but not at the requested version (jinja2==3.1.0). A compatible version may be available on a subsequent index (e.g., https://pypi.org/simple). If both indexes are equally trusted, use `--index-strategy unsafe-best-match` to consider all indexes that list `jinja2`.
+          hint: `jinja2` was found on https://download.pytorch.org/whl/cpu, but not at the requested version (jinja2==3.1.0). A compatible version may be available on a subsequent index (e.g., https://pypi.org/simple). By default, uv will only consider versions that are published on the first index that contains a given package, to avoid dependency confusion attacks. If all indexes are equally trusted, use `--index-strategy unsafe-best-match` to consider all versions from all indexes, regardless of the order in which they were defined.
     "###
     );
 
@@ -12384,60 +12384,3 @@ fn prune_unreachable() -> Result<()> {
 
     Ok(())
 }
-
-/// If a package may be available on multiple indexes, we should suggest using `--index-strategy
-/// unsafe-best-match` to consider all indexes.
-#[test]
-fn unsafe_index_error() -> Result<()> {
-    let context = TestContext::new("3.12");
-    let pyproject_toml = context.temp_dir.child("pyproject.toml");
-    pyproject_toml.write_str(
-        r#"[project]
-name = "project"
-requires-python = ">=3.12"
-dependencies = ["requests==2.32.3"]
-
-[tool.uv]
-extra-index-url = ["https://download.pytorch.org/whl/cu121"]
-"#,
-    )?;
-
-    uv_snapshot!(context.filters(), context.pip_compile()
-            .arg("pyproject.toml"), @r###"
-    success: false
-    exit_code: 1
-    ----- stdout -----
-
-    ----- stderr -----
-      × No solution found when resolving dependencies:
-      ╰─▶ Because there is no version of requests==2.32.3 and project depends on requests==2.32.3, we can conclude that your requirements are unsatisfiable.
-
-          hint: `requests` was found on https://download.pytorch.org/whl/cu121, but not at the requested version (requests==2.32.3). A compatible version may be available on a subsequent index (e.g., https://pypi.org/simple). If both indexes are equally trusted, use `--index-strategy unsafe-best-match` to consider all indexes that list `requests`.
-    "###
-    );
-
-    pyproject_toml.write_str(
-        r#"[project]
-name = "project"
-requires-python = ">=3.12"
-dependencies = ["requests==2.32.3"]
-
-[tool.uv]
-index-url = "https://download.pytorch.org/whl/cu121"
-"#,
-    )?;
-
-    uv_snapshot!(context.filters(), context.pip_compile()
-            .arg("pyproject.toml"), @r###"
-    success: false
-    exit_code: 1
-    ----- stdout -----
-
-    ----- stderr -----
-      × No solution found when resolving dependencies:
-      ╰─▶ Because there is no version of requests==2.32.3 and project depends on requests==2.32.3, we can conclude that your requirements are unsatisfiable.
-    "###
-    );
-
-    Ok(())
-}