
Docs about package indices can be misleading. #1282

Open
stefanondisponibile opened this issue Feb 24, 2024 · 0 comments

Comments

@stefanondisponibile

I was reading the documentation and I find this statement about package indexes could be misleading:

Here's an example of setting up the default environment to look at 2 private indices (using context formatting for authentication) before finally falling back to PyPI:

```toml
[tool.hatch.envs.default.env-vars]
PIP_INDEX_URL = "https://token:{env:GITLAB_API_TOKEN}@gitlab.com/api/v4/groups/<group1_path>/-/packages/pypi/simple/"
PIP_EXTRA_INDEX_URL = "https://token:{env:GITLAB_API_TOKEN}@gitlab.com/api/v4/groups/<group2_path>/-/packages/pypi/simple/ https://pypi.org/simple/"
```

As far as I know this can be true, but one could be tricked into thinking that they could safely set the PIP_INDEX_URL to their private PyPI repository and be safe from "dependency confusion" (some pip context, and uv). Is that correct, or am I unaware of some extra hatch-specific feature?

Poetry provides an interesting feature for sourcing dependencies to specific repositories; is this currently possible with hatch?
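To make the concern in this issue concrete, here is an added example (not hatch's, pip's or uv's code) that models how an installer chooses a distribution when more than one index is configured, using constructed index contents. It mirrors two documented behaviours: pip pools `PIP_INDEX_URL` and `PIP_EXTRA_INDEX_URL` into one candidate set and takes the highest matching version from any of them, whereas uv's default `--index-strategy first-index` stops at the first configured index that serves the package name. The package names, versions and index labels are made up; version ordering is simplified to numeric tuples rather than full PEP 440, and `shadowed_names` is a hypothetical helper for the defender-side check of spotting internal names that also exist publicly.

```python
# Added example: a model of multi-index resolution, not the code of hatch, pip or uv.
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]  # package name -> versions the index serves

# Constructed sample data. The private index publishes an internal package; a
# public index happens to serve the same name at a much higher version, which
# is the dependency-confusion scenario discussed in the issue.
PRIVATE_INDEX: Index = {"acme-internal-utils": ["1.0.0", "1.2.0"]}
PUBLIC_INDEX: Index = {"acme-internal-utils": ["99.0.0"], "requests": ["2.31.0"]}

# Order matters: this stands for PIP_INDEX_URL followed by the PIP_EXTRA_INDEX_URL entries.
CONFIGURED_INDEXES: List[Tuple[str, Index]] = [
    ("private", PRIVATE_INDEX),
    ("public", PUBLIC_INDEX),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified numeric ordering; real installers implement PEP 440."""
    return tuple(int(part) for part in v.split("."))


def resolve_pooled(name: str, indexes: List[Tuple[str, Index]]) -> Optional[Tuple[str, str]]:
    """pip-style resolution: every configured index contributes candidates to one
    pool and the highest version wins, no matter which index served it."""
    candidates = [
        (parse_version(v), v, idx_name)
        for idx_name, idx in indexes
        for v in idx.get(name, [])
    ]
    if not candidates:
        return None
    _, version, origin = max(candidates)
    return version, origin


def resolve_first_index(name: str, indexes: List[Tuple[str, Index]]) -> Optional[Tuple[str, str]]:
    """'first-index' resolution (uv's default): only the first index that knows
    the package name is consulted; later indexes are never asked about it."""
    for idx_name, idx in indexes:
        versions = idx.get(name, [])
        if versions:
            return max(versions, key=parse_version), idx_name
    return None


def shadowed_names(private: Index, public: Index) -> List[str]:
    """Hypothetical defender check: internal package names that a public index
    also serves. Any hit is a name worth registering or pinning explicitly."""
    return sorted(set(private) & set(public))


if __name__ == "__main__":
    for pkg in ("acme-internal-utils", "requests"):
        print(pkg, "pooled ->", resolve_pooled(pkg, CONFIGURED_INDEXES))
        print(pkg, "first-index ->", resolve_first_index(pkg, CONFIGURED_INDEXES))
    print("shadowed:", shadowed_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

With the constructed data, pooled resolution installs `acme-internal-utils` 99.0.0 from the public index even though the private index is listed first, while first-index resolution keeps 1.2.0 from the private index and still finds `requests` on the public one. That is the distinction the quoted docs example glosses over: listing the private index in `PIP_INDEX_URL` changes the order of the URLs, not which version pip prefers.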
