Is it possible to remap source URLs in the lock file? #5317

Open
2 tasks done
stefanoborini opened this issue Mar 15, 2022 · 1 comment
Labels
kind/feature Feature requests/implementations

Comments

@stefanoborini

  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have searched the documentation and believe that my question is not covered.

Issue

Where I work, developers use a .net address for our internal PyPI with our packages. However, when it's time to use GitHub Actions, we externalise a different address ending in .com.

The problem occurs when developers create a lock file from the pyproject.toml. Naturally, the .net address will be added as a [package.source] in the lock file. Developers will be able to use the lock file to perform the installation, but the GitHub Action CI machine won't.

Is there a way to specify a remapping of a given source URL for a different user?

@abn
Member

abn commented May 16, 2022

As a workaround, you could use a mitm proxy setup or alternatively just run sed over the lockfile in your build step. Both are not ideal, however.

I'm not sure if supporting this feature makes a lot of sense as it feels like we are breaking the security model here. Then again, if hashes are present we shouldn't really care what sources we pick the files from.

You could also write a custom plugin that monkey patches Poetry's poetry.utils.authenticator.Authenticator.request method to rewrite the URL.
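
The lockfile rewrite mentioned in the comment above, sketched as an added example (not from the thread and not Poetry's code): instead of a global sed substitution, it rewrites only the `url` key inside `[package.source]` tables and checks that the pinned hashes are unchanged. The `pypi.example.net` and `pypi.example.com` hosts, the sample lock excerpt and the `remap_sources` helper are assumptions made for illustration.

```python
import re

# Constructed poetry.lock excerpt: hostnames and the hash are placeholders.
OLD, NEW = "https://pypi.example.net/simple", "https://pypi.example.com/simple"
SAMPLE_LOCK = f'''[[package]]
name = "internal-lib"
version = "1.2.0"
description = "Mirrored from {OLD}"
files = [
    {{file = "internal_lib-1.2.0-py3-none-any.whl", hash = "sha256:{"ab" * 32}"}},
]

[package.source]
type = "legacy"
url = "{OLD}"
reference = "internal"

[[package]]
name = "requests"
version = "2.27.1"
'''

URL_LINE = re.compile(r'^(\s*url\s*=\s*")([^"]*)(".*)$')
HASH = re.compile(r"(?:sha256|sha512|md5):[0-9a-f]+")

def remap_sources(lock_text, mapping):
    """Return (new_text, count); only url keys under [package.source] are rewritten."""
    out, in_source, count = [], False, 0
    for line in lock_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        if body.lstrip().startswith("["):      # a table header opens a new section
            in_source = body.strip() == "[package.source]"
        m = URL_LINE.match(body) if in_source else None
        if m and m.group(2) in mapping:        # exact match on the whole source URL
            target = mapping[m.group(2)]
            if not target.startswith("https://"):
                raise ValueError(f"refusing non-HTTPS source: {target}")
            line = m.group(1) + target + m.group(3) + line[len(body):]
            count += 1
        out.append(line)
    new_text = "".join(out)
    # The hashes are what makes a source swap tolerable; they must not change.
    if HASH.findall(new_text) != HASH.findall(lock_text):
        raise RuntimeError("hash entries changed during remap")
    return new_text, count

if __name__ == "__main__":
    text, n = remap_sources(SAMPLE_LOCK, {OLD: NEW})
    print(f"rewrote {n} source URL(s)")
```

Unlike a blanket substitution, the description line that happens to contain the old URL is left alone, and a mapping to a plain `http://` host is rejected.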
