Dependency resolution using Azure Package Feed no longer operates correctly #9301
Comments
For those that don't want to read through the other issues, the fix is to make sure that both
Just to confirm - this issue is fixed in 1.8.3, but present in 1.8.2?
In Poetry 1.8.2, you have to make sure by yourself that a recent enough
In any case, you must clear your cache after experiencing this issue.
TLDR of commands to run to fix:
Description
When using an Azure Package Feed, poetry's dependency resolution fails to find the appropriate dependencies.
Azure Package Feed (APF) essentially acts as a PyPI mirror, allowing you to install directly from the package feed (as if you're installing from PyPI) but then provides the ability to block downloads of certain packages as well as add private packages to the repository.
Therefore, a common setup when using an APF is to use the feed as your "primary" source:
When an install request reaches the APF, if the package hasn't already been used before, it will check PyPI for the package and copy it if it exists. The same is also true for new versions of packages.
Previously, the dependency resolution behaviour of PyPI and APF was identical. But now, more recent versions of certain packages no longer resolve correctly. Pydantic is maybe the best example of this.
Starting from Pydantic 2.7.0 (released 11/04/2024), poetry will no longer resolve the dependencies properly from an APF, but will correctly resolve them from PyPI. Example below:
Using APF as "primary"
Using PyPI as "primary"
I'm not sure exactly what's caused this - if we look in the package entry in APF, the requirements are being listed correctly, they're just not being picked up by poetry:
Workarounds
Theoretically, one could use PyPI as the primary and then the APF as the supplemental, but this fundamentally defeats the purpose of using the APF in the first instance. It also leaves you open to various attack vectors.
Poetry Installation Method
pip
Operating System
ubuntu-22.04
Poetry Version
1.7.1
Poetry Configuration
Python Sysconfig
No response
Example pyproject.toml
Poetry Runtime Logs
Loading configuration file /home/user/.config/pypoetry/config.toml
Adding repository my-feed (https://pkgs.dev.azure.com/xxx/uuid/_packaging/my-python-feed/pypi/simple/) and setting it as primary
Adding repository PyPI (https://pypi.org/simple/) and setting it as supplemental
Resolving dependencies...
1: fact: example is 0.1.0
1: derived: example
1: fact: example depends on pydantic (2.7.0)
1: selecting example (0.1.0)
1: derived: example (==2.7.0)
Source (my-feed): 1 packages found for pydantic 2.7.0
1: selecting pydantic (2.7.0)
1: Version solving took 0.004 seconds.
1: Tried 1 solutions.
Resolution results:
pydantic 2.7.0