priority = "explicit"
. If you previously installed this plugin, you can uninstall it through poetry self remove poetry-private-repo-plugin
. The repository will be closed on July 1, 2023
This plugin injects an opinionated way of managing custom secondary
repositories until a better alternative is officially developed within Poetry (see python-poetry/poetry#6713).
Until the plugin is published on PyPI, you can install it as:
poetry self add git+https://github.com/BendingSpoons/poetry-private-repo-plugin.git#1.1.1
A typical company use case is having a private pypi repository where internal packages are hosted. There you want to make sure to fetch internal packages only while fetching public packages from PyPI. At the same time, you want to make sure that internal packages are fetched from the internal repository, avoiding dependency confusion attacks where one publishes a malicious library on PyPI with the same name of the internal one.
The way you would achieve this on Poetry is through secondary sources and source dependencies.
[[tool.poetry.source]]
name = "acme"
secondary = true
url = "https://acme.com/pypi/simple"
[tool.poetry.dependencies]
acme-lib = { version = "^5.0.0", source = "acme" }
pypi-lib = "^4.3.4"
While security is ensured (acme-lib
will be downloaded from the acme
repository only), your dependency resolution will get much slower. This is because Poetry will look for pypi-lib
on both repositories! As your number of dependencies grows, this will cause more and more friction.
The plugin performs a small monkeypatch of the internal RepositoryPool
class of Poetry, making sure that secondary sources are not queried if the default source (pypi in this case) returned at list one valid package. This ensures a good company setup while keeping dependency resolution blazing fast 🏃
Although the plugin should satisfy your security needs, you still have to remember settings the source
parameter for every internal package. Not only this can be tedious, but also error-prone. What happens if you forget setting the source
? Assuming no ongoing dependency confusion attack, nothing. The dependency will be resolved with the correct checksum and source and the determinism offered by the poetry.lock
will ensure that no future attack can affect your project. However, one could say that if you forget setting the source
while developing (aka changing dependencies with Poetry), you may still be part of an attack.
Although the chance of this happening is really one in a billion trillions, the plugin offers a set-and-forget way in case your internal dependencies follow some naming convention. That is, you can enfore that a dependency matching a given pattern will be downloaded from a given source
even if you forget adding that in the [tool.poetry.dependencies]
section.
# Any package that begins with "acme-" will be downloaded from the "acme" repository
[tool.poetry-private-repo-plugin.enforce-source]
"acme-*" = "acme"
# The specific dependency source has precedence over
[tool.poetry.dependencies]
# acme-lib1 will be downloaded from the "acme" repository
acme-lib1 = { version = "^5.0.0" }
# dependency-specific sources have higher priority over the project option, so
# acme-lib2 will be downloaded from the "acme-mirror" repository
acme-lib2 = { version = "^5.0.0", source = "acme-mirror" }