fix: only consider package links for sdist and bdist_wheels (python-p…

…oetry#5767) Only follow and lock links for packages of type `sdist` or `bdist_wheel` in PyPi repository. Closes: python-poetry#3649 Closes: python-poetry#4903 (This is a port of python-poetry#3656.) (cherry picked from commit a38abcf)
radoering · Sep 7, 2022 · 0f385cb · 0f385cb
1 parent bdea683
commit 0f385cb
Show file tree

Hide file tree

Showing 3 changed files with 954 additions and 10 deletions.
diff --git a/src/poetry/repositories/pypi_repository.py b/src/poetry/repositories/pypi_repository.py
@@ -25,11 +25,12 @@
 
 logger = logging.getLogger(__name__)
 
-
 if TYPE_CHECKING:
     from packaging.utils import NormalizedName
     from poetry.core.semver.version_constraint import VersionConstraint
 
+SUPPORTED_PACKAGE_TYPES = {"sdist", "bdist_wheel"}
+
 
 class PyPiRepository(HTTPRepository):
     def __init__(
@@ -165,8 +166,9 @@ def find_links_for_package(self, package: Package) -> list[Link]:
 
         links = []
         for url in json_data["urls"]:
-            h = f"sha256={url['digests']['sha256']}"
-            links.append(Link(url["url"] + "#" + h, yanked=self._get_yanked(url)))
+            if url["packagetype"] in SUPPORTED_PACKAGE_TYPES:
+                h = f"sha256={url['digests']['sha256']}"
+                links.append(Link(url["url"] + "#" + h, yanked=self._get_yanked(url)))
 
         return links
 
@@ -201,12 +203,13 @@ def _get_release_info(
             version_info = []
 
         for file_info in version_info:
-            data.files.append(
-                {
-                    "file": file_info["filename"],
-                    "hash": "sha256:" + file_info["digests"]["sha256"],
-                }
-            )
+            if file_info["packagetype"] in SUPPORTED_PACKAGE_TYPES:
+                data.files.append(
+                    {
+                        "file": file_info["filename"],
+                        "hash": "sha256:" + file_info["digests"]["sha256"],
+                    }
+                )
 
         if self._fallback and data.requires_dist is None:
             self._log("No dependencies found, downloading archives", level="debug")
@@ -219,7 +222,7 @@ def _get_release_info(
             for url in json_data["urls"]:
                 # Only get sdist and wheels if they exist
                 dist_type = url["packagetype"]
-                if dist_type not in ["sdist", "bdist_wheel"]:
+                if dist_type not in SUPPORTED_PACKAGE_TYPES:
                     continue
 
                 urls[dist_type].append(url["url"])