Requirements from underscored extras are accidentally included as package dependencies

[adaamz]

Hello,
I would like to ask/report one issue with uv pip compile when using "private" extras (underscored extras).

It happens on new uv 0.3.0 and also the previous one 0.2.37 on linux mint with python 3.9 in venv.

My humble tip that causing this issue is that our-internal-package has some underscored extra _sqlalchemy that the metadata parser just skips and takes all _sqlalchemy's dependencies as the base deps for the package (because it was parsing the section before):

Requires-Dist: python-dateutil >=2.6.1
Requires-Dist: pyyaml >=3.12
Provides-Extra: _sqlalchemy    <!---- this line probably gets ignored
Requires-Dist: sqlalchemy <=1.4.31,>=1.3.18 ; extra == '_sqlalchemy'
Requires-Dist: zope.sqlalchemy >=1.0 ; extra == '_sqlalchemy'

METADATA taken from wheel of our-internal-package

Metadata-Version: 3.1
Name: our-internal-package
Version: 4.1.0
Summary: xxx
Home-page: https://gitlab.hidden.com/group/our-internal-pacakge
Author: we
Author-email: our@email.com
License: UNKNOWN
Platform: UNKNOWN
Classifier: Private :: Do Not Upload
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: python-dateutil >=2.6.1
Requires-Dist: pyyaml >=3.12
Provides-Extra: _sqlalchemy
Requires-Dist: sqlalchemy <=1.4.31,>=1.3.18 ; extra == '_sqlalchemy'
Requires-Dist: zope.sqlalchemy >=1.0 ; extra == '_sqlalchemy'
Provides-Extra: config
Requires-Dist: jsonschema >=2.6.0 ; extra == 'config'
Provides-Extra: encryption
Requires-Dist: pycryptodome ; extra == 'encryption'
Provides-Extra: fastapi
Requires-Dist: fastapi ; extra == 'fastapi'
Provides-Extra: injector
Requires-Dist: sphinxcontrib-napoleon >=0.6.1 ; extra == 'injector'
Provides-Extra: logutils
Requires-Dist: transaction >=2.2.1 ; extra == 'logutils'
Requires-Dist: flask >=1.0.1 ; extra == 'logutils'
Requires-Dist: pyyaml >=3.12 ; extra == 'logutils'
Requires-Dist: opentracing-instrumentation >=2.4.1 ; extra == 'logutils'

requirements.in for our app

--extra-index-url https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple
our-internal-package[encryption]

generated requrements.txt

# This file was autogenerated by uv via the following command:
#    uv pip compile requirements.in -o requirements.txt --no-cache
greenlet==3.0.3
    # via sqlalchemy
our-internal-package==4.1.0
    # via -r requirements.in
packaging==24.1
    # via zope-sqlalchemy
pycryptodome==3.20.0
    # via our-internal-package
python-dateutil==2.9.0.post0
    # via our-internal-package
pyyaml==6.0.2
    # via our-internal-package
setuptools==73.0.1
    # via
    #   zope-interface
    #   zope-sqlalchemy
six==1.16.0
    # via python-dateutil
sqlalchemy==1.4.31
    # via
    #   our-internal-package
    #   zope-sqlalchemy
transaction==4.0
    # via zope-sqlalchemy
zope-interface==7.0.1
    # via
    #   transaction
    #   zope-sqlalchemy
zope-sqlalchemy==3.1
    # via our-internal-package

verbose logs with removed warnings about skipping files

DEBUG uv 0.2.37
DEBUG Starting Python discovery for any Python
DEBUG Looking for exact match for request any Python
DEBUG Searching for Python interpreter in system path
DEBUG Found `cpython-3.9.13-linux-x86_64-gnu` at `/xxx/.direnv/python-3.9.13/bin/python3` (active virtual environment)
DEBUG Using Python 3.9.13 interpreter at /xxx/.direnv/python-3.9.13/bin/python3 for builds
DEBUG Using request timeout of 30s
DEBUG Solving with installed Python version: 3.9.13
DEBUG Adding direct dependency: our-internal-package*
DEBUG Adding direct dependency: our-internal-package[encryption]*
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/our-internal-package/
DEBUG Checking netrc for credentials for https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/our-internal-package/
DEBUG Found credentials in netrc file for https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/our-internal-package/
DEBUG Searching for a compatible version of our-internal-package[encryption] (*)
DEBUG Selecting: our-internal-package==4.1.0 [preference] (our_internal_package-4.1.0-py3-none-any.whl)
DEBUG Adding transitive dependency for our-internal-package==4.1.0: our-internal-package==4.1.0
DEBUG Adding transitive dependency for our-internal-package==4.1.0: our-internal-package[encryption]==4.1.0
DEBUG Searching for a compatible version of our-internal-package (==4.1.0)
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/files/e08f3cf9386c46b36a0a5f74b44594d168ec51181b9df4bc7458b615acad4172/our_internal_package-4.1.0-py3-none-any.whl#sha256=e08f3cf9386c46b36a0a5f74b44594d168ec51181b9df4bc7458b615acad4172
DEBUG Selecting: our-internal-package==4.1.0 [preference] (our_internal_package-4.1.0-py3-none-any.whl)
DEBUG Adding transitive dependency for our-internal-package==4.1.0: python-dateutil>=2.6.1
DEBUG Adding transitive dependency for our-internal-package==4.1.0: pyyaml>=3.12
DEBUG Adding transitive dependency for our-internal-package==4.1.0: sqlalchemy>=1.3.18, <=1.4.31
DEBUG Adding transitive dependency for our-internal-package==4.1.0: zope-sqlalchemy>=1.0
DEBUG Searching for a compatible version of our-internal-package[encryption] (==4.1.0)
DEBUG Selecting: our-internal-package==4.1.0 [preference] (our_internal_package-4.1.0-py3-none-any.whl)
DEBUG Adding transitive dependency for our-internal-package==4.1.0: pycryptodome*
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/python-dateutil/
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/pyyaml/
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/sqlalchemy/
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/zope-sqlalchemy/
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/pycryptodome/
DEBUG Searching for a compatible version of python-dateutil (>=2.6.1)
DEBUG Selecting: python-dateutil==2.9.0.post0 [preference] (python_dateutil-2.9.0.post0-py2.py3-none-any.whl)
DEBUG No cache entry for: https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl.metadata
DEBUG No cache entry for: https://files.pythonhosted.org/packages/af/20/5f29ec45462360e7f61e8688af9fe4a0afae057edfabdada662e11bf97e7/pycryptodome-3.20.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata
DEBUG No cache entry for: https://files.pythonhosted.org/packages/86/36/875db361ce975a226456388f3bc0f060db95191b7b011025c8c97d3888c5/zope.sqlalchemy-3.1-py3-none-any.whl.metadata
DEBUG Adding transitive dependency for python-dateutil==2.9.0.post0: six>=1.5
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/six/
DEBUG Searching for a compatible version of pyyaml (>=3.12)
DEBUG Selecting: pyyaml==6.0.2 [preference] (PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl)
DEBUG No cache entry for: https://files.pythonhosted.org/packages/54/2a/f247980111202ef39d7d3b3fb5591c6e5af4a351d36d9440a799ceacb1ca/SQLAlchemy-1.4.31-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata
DEBUG No cache entry for: https://files.pythonhosted.org/packages/3d/32/e7bd8535d22ea2874cef6a81021ba019474ace0d13a4819c2a4bce79bd6a/PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata
DEBUG Searching for a compatible version of sqlalchemy (>=1.3.18, <=1.4.31)
DEBUG Selecting: sqlalchemy==1.4.31 [preference] (SQLAlchemy-1.4.31-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl)
DEBUG Adding transitive dependency for sqlalchemy==1.4.31: greenlet{(python_full_version >= '3' and platform_machine == 'AMD64') or (python_full_version >= '3' and platform_machine == 'WIN32') or (python_full_version >= '3' and platform_machine == 'aarch64') or (python_full_version >= '3' and platform_machine == 'amd64') or (python_full_version >= '3' and platform_machine == 'ppc64le') or (python_full_version >= '3' and platform_machine == 'win32') or (python_full_version >= '3' and platform_machine == 'x86_64')}<0.4.17 | >0.4.17
DEBUG Searching for a compatible version of zope-sqlalchemy (>=1.0)
DEBUG Selecting: zope-sqlalchemy==3.1 [preference] (zope.sqlalchemy-3.1-py3-none-any.whl)
DEBUG Adding transitive dependency for zope-sqlalchemy==3.1: packaging*
DEBUG Adding transitive dependency for zope-sqlalchemy==3.1: setuptools*
DEBUG Adding transitive dependency for zope-sqlalchemy==3.1: sqlalchemy>=1.1, <1.4.0 | >1.4.0, <1.4.1 | >1.4.1, <1.4.2 | >1.4.2, <1.4.3 | >1.4.3, <1.4.4 | >1.4.4, <1.4.5 | >1.4.5, <1.4.6 | >1.4.6
DEBUG Adding transitive dependency for zope-sqlalchemy==3.1: transaction>=1.6.0
DEBUG Adding transitive dependency for zope-sqlalchemy==3.1: zope-interface>=3.6.0
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/greenlet/
DEBUG Searching for a compatible version of pycryptodome (*)
DEBUG Selecting: pycryptodome==3.20.0 [preference] (pycryptodome-3.20.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl)
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/setuptools/
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/packaging/
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/zope-interface/
DEBUG No cache entry for: https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple/transaction/
DEBUG Searching for a compatible version of six (>=1.5)
DEBUG Selecting: six==1.16.0 [preference] (six-1.16.0-py2.py3-none-any.whl)
DEBUG No cache entry for: https://files.pythonhosted.org/packages/d9/5a/e7c31adbe875f2abbb91bd84cf2dc52d792b5a01506781dbcf25c91daf11/six-1.16.0-py2.py3-none-any.whl.metadata
DEBUG No cache entry for: https://files.pythonhosted.org/packages/fa/42/0c8b2fdf178bfa0a4d79eddafa1cf2d8ff0686d266347efbfd65edf63708/transaction-4.0-py3-none-any.whl.metadata
DEBUG No cache entry for: https://files.pythonhosted.org/packages/08/aa/cc0199a5f0ad350994d660967a8efb233fe0416e4639146c089643407ce6/packaging-24.1-py3-none-any.whl.metadata
DEBUG No cache entry for: https://files.pythonhosted.org/packages/3e/13/960dcfb8845d3921408fc7c18e262e6a802ddf230af25ae756cce96f5e50/zope.interface-7.0.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata
DEBUG No cache entry for: https://files.pythonhosted.org/packages/07/6a/0270e295bf30c37567736b7fca10167640898214ff911273af37ddb95770/setuptools-73.0.1-py3-none-any.whl.metadata
DEBUG Searching for a compatible version of greenlet{(python_full_version >= '3' and platform_machine == 'AMD64') or (python_full_version >= '3' and platform_machine == 'WIN32') or (python_full_version >= '3' and platform_machine == 'aarch64') or (python_full_version >= '3' and platform_machine == 'amd64') or (python_full_version >= '3' and platform_machine == 'ppc64le') or (python_full_version >= '3' and platform_machine == 'win32') or (python_full_version >= '3' and platform_machine == 'x86_64')} (<0.4.17 | >0.4.17)
DEBUG Selecting: greenlet==3.0.3 [preference] (greenlet-3.0.3-cp39-cp39-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl)
DEBUG Adding transitive dependency for greenlet==3.0.3: greenlet==3.0.3
DEBUG Adding transitive dependency for greenlet==3.0.3: greenlet{(python_full_version >= '3' and platform_machine == 'AMD64') or (python_full_version >= '3' and platform_machine == 'WIN32') or (python_full_version >= '3' and platform_machine == 'aarch64') or (python_full_version >= '3' and platform_machine == 'amd64') or (python_full_version >= '3' and platform_machine == 'ppc64le') or (python_full_version >= '3' and platform_machine == 'win32') or (python_full_version >= '3' and platform_machine == 'x86_64')}==3.0.3
DEBUG Searching for a compatible version of greenlet{(python_full_version >= '3' and platform_machine == 'AMD64') or (python_full_version >= '3' and platform_machine == 'WIN32') or (python_full_version >= '3' and platform_machine == 'aarch64') or (python_full_version >= '3' and platform_machine == 'amd64') or (python_full_version >= '3' and platform_machine == 'ppc64le') or (python_full_version >= '3' and platform_machine == 'win32') or (python_full_version >= '3' and platform_machine == 'x86_64')} (==3.0.3)
DEBUG Selecting: greenlet==3.0.3 [preference] (greenlet-3.0.3-cp39-cp39-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl)
DEBUG No cache entry for: https://files.pythonhosted.org/packages/af/05/b7e068070a6c143f34dfcd7e9144684271b8067e310f6da68269580db1d8/greenlet-3.0.3-cp39-cp39-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl.metadata
DEBUG Searching for a compatible version of greenlet (==3.0.3)
DEBUG Selecting: greenlet==3.0.3 [preference] (greenlet-3.0.3-cp39-cp39-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl)
DEBUG Searching for a compatible version of packaging (*)
DEBUG Selecting: packaging==24.1 [preference] (packaging-24.1-py3-none-any.whl)
DEBUG Searching for a compatible version of setuptools (*)
DEBUG Selecting: setuptools==73.0.1 [preference] (setuptools-73.0.1-py3-none-any.whl)
DEBUG Searching for a compatible version of transaction (>=1.6.0)
DEBUG Selecting: transaction==4.0 [preference] (transaction-4.0-py3-none-any.whl)
DEBUG Adding transitive dependency for transaction==4.0: zope-interface*
DEBUG Searching for a compatible version of zope-interface (>=3.6.0)
DEBUG Selecting: zope-interface==7.0.1 [preference] (zope.interface-7.0.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl)
DEBUG Adding transitive dependency for zope-interface==7.0.1: setuptools*
DEBUG Tried 12 versions: greenlet 1, packaging 1, pycryptodome 1, python-dateutil 1, pyyaml 1, setuptools 1, six 1, sqlalchemy 1, our-internal-package 1, transaction 1, zope-interface 1, zope-sqlalchemy 1
DEBUG Split specific environment resolution took 1.735s

edit 2024-08-21: enclosed uv logs to code block for better readability

[zanieb]

Thanks for the report. Do you know if that's standards compliant? (I kind of presume not)

[adaamz]

@zanieb I suppose it is not standard: https://packaging.python.org/en/latest/specifications/core-metadata/#provides-extra-multiple-use

Maybe the whole section can be ignored instead of that one line? pip-compile just ignores whole requires section of this underscored extras.

Do you think there is any other way how to add marker/anchor/fragment for dependencies?

e.g. our setup.cfg looks something like this

[options]
packages = find_namespace:
package_dir = = src
include_package_data = true
python_requires = >= 3.9
install_requires =
    python-dateutil>=2.6.1
    pyyaml>=3.12

[options.packages.find]
where = src

[options.extras_require]
common =
    %(_sqlalchemy)s
    %(config)s

db =
    %(_sqlalchemy)s


_sqlalchemy =
    sqlalchemy>=1.3.18,<=1.4.31
    zope.sqlalchemy>=1.0

config =
    jsonschema>=2.6.0

We don't want to expose the _sqlalchemy to the public (but if it's the only way... we can use it) and we want to use this fragment in other extras as reference.

[zanieb]

Interesting. Thanks for the details. We'll need to chat about this as a team.

[zanieb]

If a value would be invalid following the rules for Name: in any core metadata version, the user SHOULD be warned and the value ignored to avoid ambiguity. Tools MAY choose to raise an error when reading an invalid name for older metadata versions.

Hm. "ignored" is kind of ambiguous.

[zanieb]

Does this happen with the latest version of pip-tools / pip?

[adaamz]

@zanieb Yes, we use pip-compile latest version currently and we are trying to switch to uv pip compile 🙂

(python-3.9.13) adam@adpc:~/xxx/test_minimal$ pip-compile --version
pip-compile, version 7.4.1
(python-3.9.13) adam@adpc:~/xxx/test_minimal$ pip-compile requirements.in
WARNING: --strip-extras is becoming the default in version 8.0.0. To silence this warning, either use --strip-extras to opt into the new default or use --no-strip-extras to retain the existing behavior.
#
# This file is autogenerated by pip-compile with Python 3.9
# by the following command:
#
#    pip-compile requirements.in
#
--extra-index-url https://gitlab.hidden.com/api/v4/groups/7/-/packages/pypi/simple

our-internal-package[encryption]==4.1.0
    # via -r requirements.in
pycryptodome==3.20.0
    # via tm-pythonlib
python-dateutil==2.9.0.post0
    # via tm-pythonlib
pyyaml==6.0.2
    # via tm-pythonlib
six==1.16.0
    # via python-dateutil

[charliermarsh]

Just confirming that this a bug on our end.

[charliermarsh]

Well, I guess it's a bit nuanced. Those are technically invalid extra names, and so the spec says we "should" ignore them (per @zanieb's comment above), which just means those dependencies should never be enabled.

[charliermarsh]

But normalizing the _sqlalchemy extra to sqlalchemy is a bug.

[adaamz]

@charliermarsh I think it is not normalizing.

In our-internal-package there is extras with name _sqlalchemy that has these requirements:

    sqlalchemy>=1.3.18,<=1.4.31
    zope.sqlalchemy>=1.0

and they get it into main requirements of the package - next to these

install_requires =
    python-dateutil>=2.6.1
    pyyaml>=3.12

The wheel file I attached brings me some idea how the uv gets the dependencies (from the METADATA file), but maybe i'm completely wrong there 🙂

[charliermarsh]

To clarify, you want sqlalchemy not to be installed, right?

You should try running with uv pip compile --no-strip-extras to visualize the extras that are being attached.

[adaamz]

Yes, for this case sqlalchemy shouldn't be installed because any extras with sqlalchemy is not required (even _sqlalchemy itself).

# This file was autogenerated by uv via the following command:
#    uv pip compile --no-strip-extras requirements.in -o requirements.txt
greenlet==3.0.3
    # via sqlalchemy
our-internal-package[encryption]==4.1.0
    # via -r requirements.in
packaging==24.1
    # via zope-sqlalchemy
pycryptodome==3.20.0
    # via our-internal-package
python-dateutil==2.9.0.post0
    # via our-internal-package
pyyaml==6.0.2
    # via our-internal-package
setuptools==73.0.1
    # via
    #   zope-interface
    #   zope-sqlalchemy
six==1.16.0
    # via python-dateutil
sqlalchemy==1.4.31
    # via
    #   our-internal-package
    #   zope-sqlalchemy
transaction==4.0
    # via zope-sqlalchemy
zope-interface==7.0.1
    # via
    #   transaction
    #   zope-sqlalchemy
zope-sqlalchemy==3.1
    # via our-internal-package

[charliermarsh]

Is there any way you can create a small reproduction that I can run locally?

[adaamz]

I created simple local package via setup.py, used it in requirements.in and also attached output of uv (requirements_uv.txt) and pip-compile (requirements.txt).

test_minimal.zip

[charliermarsh]

Awesome, thanks so much.

[notatallshaw]

Looking at the minimal example, I guess this is a bug in uv because uv is resolving for an extra that was never requested?

But this concept of a "private" extra certainly isn't within the spec, it’s not clear to me if you are expecting any behaviour from pip / pip-tools / setuptools right now, but if it has an invalid name according to the spec, it might just break one day.

For "private" extras behaviour you could have in an somewhat officially supported way, one thing you can do is use a custom build hook (with Hatch or other backends) and specify which extras you want available for editable installs and which extras you want available for the published package, e.g. apache-airflow does this with their devel extras. Perhaps there’s even a backend that supports this out of the box (I’ve never gone looking sorry).

[charliermarsh]

Yeah I generally agree -- there's some uv bug here, but those extras are also not compliant.

[charliermarsh]

I think what's happening here is that we fail to parse _sqlalchemy since it's an invalid extra, and by default we then treat the marker extra == "_sqlalchemy" as true.

[charliermarsh]

I will try to invert that.

[notatallshaw]

I think assuming invalid markers are always true or always false has been considered before: #3681

But #5898 reverted it, it was reported in #6085 but that issue was fixed by specifically supporting in.

If I'm following all of these issues right.

[charliermarsh]

Yeah, I was gonna try just fixing this case of an invalid extra.

[charliermarsh]

Honestly it would be easier to do what setuptools does and cast it to sqlalchemy by stripping the leading _.

[notatallshaw]

You already do some "fix ups" to versions and requirements which don't conform to standards, for uv's use case of being drop in replacement, makes sense to do it for invalid extas 🙃