
Dependabot updater still checks Poetry explicit source #7918

Closed
1 task done
lucemia opened this issue Aug 29, 2023 · 5 comments · Fixed by #8371
Labels
L: python:poetry Python packages via poetry T: bug 🐞 Something isn't working

Comments

@lucemia
Copy link
Contributor

lucemia commented Aug 29, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

poetry

Package manager version

poetry 1.6

Language version

python 3.10

Manifest location and content before the Dependabot update

/pyproject.toml and /poetry.lock

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "pip" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "all"
  - package-ecosystem: "docker" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    open-pull-requests-limit: 20

Updated dependency

No response

What you expected to see, versus what you actually saw

Poetry 1.5.0 introduced explicit package source
https://python-poetry.org/docs/repositories/#explicit-package-sources

If package sources are configured as explicit, these sources are only searched when a package configuration explicitly indicates that it should be found on this package source.

However, in the latest Dependabot, the updater still checks the package against a source marked as explicit, which doubles the execution time.

updater | 2023/08/29 06:15:39 INFO <job_715108988> Checking if protobuf 3.20.3 needs updating
  proxy | 2023/08/29 06:15:39 [044] GET https://pypi.org:443/simple/protobuf/
  proxy | 2023/08/29 06:15:39 [044] 200 https://pypi.org:443/simple/protobuf/
  proxy | 2023/08/29 06:15:40 [046] GET https://[my private pypi]/pypi/protobuf/
  proxy | 2023/08/29 06:15:40 [046] 404 https://[my private pypi]/pypi/protobuf/

Native package manager behavior

will not check protobuf against my private pypi

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@lucemia lucemia added the T: bug 🐞 Something isn't working label Aug 29, 2023
@deivid-rodriguez
Copy link
Contributor

Thanks for reporting!

Yes, it sounds like we could do some extra filtering over Dependabot::Python::UpdateChecker::IndexFinder#index_urls using this information. Maybe optionally pass it a dependency, and exclude any urls from the result that are marked as "explicit" and are not explicitly configured for the dependency.

Happy to review a PR implementing this!
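The explicit-source rule from the issue body and the filtering deivid-rodriguez sketches above, written out as an added Ruby example (this is not dependabot-core code and does not use its `IndexFinder` class). It models only the rule described in this thread: a source whose `priority` is `"explicit"` is a candidate for a dependency only when that dependency's own table names it via `source = "..."`; all other sources remain candidates. The source list, dependency table, names and URLs are constructed to mirror the shape of `[[tool.poetry.source]]` entries in pyproject.toml.

```ruby
# Added example: models Poetry's explicit-source filter for choosing which
# index URLs to query for one dependency. Not dependabot-core code.
#
# Constructed sample, mirroring this pyproject.toml shape:
#   [[tool.poetry.source]]
#   name = "private"
#   url = "https://private.example.invalid/pypi/"
#   priority = "explicit"
#
#   [tool.poetry.dependencies]
#   protobuf = "3.20.3"
#   internal-lib = { version = "1.0", source = "private" }
SOURCES = [
  { "name" => "PyPI",    "url" => "https://pypi.org/simple/",               "priority" => "primary" },
  { "name" => "private", "url" => "https://private.example.invalid/pypi/",  "priority" => "explicit" },
  { "name" => "mirror",  "url" => "https://mirror.example.invalid/simple/", "priority" => "supplemental" }
].freeze

DEPENDENCIES = {
  "protobuf"     => { "version" => "3.20.3" },
  "internal-lib" => { "version" => "1.0", "source" => "private" }
}.freeze

# Sources that should be consulted for +dependency_name+.
# An "explicit" source is kept only when the dependency's table names it;
# every non-explicit source is always a candidate.
def sources_for(dependency_name, sources: SOURCES, dependencies: DEPENDENCIES)
  declared_source = dependencies.fetch(dependency_name, {})["source"]

  sources.select do |source|
    source["priority"] != "explicit" || source["name"] == declared_source
  end
end

# The index URLs an update checker should hit for +dependency_name+.
def index_urls_for(dependency_name, sources: SOURCES, dependencies: DEPENDENCIES)
  sources_for(dependency_name, sources: sources, dependencies: dependencies).map { |s| s["url"] }
end

# Explicit sources that would be queried needlessly without the filter,
# i.e. the requests that showed up as 404s in the proxy log above.
def skipped_explicit_sources(dependency_name, sources: SOURCES, dependencies: DEPENDENCIES)
  kept = sources_for(dependency_name, sources: sources, dependencies: dependencies)
  sources.select { |s| s["priority"] == "explicit" } - kept
end

if __FILE__ == $PROGRAM_NAME
  DEPENDENCIES.each_key do |name|
    puts "#{name}: #{index_urls_for(name).join(', ')}"
    skipped = skipped_explicit_sources(name).map { |s| s["name"] }
    puts "  skipped explicit sources: #{skipped.empty? ? 'none' : skipped.join(', ')}" 
  end
end
```

With this filter, `protobuf` (which names no source) is looked up on PyPI and the supplemental mirror only, so the private index is never asked about it; `internal-lib`, which declares `source = "private"`, keeps the explicit source in its candidate list. The filter is deliberately conservative: it removes explicit sources the dependency did not ask for and leaves the ordering of the remaining sources unchanged.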

@deivid-rodriguez deivid-rodriguez added the L: python:poetry Python packages via poetry label Sep 19, 2023
@lucemia
Copy link
Contributor Author

lucemia commented Oct 15, 2023

Sure, I'll give it a shot, but I don't have much experience with Ruby.

@lucemia
Copy link
Contributor Author

lucemia commented Nov 11, 2023

Note:

I've observed that the recent Dependabot update retains the "explicit" source at the beginning, but after this line, Dependabot appears to forget about the explicit setting once more.

updater | 2023/11/10 19:38:44 INFO <job_748206401> Requirements to unlock own

lucemia added a commit to lucemia/dependabot-core that referenced this issue Nov 11, 2023
@lucemia
Copy link
Contributor Author

lucemia commented Nov 13, 2023

@deivid-rodriguez

@deivid-rodriguez
Copy link
Contributor

Awesome, thanks so much for persisting on this @lucemia, I will get to your PR as soon as possible!

lucemia added a commit to lucemia/dependabot-core that referenced this issue Nov 16, 2023
lucemia added a commit to lucemia/dependabot-core that referenced this issue Nov 16, 2023
deivid-rodriguez pushed a commit to lucemia/dependabot-core that referenced this issue Nov 16, 2023