dependabot-core issue #8414: Does not follow Poetry's package source constraint
Labels: T: bug 🐞 (Something isn't working)
Commits referencing this issue:
- Nov 16, 2023: lucemia added a commit to lucemia/dependabot-core that referenced this issue
- Nov 17, 2023: lucemia added a commit to lucemia/dependabot-core that referenced this issue
- Nov 24, 2023: lucemia added a commit to lucemia/dependabot-core that referenced this issue
- Nov 24, 2023: lucemia added a commit to lucemia/dependabot-core that referenced this issue
- Nov 27, 2023: deivid-rodriguez pushed a commit to lucemia/dependabot-core that referenced this issue
- Nov 27, 2023: deivid-rodriguez pushed a commit that referenced this issue
Issue body:
Package ecosystem: poetry
Package manager version: 1.6
Language version: python 3.10
Manifest location and content before the Dependabot update: I created a sample project here: https://github.com/lucemia/dependabot-source-constraint
dependabot.yml content: No response
Updated dependency: No response
What you expected to see, versus what you actually saw: which may cause dependency confusion attacks. https://python-poetry.org/docs/repositories/#package-source-constraint
Native package manager behavior: It won't try the PyPI source because of the package source constraint.
Images of the diff or a link to the PR, issue, or logs: Currently Dependabot will still check the PyPI source.
Smallest manifest that reproduces the issue:
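The check a practitioner would want next to this report, as an added example that is not code from dependabot-core, Poetry or the reporter's sample project: it parses a constructed pyproject.toml and poetry.lock and applies the rule from the Poetry docs linked above (a dependency declared with `source = "<name>"` is fetched from that source only; any other dependency is searched across the non-explicit sources plus PyPI; the finer primary/supplemental ordering is deliberately ignored, which is an assumption). `audit_manifest` lists private package names whose lookup can still reach PyPI, the dependency confusion exposure the issue describes, and `audit_lock` lists constrained packages whose lock entry no longer records the required source, which is what a relock by a tool that ignores the constraint would leave behind. The package names, the index URL and the caller-supplied set of private package names are all made up for the example.

```python
"""Audit Poetry package source constraints in a manifest and its lock file.

Added example; not code from dependabot-core, Poetry or the sample project.
Assumption: only the docs' source constraint rule is modelled, not the
primary/supplemental ordering. Needs Python 3.11+ for tomllib (on 3.10, the
version in the issue, `pip install tomli` provides the same API).
"""
try:
    import tomllib
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore

PYPI = "PyPI"

# Constructed sample manifest (package names and index URL are made up).
PYPROJECT = """
[tool.poetry]
name = "sample"
version = "0.1.0"

[tool.poetry.dependencies]
python = "^3.10"
requests = "^2.31"
internal-lib = { version = "^1.2", source = "private" }
another-internal = { version = "^2.0", source = "private" }
other-internal = "^0.9"

[[tool.poetry.source]]
name = "private"
url = "https://pypi.example.internal/simple/"
priority = "explicit"
"""

# Constructed sample lock as a tool that ignored the constraint might write it:
# internal-lib lost its private source entry, another-internal kept it.
POETRY_LOCK = """
[[package]]
name = "internal-lib"
version = "1.2.3"

[[package]]
name = "another-internal"
version = "2.0.1"

[package.source]
type = "legacy"
url = "https://pypi.example.internal/simple/"
reference = "private"

[[package]]
name = "other-internal"
version = "0.9.1"
"""


def sources(pyproject: dict) -> dict:
    """Map source name -> its [[tool.poetry.source]] table."""
    return {s["name"]: s for s in pyproject["tool"]["poetry"].get("source", [])}


def dependencies(pyproject: dict) -> dict:
    """Normalise every dependency (except python) to a table with a version key."""
    deps = {}
    for name, spec in pyproject["tool"]["poetry"]["dependencies"].items():
        if name != "python":
            deps[name] = spec if isinstance(spec, dict) else {"version": spec}
    return deps


def candidate_indexes(dep: dict, srcs: dict) -> list:
    """Indexes Poetry would query for one dependency under the constraint rule."""
    if "source" in dep:
        if dep["source"] not in srcs:
            raise ValueError(f"unknown source {dep['source']!r}")
        return [dep["source"]]  # constrained: that source only
    # Unconstrained: every non-explicit source, then PyPI.
    return [n for n, s in srcs.items() if s.get("priority") != "explicit"] + [PYPI]


def audit_manifest(pyproject_text: str, private_packages: set) -> dict:
    """Private packages whose lookup can still reach PyPI: {name: indexes}."""
    pyproject = tomllib.loads(pyproject_text)
    srcs = sources(pyproject)
    exposed = {}
    for name, dep in dependencies(pyproject).items():
        idx = candidate_indexes(dep, srcs)
        if name in private_packages and PYPI in idx:
            exposed[name] = idx
    return exposed


def audit_lock(pyproject_text: str, lock_text: str) -> list:
    """Constrained packages whose lock entry does not record the required source."""
    pyproject = tomllib.loads(pyproject_text)
    srcs, deps = sources(pyproject), dependencies(pyproject)
    bad = []
    for pkg in tomllib.loads(lock_text)["package"]:
        constraint = deps.get(pkg["name"], {}).get("source")
        if constraint and pkg.get("source", {}).get("url") != srcs[constraint]["url"]:
            bad.append(pkg["name"])
    return bad


if __name__ == "__main__":
    private = {"internal-lib", "another-internal", "other-internal"}
    print("exposed to PyPI:", audit_manifest(PYPROJECT, private))
    print("lock mismatches:", audit_lock(PYPROJECT, POETRY_LOCK))
```

Run against a real repository, feed it the contents of pyproject.toml and poetry.lock from an update PR: a non-empty `audit_lock` result on a PR means the updater resolved a constrained package from somewhere other than the index the manifest pins it to, which is exactly the behaviour the issue reports and a useful guard to keep in CI regardless of how the updater is fixed.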