not follow poetry's package source constraint #8414

Closed
1 task done
lucemia opened this issue Nov 16, 2023 · 1 comment · Fixed by #8422
Labels
T: bug 🐞 Something isn't working

Comments


lucemia commented Nov 16, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

poetry

Package manager version

1.6

Language version

python 3.10

Manifest location and content before the Dependabot update

I created a sample project here

https://github.com/lucemia/dependabot-source-constraint

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

  • It is a follow-up issue to: Respect poetry explicit source #8371
  • Currently Dependabot won't follow Poetry's package source constraint
  • If a package specifies a source, it should not check other sources. Currently all sources are still considered

A repository that is configured to be the only source for retrieving a certain package can itself have any priority. In particular, it does not need to have priority "explicit". If a repository is configured to be the source of a package, it will be the only source that is considered for that package and the repository priority will have no effect on the resolution.

which may cause dependency confusion attacks

Package source constraints are strongly suggested for all packages that are expected to be provided only by one specific source to avoid dependency confusion attacks.

https://python-poetry.org/docs/repositories/#package-source-constraint

Native package manager behavior

It won't try the PyPI source because of the package source constraint

(pythonprojects-py3.11) ➜  dependabot-source-constraint git:(main) poetry install -vvv
Adding repository custom (https://some.internal.registry.com/pypi) and setting it as primary
Warning: In a future version of Poetry, PyPI will be disabled automatically if at least one custom primary source is configured. In order to avoid a breaking change and make your pyproject.toml forward compatible, add PyPI explicitly via 'poetry source add pypi'. By the way, this has the advantage that you can set the priority of PyPI as with any other source.
Using virtualenv: /Users/davidchen/repo/dependabot-source-constraint/.venv
Updating dependencies
Resolving dependencies...
   1: fact: pythonprojects is 2.0.0
   1: derived: pythonprojects
   1: fact: pythonprojects depends on requests (2.18.0)
   1: selecting pythonprojects (2.0.0)
   1: derived: requests (==2.18.0)
[keyring.backend] Loading KWallet
[keyring.backend] Loading SecretService
[keyring.backend] Loading Windows
[keyring.backend] Loading chainer
[keyring.backend] Loading libsecret
[keyring.backend] Loading macOS
[keyring.backend] Loading Google Auth
Creating new session for some.internal.registry.com
[urllib3.connectionpool] Starting new HTTPS connection (1): some.internal.registry.com:443
Retrying HTTP request in 0.5 seconds.
[urllib3.connectionpool] Starting new HTTPS connection (2): some.internal.registry.com:443
Retrying HTTP request in 1.0 seconds.
[urllib3.connectionpool] Starting new HTTPS connection (3): some.internal.registry.com:443
Retrying HTTP request in 1.5 seconds.
[urllib3.connectionpool] Starting new HTTPS connection (4): some.internal.registry.com:443
Retrying HTTP request in 2.0 seconds.
[urllib3.connectionpool] Starting new HTTPS connection (5): some.internal.registry.com:443
Retrying HTTP request in 2.5 seconds.
[urllib3.connectionpool] Starting new HTTPS connection (6): some.internal.registry.com:443
   1: Version solving took 10.088 seconds.
   1: Tried 1 solutions.

  Stack trace:

Images of the diff or a link to the PR, issue, or logs

Currently Dependabot will still check the PyPI source

[dependabot-core-dev] ~ $ ./bin/dry-run.rb pip lucemia/dependabot-source-constraint --cache=files 
=> reading cloned repo from /home/dependabot/tmp/lucemia/dependabot-source-constraint
=> parsing dependency files
=> updating 1 dependencies: requests

=== requests ()
 => checking for updates 1/1
🌍 --> GET https://pypi.org/simple/requests/
🌍 <-- 200 https://pypi.org/simple/requests/
🌍 --> GET https://some.internal.registry.com/pypi/requests/
 => handled error whilst updating requests: private_source_timed_out {:source=>"https://some.internal.registry.com/pypi/"}
🌍 Total requests made: '2'
🎈 Ecosystem Versions log: {:languages=>{:python=>{"raw"=>"^3.7", "max"=>"3.11"}}}

Smallest manifest that reproduces the issue

[tool.poetry]
name = "PythonProjects"
version = "2.0.0"
homepage = "https://github.com/roghu/py3_projects"
license = "MIT"
readme = "README.md"
authors = ["Dependabot <support@dependabot.com>"]
description = "Various small python projects."

[tool.poetry.dependencies]
python = "^3.7"
requests = { version = "2.18.0", source = "custom" }

[[tool.poetry.source]]
name = "custom"
url = "https://some.internal.registry.com/pypi/"
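As an added example (not code from the issue or from dependabot-core), the source-constraint rule quoted above turned into a check: it derives from the issue's pyproject.toml (embedded here in parsed form) which index URLs each dependency may be fetched from, and flags the requests in the dry-run log that fall outside that set. It assumes Poetry 1.6's behaviour of still adding PyPI implicitly, and lower-cases package names rather than applying full PEP 503 normalization.

```python
PYPI_URL = "https://pypi.org/simple/"  # Poetry 1.6 still adds PyPI implicitly

# Constructed: parsed form of the pyproject.toml shown in the issue.
PYPROJECT = {"tool": {"poetry": {
    "dependencies": {"python": "^3.7",
                     "requests": {"version": "2.18.0", "source": "custom"}},
    "source": [{"name": "custom", "url": "https://some.internal.registry.com/pypi/"}],
}}}
# Constructed: the index requests from the dry-run output in the issue.
DRY_RUN_LOG = [
    "🌍 --> GET https://pypi.org/simple/requests/",
    "🌍 <-- 200 https://pypi.org/simple/requests/",
    "🌍 --> GET https://some.internal.registry.com/pypi/requests/",
]

def allowed_index_urls(pyproject):
    """Map each dependency to the index URLs a resolver may query for it.
    A dependency with an explicit ``source`` is pinned to that repository only;
    all others may use every configured source plus PyPI. Source priority never
    widens a constrained dependency's set."""
    poetry = pyproject["tool"]["poetry"]
    sources = {s["name"]: s["url"] for s in poetry.get("source", [])}
    unconstrained = list(sources.values()) + [PYPI_URL]
    allowed = {}
    for name, spec in poetry.get("dependencies", {}).items():
        if name == "python":  # interpreter constraint, not a package
            continue
        if isinstance(spec, dict) and "source" in spec:
            if spec["source"] not in sources:
                raise ValueError(f"{name}: unknown source {spec['source']!r}")
            allowed[name.lower()] = [sources[spec["source"]]]
        else:
            allowed[name.lower()] = unconstrained
    return allowed

def off_constraint_requests(pyproject, log_lines):
    """Return (package, url) for each index request that left the package's
    allowed source set; a non-empty result is the behaviour this issue reports."""
    allowed = allowed_index_urls(pyproject)
    violations = []
    for line in log_lines:
        if "--> GET " not in line:
            continue
        url = line.split("--> GET ", 1)[1].strip()
        pkg = url.rstrip("/").rsplit("/", 1)[-1].lower()  # simple-index path tail
        if pkg in allowed and not any(url.startswith(b) for b in allowed[pkg]):
            violations.append((pkg, url))
    return violations
```

Run against the issue's manifest and log it reports the PyPI request for `requests` as the one that should never have been made.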
@lucemia lucemia added the T: bug 🐞 Something isn't working label Nov 16, 2023
lucemia added a commit to lucemia/dependabot-core that referenced this issue Nov 16, 2023

lucemia commented Nov 16, 2023

I already worked on this issue, but it needs some common code from #8371, so I will probably open a PR after #8371 is merged.

lucemia added a commit to lucemia/dependabot-core that referenced this issue Nov 17, 2023
@lucemia lucemia closed this as completed Nov 24, 2023
@lucemia lucemia reopened this Nov 24, 2023
lucemia added a commit to lucemia/dependabot-core that referenced this issue Nov 24, 2023
lucemia added a commit to lucemia/dependabot-core that referenced this issue Nov 24, 2023
deivid-rodriguez pushed a commit to lucemia/dependabot-core that referenced this issue Nov 27, 2023