problem of resolving nested dependencies with private repositories #7813

Closed
4 tasks done
ct-jby opened this issue Apr 19, 2023 · 5 comments
Labels
kind/bug Something isn't working as expected status/needs-reproduction Issue needs a minimal reproduction to be confirmed status/triage This issue needs to be triaged

Comments

@ct-jby

ct-jby commented Apr 19, 2023

  • Poetry version: 1.4.1
  • Python version: 3.11.1
  • OS version and name: macOS 13.3.1
  • pyproject.toml:
[tool.poetry]
name = "test"
version = "0.1.0"
description = "poetry issue - problem of resolving nested dependencies with private repositories"
authors = ["ct-jby"]
readme = "README.md"
packages = [{include = "test", from = "src"}]

[tool.poetry.dependencies]
python = "^3.11"
httpclient = { version="1.0.0", source = "private-libraries" }

[[tool.poetry.source]]
name = "private-libraries"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
default = false
secondary = true

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
  • I am on the latest stable Poetry version, installed using a recommended method.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have consulted the FAQ and blog for any relevant entries or release notes.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

problem of resolving nested dependencies with private repositories

My current project has a private dependency on my GitLab, and the httpclient dependency itself has a dependency on the same GitLab (logger 1.0.0).

When running the poetry install command, the logger 1.4.0 package from PyPI is installed instead of mine.

current project with my default non functional configuration

...
[tool.poetry.dependencies]
python = "^3.11"
httpclient = { version="1.0.0", source = "private-libraries" }

[[tool.poetry.source]]
name = "private-libraries"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
default = false
secondary = true
...

package httpclient project with my default non functional configuration

...
[tool.poetry.dependencies]
python = "^3.11"
logger = { version="1.0.0", source = "private-libraries" }

[[tool.poetry.source]]
name = "private-libraries"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
default = false
secondary = true
...

After rereading the poetry documentation I tried to set the 'secondary' parameter of the 'private-libraries' source to false on the 'httpclient' package and in my current project.

poetry documentation on this parameter (according to the documentation, this should have fixed the problem but it didn't):

https://python-poetry.org/docs/repositories/#default-package-source

current project with secondary parameter set to false

...
[tool.poetry.dependencies]
python = "^3.11"
httpclient = { version="1.0.0", source = "private-libraries" }

[[tool.poetry.source]]
name = "private-libraries"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
default = false
secondary = false
...

package httpclient project with secondary parameter set to false

...
[tool.poetry.dependencies]
python = "^3.11"
logger = { version="1.0.0", source = "private-libraries" }

[[tool.poetry.source]]
name = "private-libraries"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
default = false
secondary = false
...

I was able to solve the problem by setting this source to default in my current project and in the httpclient library, but the documentation specifies that setting a source to 'default' disables the default PyPI source.

poetry documentation on this parameter:

https://python-poetry.org/docs/repositories/#default-package-source

Despite what the documentation says, the packages coming from PyPI are well resolved, and my packages, even if they have the same name as a package coming from PyPI, are installed in priority.

So my private package logger 1.0.0 (a dependency of the package httpclient) is well installed instead of the one from PyPI.

This behavior is surprising and contrary to the configuration explained in the official documentation.

current project with private source as default (functional)

...
[tool.poetry.dependencies]
python = "^3.11"
httpclient = { version="1.0.0", source = "private-libraries" }

[[tool.poetry.source]]
name = "private-libraries"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
default = true
secondary = false
...

package httpclient project with private source as default (functional)

...
[tool.poetry.dependencies]
python = "^3.11"
logger = { version="1.0.0", source = "private-libraries" }

[[tool.poetry.source]]
name = "private-libraries"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
default = true
secondary = false
...

Is it a bug? Is the documentation correct?

Any help is welcome :)

@ct-jby ct-jby added kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Apr 19, 2023
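The outcome reported above (a private package name resolved from PyPI) can be caught by auditing `poetry.lock` before installing. This is an added example, not part of the issue thread or Poetry's own code; the `INTERNAL` set, the `misrouted` helper and the lock excerpt are assumptions constructed for illustration.

```python
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Assumption: names your organisation publishes only on its private index.
INTERNAL = {"httpclient", "logger"}
PRIVATE_URL = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"

# Constructed poetry.lock excerpt matching the outcome reported in the issue:
# httpclient is locked from the private source, while logger has no
# [package.source] table, which is how Poetry records a package taken from PyPI.
SAMPLE_LOCK = '''
[[package]]
name = "httpclient"
version = "1.0.0"

[package.source]
type = "legacy"
url = "https://my-gitlab.example.com/api/v4/groups/100/-/packages/pypi/simple"
reference = "private-libraries"

[[package]]
name = "logger"
version = "1.4.0"
'''

def normalize(name):
    """PEP 503 name normalisation so 'My_Pkg' and 'my-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def misrouted(lock_text, internal=INTERNAL, private_url=PRIVATE_URL):
    """Return (name, version, origin) for internal packages not locked from private_url."""
    wanted = {normalize(n) for n in internal}
    findings = []
    for pkg in tomllib.loads(lock_text).get("package", []):
        if normalize(pkg["name"]) not in wanted:
            continue
        origin = pkg.get("source", {}).get("url", "PyPI")
        if origin.rstrip("/") != private_url.rstrip("/"):
            findings.append((pkg["name"], pkg["version"], origin))
    return findings

if __name__ == "__main__":
    for name, version, origin in misrouted(SAMPLE_LOCK):
        print(f"{name} {version} locked from {origin}, expected the private index")
```

Running a check like this in CI and failing the build on any finding stops a same-named public package from being installed silently.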
@ct-jby
Author

ct-jby commented Apr 19, 2023

PS: All the tests have been done both with local packages and on our gitlab and the different poetry caches have always been cleaned between each test.

@dimbleby
Contributor

1.4.0 is a more recent version of logger than 1.0.0 so will be preferred. If you want not to use pypi at all then setting default = true is exactly right, as the docs say and as you discovered.

Everything is behaving as expected here. (Also this stuff is changing anyway in the next release per #7658 and possibly more; so even if you had identified a bug there would be little value in worrying about it at this exact moment.)

Please close.

@ct-jby
Author

ct-jby commented Apr 20, 2023

OK, if it's because of the '^' that allows installation of a newer minor version, I can understand.
On the other hand, all the PyPI dependencies should not be resolved because the default parameter of my private repository is set; I think it's a bug.

@dimbleby
Contributor

Pretty sure you've misunderstood something; I use default non-PyPI repositories all the time and this works exactly as expected.

Please provide a reproducible example if you believe you have found a bug, otherwise close this out.

@radoering radoering added the status/needs-reproduction Issue needs a minimal reproduction to be confirmed label Feb 4, 2024
@radoering radoering closed this as not planned Won't fix, can't repro, duplicate, stale Feb 4, 2024

github-actions bot commented Mar 5, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 5, 2024