Add note on private classifier #8783
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
As OP of #8214, this isn't what I was hoping for but I can understand your rationale and the constraints on |
It might be worth leaving #8214 open to explore the possibility of adding support for |
docs/guides/publish.md
Outdated
| ``` | ||
|
|
||
| We also recommend only generating per-project tokens: Without a PyPI token matching the project, | ||
| it can't be accidentally published. |
There was a problem hiding this comment.
I think this should just be at the bottom of this section, and not as a note. (Is it really the most important content?)
There was a problem hiding this comment.
The trouble with placing this section is that it's a negative advice, it's about not doing something rather than doing something. Users with private packages that don't get published at all aren't likely to read through the publish guide, but I haven't found a place they would come through either.
zanieb
reviewed
Nov 6, 2024
docs/guides/publish.md
Outdated
| @@ -62,6 +62,19 @@ parallel uploads. Note that existing files need to match exactly with those prev | |||
| the registry, this avoids accidentally publishing source distribution and wheels with different | |||
| contents for the same version. | |||
|
|
|||
| ## Private Packages | |||
There was a problem hiding this comment.
This doesn't quite make sense in the publishing guide, which is explicitly about how to publish your package. I guess I'll move towards having a publish concept document, but in the meantime, it can live here. It's a little awkward in the middle of this workflow, maybe it should be in Preparing your project for packaging as a !!! tip?
Could you add a sentence at the top of this section which explains what a private package is and why you'd want one?
There was a problem hiding this comment.
i moved it up again and changed word to "internal", that's self-explanatory.
I think it's obvious but I'll spell it out explicitly: If |
zanieb
reviewed
Nov 6, 2024
zanieb
reviewed
Nov 6, 2024
|
I defer to @zanieb entirely on the docs. Feel free to ignore my comments on that front. IMO it's okay to leave #8214 open. I can imagine other ways for us to solve this problem that don't require standards. For example, we could error when |
zanieb
reviewed
Nov 6, 2024
docs/guides/publish.md
Outdated
Comment on lines
26
to
28
| uv will still attempt to publish packages with the classifier, but PyPI will reject them. Note | ||
| that the private classifier is used against PyPI, but when using an alternative registry, | ||
| access to the uploaded packages needs to still be configured correctly. |
There was a problem hiding this comment.
I'm sorry to continue picking at this, but I'm earnestly confused by the language here. "is used against PyPI" doesn't quite make sense, the classifier is sent to all indexes and only PyPI is expected to act on it right? What does it mean to configure access to the uploaded packages on an alternative registry? I thought the goal here was to avoid upload and publish entirely — I'm confused that we're talking about access controls now.
|
Summary of the latest changes: I've shortened the explanation of |
konstin
force-pushed
the
konsti/private-project-note
branch
from
dee77b0 to
dcbbd76
Compare
zanieb
approved these changes
Nov 6, 2024
|
@zanieb @konstin Any chance to leave #8214 open as @charliermarsh mentioned for future exploration of a nicer UX around this? As of now "Fixes #8214" will close the issue. |
|
I am fine with further discussion on #8214, though I think we're in agreement that the clearest path forward is an improvement at the Python standards-level. |
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Nov 18, 2024
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | minor | `0.4.24` -> `0.5.2` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.5.2`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#052) [Compare Source](astral-sh/uv@0.5.1...0.5.2) ##### Enhancements - Hide `--no-system` from `uv pip tree` CLI ([#​9040](astral-sh/uv#9040)) - Allow configuration of Python and PyPy install mirrors in `uv.toml` ([#​8695](astral-sh/uv#8695)) - Allow passing Python download mirrors to `uv python install` ([#​8695](astral-sh/uv#8695)) - Add support for specifying conflicting extras and dependency groups ([#​8976](astral-sh/uv#8976), [#​9096](astral-sh/uv#9096)) - Consistent colon usage in build failure errors ([#​8994](astral-sh/uv#8994)) - Show full derivation chain when encountering build failures ([#​9108](astral-sh/uv#9108)) - Show link we failed on parsing index pages ([#​9118](astral-sh/uv#9118)) - Remove duplicate log when searching for interpreters ([#​9092](astral-sh/uv#9092)) - Update uv development status classifier to "Stable" on PyPI ([#​8943](astral-sh/uv#8943)) - Use rich diagnostic formatting for early build failures ([#​9041](astral-sh/uv#9041)) - Use rich diagnostic formatting for install failures ([#​9043](astral-sh/uv#9043)) ##### Performance - Avoid retraversing filesystem when testing exact glob matches ([#​9022](astral-sh/uv#9022)) ##### Bug fixes - Allow `--no-build` to validate lock ([#​9024](astral-sh/uv#9024)) - Allow default indexes to be marked as explicit ([#​8990](astral-sh/uv#8990)) - Avoid creating `.venv` in `uv add --frozen` and `uv add --no-sync` ([#​8980](astral-sh/uv#8980)) - Avoid duplicating first-entry comments in `uv add` ([#​9109](astral-sh/uv#9109)) - Defer reporting of build failures in resolver ([#​9098](astral-sh/uv#9098)) - Fix references to `--resolution-strategy` in error message output ([#​8971](astral-sh/uv#8971)) - Ignore virtual environments in parent directories when choosing Python version for new projects ([#​9075](astral-sh/uv#9075)) - Forward SIGTERM to child processes in `uv run` ([#​8933](astral-sh/uv#8933)) - Prefer Python executable names that match the request over default names ([#​9066](astral-sh/uv#9066)) - Prefer compatible to incompatible distributions when packages exist on multiple indexes ([#​8961](astral-sh/uv#8961)) - Publish: Ignore non-matching files ([#​8986](astral-sh/uv#8986)) - Revert `uv.lock` changes when `uv add` fails ([#​9030](astral-sh/uv#9030)) - Show file extensions on available commands when not `.exe` ([#​9099](astral-sh/uv#9099)) - Sort by name, then specifiers in `uv add` ([#​9097](astral-sh/uv#9097)) - Split after specifiers in `--with` requirements ([#​9089](astral-sh/uv#9089)) - Support multiple extras in universal pip compile output ([#​8960](astral-sh/uv#8960)) ##### Preview features - Build backend: Add tests for source tree -> source dist -> wheel conversions ([#​9091](astral-sh/uv#9091)) - Build backend: Switch to custom `glob-walkdir` implementation ([#​9013](astral-sh/uv#9013)) - Build backend: Add minimal wheel settings ([#​9085](astral-sh/uv#9085)) ##### Documentation - Add wget instructions for systems without curl ([#​8630](astral-sh/uv#8630)) - Fix `.env` file example in docs ([#​9064](astral-sh/uv#9064)) - Fix reference to `--resolution` in docs ([#​8968](astral-sh/uv#8968)) - Fix typo in GitLab integration docs ([#​9047](astral-sh/uv#9047)) - Update format of environment variable reference ([#​9018](astral-sh/uv#9018)) - Use Python syntax for `value_type` consistently ([#​9017](astral-sh/uv#9017)) - Use `[[index]]` API in configuration example ([#​9065](astral-sh/uv#9065)) - Mention how to use extras ([#​8972](astral-sh/uv#8972)) - Add some words about specifying conflicting extras/groups ([#​9120](astral-sh/uv#9120)) ### [`v0.5.1`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#051) [Compare Source](astral-sh/uv@0.5.0...0.5.1) ##### Enhancements - Allow installation of manylinux wheels on `riscv64` ([#​8934](astral-sh/uv#8934)) ##### Bug fixes - Build source distributions at top-level of cache ([#​8905](astral-sh/uv#8905)) - Allow non-registry dependencies in `uv pip list --outdated` ([#​8939](astral-sh/uv#8939)) - Compute superset of existing and required hashes when healing cache ([#​8955](astral-sh/uv#8955)) - Enable uv to replace and delete itself on Windows ([#​8914](astral-sh/uv#8914)) - Remove source distribution filename from cache ([#​8907](astral-sh/uv#8907)) - Respect `--index-url` in `uv pip list` ([#​8942](astral-sh/uv#8942)) - Respect comma-separated extras in `--with` ([#​8946](astral-sh/uv#8946)) ##### Documentation - Add uninstall note for previous versions ([#​8937](astral-sh/uv#8937)) - Remove some missed references to `~/.cargo/bin` ([#​8936](astral-sh/uv#8936)) - Split README's install code block into 3 ([#​8853](astral-sh/uv#8853)) ### [`v0.5.0`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#050) [Compare Source](astral-sh/uv@0.4.30...0.5.0) Since the launch of Python version, project, and tool management capabilities back in August, we've seen extraordinary adoption of uv. We've been iterating rapidly: adding new features, fixing bugs, and improving the user experience. Despite moving quickly, stability and compatibility have been a major focus — we've made thirty releases since our last breaking change. Consequently, we've accumulated various changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes. ##### Breaking - **Use base executable to set virtualenv Python path** ([#​8481](astral-sh/uv#8481)) Previously, uv canonicalized the path to the Python executable when setting the Python path in created virtual environments. This behavior had several undesirable effects: it would bypass stabilized version directories (as constructed by Homebrew) and it was not consistent with the Python standard library's behavior. Now, uv uses the `sys._base_executable` path. - **Use XDG (i.e. `~/.local/bin`) instead of the Cargo home directory in the installer** ([#​8420](astral-sh/uv#8420)) Previously, uv's installer used `$CARGO_HOME` or `~/.cargo/bin` for its target install directory. It's been a longstanding complaint that uv uses this directory, as there's no relationship to Cargo. Now, uv will be installed into `$XDG_BIN_HOME`, `$XDG_DATA_HOME/../bin`, or `~/.local/bin` (in that order). Note that `$UV_INSTALL_DIR` can always be used to override the target directory. - **Discover and respect `.python-version` files in parent directories** ([#​6370](astral-sh/uv#6370)) Previously, uv only read `.python-version` files from the working directory. Now, uv will check parent directories for `.python-version` files; however uv will not search for `.python-version` files beyond project boundaries. The new behavior is better aligned with that of `pyenv` and Rye. - **Error when disallowed settings are defined in `uv.toml`** ([#​8550](astral-sh/uv#8550)) Some settings can only be defined in the `pyproject.toml`. Previously, uv would ignore these settings when present in the `uv.toml`. Now, uv will error to avoid confusion about why the settings are not respected. - **Implement PEP 440-compliant local version semantics** ([#​8797](astral-sh/uv#8797)) Previously, uv's implementation of local versions (e.g. `2.0+cpu`) was not compliant with the specification due to the technical complexity of implementing the local version semantics in the PubGrub algorithm. Thanks to the work of [@​ericmarkmartin](https://github.com/ericmarkmartin), uv now has a spec-compliant implementation. Namely, uv will now allow a request for `torch==2.1.0` to install `[email protected]+cpu` regardless of whether `[email protected]` (without a local tag) actually exists. - **Treat the base Conda environment as a system environment** ([#​7691](astral-sh/uv#7691)) Previously, uv would not distinguish between the base and other Conda environments. Now, uv uses `CONDA_DEFAULT_ENV` and the names `base` and `default` to determine if an environment active via `CONDA_PREFIX` is the base environment. If the base environment is active, the `--system` flag must be used to mutate it. - **Do not allow pre-releases when the `!=` operator is used** ([#​7974](astral-sh/uv#7974)) Previously, uv would use the presence of a pre-release specifier in a version specifier as an opt-in to allow pre-release versions during resolution. The new behavior does not allow pre-releases when an inequals operator is used, e.g., `!= 2.0a1`. - **Prefer `USERPROFILE` over `FOLDERID_Profile` when selecting a home directory on Windows** ([#​8048](astral-sh/uv#8048)) This change is a side-effect of switching from the `directories` crate to `etcetera` for determining canonical system paths. If `USERPROFILE` is not set, the behavior will be unchanged. - **Improve interactions between color environment variables and CLI options** ([#​8215](astral-sh/uv#8215)) Previously, uv would respect the `FORCE_COLOR` and `NO_COLOR` environment variables over the `--color` flag. Now, when the `--color` flag is explicitly provided, uv will respect it over the environment variables. - **Make `allow-insecure-host` a global option** ([#​8476](astral-sh/uv#8476)) Previously, this option was only available in some parts of uv. Now, `--allow-insecure-host` can be provided to any command. For consistency, the `allow-insecure-host` setting has been removed from the `[tool.uv.pip]` configuration in favor of `[tool.uv]`. - **Only write `.python-version` files during `uv init` for workspace members if the version differs** ([#​8897](astral-sh/uv#8897)) Previously, uv would create a `.python-version` file for workspace members during `uv init`. Now, uv will only do so if the version differs from the `.python-version` file in the workspace root since uv will respect `.python-version` files in parent directories. ##### Enhancements - Add `uv tree --outdated` ([#​8893](astral-sh/uv#8893)) - Add armv8l alias for armv7l to support arm 32-bit compatibility mode ([#​8881](astral-sh/uv#8881)) - Add support for `pip list --outdated` ([#​8872](astral-sh/uv#8872)) - Allow semicolons directly after direct URLs ([#​8836](astral-sh/uv#8836)) - Enable support for arbitrary git transports ([#​8769](astral-sh/uv#8769)) - Improve Python discovery source messages ([#​8890](astral-sh/uv#8890)) - Show dedicated error for trailing `;` on URL and path requirements ([#​8835](astral-sh/uv#8835)) - Add progress bar for `uv cache clean` ([#​8857](astral-sh/uv#8857)) - Warn on failure to query system configuration file ([#​8829](astral-sh/uv#8829)) ##### Preview features - Add support for building basic source distributions with the experimental uv build backend ([#​8886](astral-sh/uv#8886)) ##### Bug fixes - Respect dynamic version updates in `uv lock` ([#​8867](astral-sh/uv#8867)) - Respect fork markers in `--resolution-mode=lowest-direct` ([#​8839](astral-sh/uv#8839)) ##### Documentation - Add further examples of git+https support ([#​8841](astral-sh/uv#8841)) - Add installer variables to environment reference ([#​8874](astral-sh/uv#8874)) - Add note on private classifier ([#​8783](astral-sh/uv#8783)) - Update pip-and-uv strictness example ([#​8822](astral-sh/uv#8822)) - Fix `uv python install` docs to use an existing PyPy version ([#​8845](astral-sh/uv#8845)) - Document how to mimic `--verbose` with `RUST_LOG` ([#​8858](astral-sh/uv#8858)) ### [`v0.4.30`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0430) [Compare Source](astral-sh/uv@0.4.29...0.4.30) ##### Enhancements - Add support for `.env` and custom env files in `uv run` ([#​8811](astral-sh/uv#8811)) - Add support for `--all-packages` in `uv run`, `uv sync`, and `uv export` ([#​8742](astral-sh/uv#8742), [#​8741](astral-sh/uv#8741), [#​8739](astral-sh/uv#8739)) - Allow use of `--frozen` with `--all-packages` in `uv sync` and `uv export` ([#​8760](astral-sh/uv#8760)) - Show full error chain on tool upgrade failures ([#​8753](astral-sh/uv#8753)) - Add `--check-url` to `uv publish` to check for existing distributions during upload ([#​8531](astral-sh/uv#8531)) - Suggest using `--check-url` when `--skip-existing` is used ([#​8803](astral-sh/uv#8803)) ##### Bug fixes - Allow incompatible `requires-python` for source distributions with static metadata ([#​8768](astral-sh/uv#8768)) - Allow managed downloads with `--python-preference system` ([#​8808](astral-sh/uv#8808)) - Avoid error for `--group` defined in non-root workspace member ([#​8734](astral-sh/uv#8734)) - Avoid showing dependency group annotations on workspace members in tree ([#​8730](astral-sh/uv#8730)) - Do not error when the Python bin directory is missing on `uv python uninstall` ([#​8725](astral-sh/uv#8725)) - Include member groups when locking workspace ([#​8736](astral-sh/uv#8736)) - Fix bug where `python_version < '0'` could appear in a final resolution ([#​8759](astral-sh/uv#8759)) - Sanitize filenames during zip extraction ([#​8732](astral-sh/uv#8732)) - Switch to RFC 9110 compatible format for exclude newer requests ([#​8752](astral-sh/uv#8752)) ##### Preview features - Add support for installing versioned Python executables on Windows ([#​8663](astral-sh/uv#8663)) - Improve interactions with existing Python executables during install ([#​8733](astral-sh/uv#8733)) ##### Rust API - Extend `BaseClient` to accept extra middleware ([#​8807](astral-sh/uv#8807)) - Add `From` for `FlatDistributions` struct ([#​8800](astral-sh/uv#8800)) ##### Documentation - Fix environment variable name in providing credentials section ([#​8740](astral-sh/uv#8740)) - Fix `add httpx` example with real git branch ([#​8756](astral-sh/uv#8756)) - Fix indentation in `projects.md` ([#​8772](astral-sh/uv#8772)) - Fix link to publish guide in `README` ([#​8720](astral-sh/uv#8720)) - Generate environment variables documentation from code ([#​8493](astral-sh/uv#8493)) - Improve and fix some documents ([#​8749](astral-sh/uv#8749)) - Improve environment variables document ([#​8777](astral-sh/uv#8777)) ### [`v0.4.29`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0429) [Compare Source](astral-sh/uv@0.4.28...0.4.29) ##### Enhancements - Sort errors during display in `uv python install` ([#​8684](astral-sh/uv#8684)) - Update resolver to use disjointness checks instead of marker equality ([#​8661](astral-sh/uv#8661)) - Add `riscv64` to supported Python platform tags ([#​8660](astral-sh/uv#8660)) ##### Bug fixes - Fix hard and soft float libc detection for managed Python distributions on ARM ([#​8498](astral-sh/uv#8498)) - Handle cycles in `uv pip tree` ([#​8689](astral-sh/uv#8689)) - Respect dependency group markers in `uv export` ([#​8659](astral-sh/uv#8659)) - Support transitive dependencies in Git workspaces ([#​8665](astral-sh/uv#8665)) - Use portable paths for subdirectories in lock URLs ([#​8707](astral-sh/uv#8707)) - Update `uv init --virtual` to imply `--no-package` ([#​8595](astral-sh/uv#8595)) ##### Preview - Install versioned Python executables into the bin directory during `uv python install` (Unix only) ([#​8458](astral-sh/uv#8458)) ##### Documentation - Clarify relationship between specifiers and `requires-python` range ([#​8688](astral-sh/uv#8688)) - Fix broken link in docs ([#​8552](astral-sh/uv#8552)) - Fix outdated documentation on `Requires-Python` ([#​8679](astral-sh/uv#8679)) - Add Google Artifact Registry index authentication guide ([#​8579](astral-sh/uv#8579)) ### [`v0.4.28`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0428) [Compare Source](astral-sh/uv@0.4.27...0.4.28) ##### Enhancements - Add support for requesting free-threaded builds via `+freethreaded` ([#​8645](astral-sh/uv#8645)) - Improve trusted publishing error messages ([#​8633](astral-sh/uv#8633)) - Remove unneeded `return` from Maturin project template ([#​8604](astral-sh/uv#8604)) - Skip Python interpreter discovery for `uv export` ([#​8638](astral-sh/uv#8638)) - Hint about missing trusted publishing permission ([#​8632](astral-sh/uv#8632)) ##### Configuration - Add environment variable to disable progress output ([#​8600](astral-sh/uv#8600)) ##### Bug fixes - Fork when minimum Python version increases ([#​8628](astral-sh/uv#8628)) - Ignore empty groups when validating lock ([#​8598](astral-sh/uv#8598)) - Remove duplicate word in error message ([#​8589](astral-sh/uv#8589)) - Support cyclic dependencies in `uv tree` ([#​8564](astral-sh/uv#8564)) - Update `uv init` to imply `--package` when using `--build-backend` ([#​8593](astral-sh/uv#8593)) - Restore use of `dev-dependencies` and `requires-dev` for lockfile compatibility ([#​8599](astral-sh/uv#8599)) ##### Documentation - Clarify `requires-python` requirement for dependencies ([#​8619](astral-sh/uv#8619)) - Update CLI documentation for `--cache-dir` ([#​8627](astral-sh/uv#8627)) ### [`v0.4.27`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0427) [Compare Source](astral-sh/uv@0.4.26...0.4.27) This release includes support for the `[dependency-groups]` table as recently standardized in [PEP 735](https://peps.python.org/pep-0735/). The table allows for declaration of optional dependency groups that are not published as part of the package metadata, unlike `[project.optional-dependencies]`. There are new `--group`, `--only-group`, and `--no-group` options throughout the uv interface. Previously, uv used a single `tool.uv.dev-dependencies` list for declaration of development dependencies. Now, uv supports declaring development dependencies in a standardized format and allows splitting development dependencies into multiple groups. For compatibility, and to simplify usage for people that do not need multiple groups, uv special-cases the group named `dev`. The `dev` group is equivalent to `tool.uv.dev-dependencies`. The contents of `tool.uv.dev-dependencies` will merged into the `dev` group in uv's resolver. The `--dev`, `--only-dev`, and `--no-dev` flags remain as aliases for the corresponding `--group` options. Support for `tool.uv.dev-dependencies` remains in this release, but will display warnings in a future release. uv syncs the `dev` group by default — this matches the exististing behavior for `tool.uv.dev-dependencies`. The default groups can be changed with the `tool.uv.default-groups` setting. Thank you to Stephen Rosen who authored PEP 735. ##### Enhancements - Support for PEP 735 ([#​8272](astral-sh/uv#8272)) - Add support for `--dry-run` mode in `uv lock` ([#​7783](astral-sh/uv#7783)) - Don't allow non-string email in authors ([#​8520](astral-sh/uv#8520)) - Enforce lockfile schema versions ([#​8509](astral-sh/uv#8509)) ##### Bug fixes - Always attach URL to network errors ([#​8444](astral-sh/uv#8444)) - Fix dangling non-platform dependencies in `uv tree` ([#​8532](astral-sh/uv#8532)) - Prefer `lto` over `debug` free-threaded managed Python builds ([#​8515](astral-sh/uv#8515)) ##### Documentation - Add `tool.uv.sources` to the "Settings" reference ([#​8543](astral-sh/uv#8543)) - Add reference to `uv build` and `uv publish` in the landing pages ([#​8542](astral-sh/uv#8542)) - Avoid duplicate `[tool.uv]` header in TOML examples ([#​8545](astral-sh/uv#8545)) - Document `.netrc` environment variable and path ([#​8511](astral-sh/uv#8511)) - Fix `.netrc` typo in authentication docs ([#​8521](astral-sh/uv#8521)) - Fix heading level of "Script support" on docs landing page ([#​8544](astral-sh/uv#8544)) - Move the installation configuration docs to a separate page ([#​8546](astral-sh/uv#8546)) - Update docs for `--publish-url` to avoid duplication. ([#​8561](astral-sh/uv#8561)) - Fix typo ([#​8554](astral-sh/uv#8554)) - Fix typo in description of `--strict` flag ([#​8513](astral-sh/uv#8513)) ### [`v0.4.26`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0426) [Compare Source](astral-sh/uv@0.4.25...0.4.26) ##### Enhancements - Allow static dependency metadata entries for direct URL requirements ([#​7846](astral-sh/uv#7846)) - Use reinstall report formatting for `uv python install --reinstall` ([#​8487](astral-sh/uv#8487)) - Add support for system-level `uv.toml` configuration ([#​7851](astral-sh/uv#7851)) ##### Bug fixes - Apply `requires-python` narrowing with upper bounds ([#​8403](astral-sh/uv#8403)) - Avoid rewriting `[[tool.uv.index]]` entries when credentials are provided ([#​8502](astral-sh/uv#8502)) - Fix `uv add` comment handling for empty arrays ([#​8504](astral-sh/uv#8504)) - Replace dashes with underscores in index credential variables ([#​8452](astral-sh/uv#8452)) - Respect `--allow-insecure-host` in `uv publish` ([#​8440](astral-sh/uv#8440)) - Allow arbitrary `--package` includes in `uv tree` ([#​8507](astral-sh/uv#8507)) - Remove existing Python install after successful download in `uv python install` ([#​8485](astral-sh/uv#8485)) ##### Documentation - Add docs example for URLs with `[tool.uv.dependency-metadata]` ([#​8484](astral-sh/uv#8484)) - Add help page for build failures ([#​8286](astral-sh/uv#8286)) - Fix `cache-keys` typo in `tags = true` ([#​8422](astral-sh/uv#8422)) - Add documentation examples for manual branch, rev, and tag Git dependencies ([#​8497](astral-sh/uv#8497)) ##### Error messages - Improve error message for cache info serialization ([#​8500](astral-sh/uv#8500)) - Suggest `--from` command when executable is available for `uvx` ([#​8473](astral-sh/uv#8473)) - Support `--with-editable` in `uv tool install` ([#​8472](astral-sh/uv#8472)) ### [`v0.4.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0425) [Compare Source](astral-sh/uv@0.4.24...0.4.25) ##### Enhancements - Add support for `uv pip show --files` ([#​8369](astral-sh/uv#8369)) - Don't prefetch unreachable packages ([#​8246](astral-sh/uv#8246)) - Remove `tool.uv.sources` table if it is empty ([#​8365](astral-sh/uv#8365)) - Modify cache versioning to support backwards compatibility ([#​8386](astral-sh/uv#8386)) ##### Configuration - Add support for `UV_FROZEN` and `UV_LOCKED` ([#​8340](astral-sh/uv#8340)) ##### Bug fixes - Allow dashes and underscores in custom index names ([#​8339](astral-sh/uv#8339)) - Avoid panic when Git dependencies are included in fork markers ([#​8388](astral-sh/uv#8388)) - Check existing source by normalized name before `uv add` and `uv remove` ([#​8359](astral-sh/uv#8359)) - Fix bug where username from authentication cache could be ignored ([#​8345](astral-sh/uv#8345)) - Fix to respect comments positioning in pyproject.toml on change ([#​8384](astral-sh/uv#8384)) - Redact index sources in `uv.lock` ([#​8333](astral-sh/uv#8333)) - Use correct indentation when project table contains open bracket comment ([#​8387](astral-sh/uv#8387)) - Only remove a source from `[tool.uv.sources]` if it is no long being referenced ([#​8366](astral-sh/uv#8366)) - Modify `uv pip list` and `uv tree` to print to stdout regardless of `--quiet` flag ([#​8392](astral-sh/uv#8392)) ##### Error messages - Improve help message for missing `self update` invocations ([#​8337](astral-sh/uv#8337)) - Log `.netrc` parsing errors ([#​8364](astral-sh/uv#8364)) - Remove trailing newlines in error messages ([#​8322](astral-sh/uv#8322)) - Use a dedicated message for incompatible Python versions in wheel ABI tags ([#​8363](astral-sh/uv#8363)) - Remove commands available in the top-level from the suggested subcommand error ([#​8316](astral-sh/uv#8316)) ##### Release - Run release builds for `macos-x86_64` on `macos-14` runners ([#​8327](astral-sh/uv#8327)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Users are concerned that they might accidentally publish their private package to PyPI, thereby exposing company internals and their private source code.
However, for this to happen, the user needs to call
uv publishwithout an index option, while having credentials for PyPI set either in environment variables (and the private index credentials not set to those env vars) or in the keyring (without scoping to a package), and that token having the project in scope.As easiest protection, we recommend never generating a PyPI token scoped to all projects, only generating one that is matched to the specific, public project: Without a matching token, no accidental publishing can happen.
The
Private :: Do Not Uploadprevent packages from being uploaded to PyPI (https://pypi.org/classifiers/). This is unergonomic: The classifiers are a system for metadata, not for configuration, they are not part of uv's docs and it doesn't have the discoverability of regular settings.The most evident idea for solving this is
tool.uv.publish:Unfortunately, this doesn't actually offer reliable protection: It only works when the pyproject.toml is present (we currently don't require checkouts for
uv publish) and it doesn't work with twine or any other publishing tool.The second idea is translating this to
classifiers = ["Private :: Do Not Upload"]. Unfortunately, PEP 621 forbids this, it requires that we must not append to static parts of[project]when building the wheel and source dists. This is needed for the ability to readpyproject.tomlwithout a build. There is an escape hatch that requires explicitly declaring specifiers as dynamic, we set the actual classifier on build depending on the value oftool.uv.private, i.e., if we seetool.uv.private = truewe transform the metadata on build as if we hadclassifiers = ["Private :: Do Not Upload"]:Through
dynamic, we are allowed to emit the following as METADATA:Just setting
classifiers = ["Private :: Do Not Upload"]is, unlike the above, self-documenting and more concise.Given all that we document that you shouldn't create unscoped tokens and that you can use
classifiers = ["Private :: Do Not Upload"].Note that we cannot handle e.g. a GitLab repository that is set to public accidentally. It falls into the domain of registry vendors to have guardrails (e.g. private-by-default registries when the status of the source is unknown)