Python
/
uv
mirror of https://github.com/astral-sh/uv
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,811 Commits 566 Branches 239 Tags 199 MiB
Commit Graph

1518 Commits

Author SHA1 Message Date
konsti 82c4772e89
Move unnamed requirements to their own pep508_rs module and requirements-txt (#3186) 
Another refactoring in preparation of using a richer requirements type.
No functional changes, only moves code around
 2024-04-22 14:02:39 +00:00
konsti f29c991e21
Dedicated error type for direct url parsing (#3181) 
Add a dedicated error type for direct url parsing. This change is broken
out from the new uv requirement type, which uses direct url parsing
internally.
 2024-04-22 11:57:36 +00:00
Grzegorz Bokota 7efd13ca33
Add UV_CONSTRAINT environment variable to provide value for `--constraint` (#3162) 
## Summary

This PR is adding `UV_CONSTRAINT` environment variable as analogous to
`PIP_CONSTRAINT` to allow providing constraint file via environment
variable. Implementing this will simplify adoption of uv in testing
procedure in projects that I'm involved (testing using tox).

This was my motivation for opening #1841 that is closed in favor of
#1789 which was closed without implementing this feature.

In this implementation, I have used space as a separator as analogous to
`pip`. This introduces an obvious problem if the path contains space.
Another option could be to use standard separator (`:` - UNIX like, `;`
- Windows). Which one did you prefer?

## Test Plan

It is my first contribution and first rust coding experience. It will be
nice if one could point how I should implement testing this.
 2024-04-20 17:32:28 -04:00
Charlie Marsh bf1036832f
Fix `venvlauncher.exe` reference in venv creation (#3160) 
I can't get this to reproduce on GitHub Actions -- maybe the builds
there differ, or maybe the builds changed since we added this fix? I'll
check locally, but regardless, this is a typo.

Closes #3158.
 2024-04-20 14:16:47 +00:00
Charlie Marsh b4ee7d7359
Bump version to v0.1.35 (#3153) 2024-04-19 19:58:15 -04:00
Charlie Marsh 4a98839c1d
Move argument normalization into settings construction (#3103) 
## Summary

No behavior changes, but the idea here is that we move the argument
normalization code (e.g., create an `Upgrade` struct from `--upgrade`
and `--upgrade-package`) into the `settings.rs` file, where we build the
common settings structs.

This reduces a lot of the logic and duplication across commands in
`main.rs`.
 2024-04-19 23:45:08 +00:00
Charlie Marsh fda378fd29
Avoid preferring constrained over unconstrained packages (#3148) 
## Summary

pip prefers somewhat-constrained over unconstrained packages... but only
if they're at equal depths in the tree. We don't have a way to track the
latter property yet (I've added a TODO), so for now, we should remove
this constraint -- it seems to be counter-productive.

I've filed https://github.com/astral-sh/uv/issues/3149 as a follow-up.

Closes https://github.com/astral-sh/uv/issues/3143

## Test Plan

- `git clone https://github.com/drivendataorg/zamba.git`
- `cat "-e .[tests]" > req.in`
- `cargo run venv && cargo run pip compile req.in --refresh -n
--python-platform linux --python-version 3.8`
 2024-04-19 23:30:08 +00:00
Charlie Marsh 70b6bde254
Add `--python-platform` to configuration (#3147) 
## Summary

Just for consistency with `--python-version`.
 2024-04-19 23:08:03 +00:00
Charlie Marsh 5e4e2fa0bf
Rename `--platform` to `--python-platform` (#3146) 
## Summary

`--platform` is a flag that exists in `pip` and it has a different
meaning. (Not breaking as this hasn't been released yet anyway.)
 2024-04-19 22:24:23 +00:00
Zanie Blue 4046b2bcfa
Allow `uv run` to execute Python scripts directly (#3110) 
e.g. `uv run foo.py` implies `python foo.py`

Future work includes #3096
 2024-04-19 21:29:57 +00:00
Zanie Blue 91e32fec6f
Bump `astral-test` commit snapshots (#3145) 
I added distributions to these projects so the commit changed.

We could pin but we want to test for resolution... so we don't. These
are pretty static so this should be rare.
 2024-04-19 21:20:34 +00:00
Charlie Marsh 9f2bc19eaf
Enforce HTTP timeouts on a per-read (rather than per-request) basis (#3144) 
## Summary

This leverages the new `read_timeout` property, which ensures that (like
pip) our timeout is not applied to the _entire_ request, but rather, to
each individual read operation.

Closes: #1921.

See: #1912.
 2024-04-19 16:49:53 -04:00
Zanie Blue 31765c05bd
Default to `python` when `uv run` does not recieve a command (#3109) 
This means that a bare `uv run` invocation drops you into a REPL.

This behavior is internally controversial, and may best be served by a
dedicated `uv repl` command. I would imagine it's important to fail if
no command is given in _some_ circumstances, but those may be resolved
by _not_ doing this if we do not detect a TTY.

Regardless, I'm interested in giving this a try for a bit during this
experimental phase.
 2024-04-19 15:15:38 +00:00
Zanie Blue 9bcc1943cc
Allow workspace requirements to be ignored during `uv run` (#3108) 2024-04-19 14:52:04 +00:00
Zanie Blue 01a7b7a088
Read base requirements from `pyproject.toml` in `uv run` (#3101) 
In addition to the requested requirements, we include requirements from
a `pyproject.toml` file if it exists and install the current directory.

Closes https://github.com/astral-sh/uv/issues/3104
 2024-04-19 14:36:03 +00:00
Zanie Blue becb12642a
Add `uv run --with <pkg>` to run a command with ephemeral requirements (#3077) 
Holy cow does installation / resolution take a ton of options. We
side-step most of them here.

If the current environment satisfies the requirements, it is used.
Otherwise, we create a new environment with the requested dependencies.
 2024-04-19 09:23:26 -05:00
Jack Cherng 7a163ba9f1
Fix `uv pip compile` with `UV_SYSTEM_PYTHON=1` (#3136) 
## Summary

Following up 

- https://github.com/astral-sh/uv/pull/3113
- https://github.com/astral-sh/uv/pull/3115

It looks like `uv pip compile` command with `UV_SYSTEM_PYTHON` is missed
because these two PRs are close in time. And thus resulting in


```bash
$ uv --version
uv 0.1.34 (9259eceeb 2024-04-19)
$ UV_SYSTEM_PYTHON=1 uv pip compile --upgrade requirements.in -o requirements.txt
error: invalid value '1' for '--system'
  [possible values: true, false]

For more information, try '--help'.
```

Signed-off-by: Jack Cherng <jfcherng@gmail.com>
 2024-04-19 08:48:55 -04:00
Charlie Marsh 93559d5c2a
Add a `--platform` argument to enable resolving against a target platform (#3111) 
## Summary

I've wanted to try this for a long time, so decided to give it a shot.
The basic idea is that you can provide a target triple (e.g.,
`--platform x86_64-pc-windows-msvc`) and resolve against that platform,
rather than the currently-running platform. It's functionally similar to
`--python-version`, though a bit simpler since there's no need to engage
with `Requires-Python`.

Our infrastructure is well-setup for this and so, in the end, it's
actually pretty straightforward: for each triple, we just need to
override the markers and platform tags.
 2024-04-18 22:57:41 -04:00
Charlie Marsh 9259eceebc
Bump version to v0.1.34 (#3134) 2024-04-19 02:15:04 +00:00
Charlie Marsh a241bc79b1
Add priorities for editables (#3133) 
## Summary

We weren't setting a priority for editables, so they were being visited
last.

I think there's still a problem whereby we're not aggressive enough in
visiting recursive extras (and, in fact, that's making it really hard to
write a test -- I wrote a test, but the most-reduced case still fails,
and I'd need to add a layer of indirection to make it
fail-on-main-but-pass-on-this-branch), but that problem likely already
existed on main prior to #3087, so I just want to get this quick fix out
now.

Closes https://github.com/astral-sh/uv/issues/3127.

## Test Plan

- `git clone https://github.com/cda-tum/mqt-core.git`
- `cargo run venv`
- `cargo run pip install 'scikit-build-core[pyproject]>=0.8.1'
'setuptools_scm>=7' 'pybind11>=2.12' --resolution=lowest-direct`
- `cargo run pip install --no-build-isolation
'-ve.[test,qiskit,evaluation,coverage]' --resolution=lowest-direct`
 2024-04-19 02:04:58 +00:00
Charlie Marsh 2e88bb6f1b
Add a proxy layer for extras (#3100) 
Given requirements like:

```
black==23.1.0
black[colorama]
```

The resolver will (on `main`) add a dependency on Black, and then try to
use the most recent version of Black to satisfy `black[colorama]`. For
sake of example, assume `black==24.0.0` is the most recent version. Once
the selects this most recent version, it'll fetch the metadata, then
return the dependencies for `black==24.0.0` with the `colorama` extra
enabled. Finally, it will tack on `black==24.0.0` (a dependency on the
base package). The resolver will then detect a conflict between
`black==23.1.0` and `black==24.0.0`, and throw out
`black[colorama]==24.0.0`, trying to next most-recent version.

This is both wasteful and can cause problems, since we're fetching
metadata for versions that will _never_ satisfy the resolver. In the
`apache-airflow[all]` case, I also ran into an issue whereby we were
attempting to build very old versions of `apache-airflow` due to
`apache-airflow[pandas]`, which in turn led to resolution failures.

The solution proposed here is that we create a new proxy package with
exactly two dependencies: one on `black` and one of `black[colorama]`.
Both of these packages must be at the same version as the proxy package,
so the resolver knows much _earlier_ that (in the above example) the
extra variant _must_ match `23.1.0`.
 2024-04-19 01:04:59 +00:00
Zanie Blue 822ae19879
Restore seeding of authentication cache from index URLs (#3124) 
Roughly reverts
f7820ceaa7
to reduce possible race conditions for pre-authenticated index URLs

Part of:

- https://github.com/astral-sh/uv/issues/3123
- https://github.com/astral-sh/uv/issues/3122
 2024-04-18 19:48:21 -05:00
Charlie Marsh 5ca5d7da67
Add test for avoiding irrelevant extras (#3107) 
## Summary

This PR adds a test that currently leads to an error, but should
successfully resolve as of https://github.com/astral-sh/uv/pull/3100.

The core idea is that if we have a pinned package, we shouldn't try to
build other versions of that package if we have an unconstrained variant
with an extra.
 2024-04-19 00:47:27 +00:00
Charlie Marsh 3c9d925531
Avoid treating localhost URLs as local file paths (#3132) 
## Summary

Closes https://github.com/astral-sh/uv/issues/3128.

## Test Plan

- `python -m http.server`
- `cargo run pip install
"http://localhost:8000/werkzeug-3.0.2-py3-none-any.whl"`
- `cargo run pip install
"http://localhost:8000/werkzeug-3.0.2-py3-none-any.whl"`
 2024-04-19 00:37:33 +00:00
Charlie Marsh 0ce039d1f9
Remove `Option<bool>` for `--no-cache` (#3129) 
## Summary

This was unintended. We ended up reverting `Option<bool>` everywhere,
but I missed this once since it's in a separate file.

(If you use `Option<bool>`, Clap requires a value, like `--no-cache
true`.)

## Test Plan

`cargo run pip install flask --no-cache`
 2024-04-18 22:56:46 +00:00
Charlie Marsh 822e3dc0c5
Add `UV_REQUIRE_HASHES` environment variable (#3125) 
Closes https://github.com/astral-sh/uv/issues/3117.
 2024-04-18 21:07:08 +00:00
konsti c9eefc0833
Reset default `-v` level to debug (#3120) 
Fixup from
https://github.com/astral-sh/uv/pull/2815/files#diff-9b6f8f13cfc3c9d7ef554182fa52c7466fa6037da54a97c03855b6068b481848L127-R127
 2024-04-18 13:34:04 +00:00
Charlie Marsh 7688f464c8
Allow `--python` and `--system` on `pip compile` (#3115) 
## Summary

I think these are useful to have for consistency, though the `--system`
variant requires some new threading.

Closes: https://github.com/astral-sh/uv/issues/2242.
 2024-04-18 04:55:49 +00:00
Charlie Marsh 37aefbd199
Use `BoolishValueParser` for boolean environment variables (#3113) 
## Summary

Right now, we only accept _exactly `UV_NATIVE_TLS=true` and
`UV_NATIVE_TLS=false`. `BoolishValueParser` accepts a wider range of
values:

```rust
/// True values are `y`, `yes`, `t`, `true`, `on`, and `1`.
pub(crate) const TRUE_LITERALS: [&str; 6] = ["y", "yes", "t", "true", "on", "1"];

/// False values are `n`, `no`, `f`, `false`, `off`, and `0`.
pub(crate) const FALSE_LITERALS: [&str; 6] = ["n", "no", "f", "false", "off", "0"];
```

I tend to use `0` and `1` personally so this surprised me.
 2024-04-18 00:37:38 -04:00
Chan Kang 8c7d0a31e6
Hide password in the index printed via `--emit-index-annotation` (#3112) 
## Summary

resolves https://github.com/astral-sh/uv/issues/3106

## Test Plan

added a simple test where the password provided in `UV_INDEX_URL` is
hidden in the output as expected.
 2024-04-18 03:59:44 +00:00
Zanie Blue 01532d98c4
Add integration test coverage for netrc authentication (#3068) 
Closes https://github.com/astral-sh/uv/issues/2465
 2024-04-17 14:05:24 -05:00
Charlie Marsh aea8b0ae6c
Rename `--compile` to `--compile-bytecode` (#3102) 
## Summary

With an alias for backwards compatibility. It's clearer and matches the
setting in the TOML configuration (where `compile` was deemed too
vague).
 2024-04-17 15:05:10 -04:00
Charlie Marsh 67d879dcad
Add integration tests for configuration discovery (#3082) 2024-04-17 18:21:44 +00:00
Charlie Marsh f846fdc2b9
Add negation flags to the CLI (#3050) 
## Summary

Now that we can pick up configuration values from persistent files, we
need to enable users to _disable_ those values from the CLI. For
example, if a user has `emit_index_url = true` in the configuration
file, they should be able to do `--no-emit-index-url` on the
command-line. This PR adds support for such negations, following the
same patterns we use in Ruff.
 2024-04-17 14:16:09 -04:00
Charlie Marsh dfccdb0e39
Enable global configuration files (#3049) 
## Summary

Enables `uv` to read configuration from (e.g.)
`/Users/crmarsh/.config/uv/uv.toml` on macOS and Linux, and
`C:\Users\Charlie\AppData\Roaming\uv\uv.toml` on Windows.

This differs slightly from Ruff, which uses the `Application Support`
directory on macOS. But I've deviated here. based on the preferences
expressed in https://github.com/astral-sh/ruff/issues/10739.
 2024-04-17 13:59:50 -04:00
Charlie Marsh c6e75f8b35
Add `--config-file` support (#3047) 
## Summary

Users can now pass a config file on the command line, e.g., with
`--config-file /path/to/file.py`.
 2024-04-17 17:32:29 +00:00
Charlie Marsh 7fb2bf816f
Add JSON Schema support (#3046) 
## Summary

This PR adds JSON Schema support. The setup mirrors Ruff's own.
 2024-04-17 17:24:41 +00:00
Zanie Blue 7c5b13c412
Add integration test coverage for keyring authentication (#3067) 
Closes https://github.com/astral-sh/uv/issues/2464
 2024-04-17 12:23:26 -05:00
Charlie Marsh e5d4ea55ca
Merge workspace settings with CLI settings (#3045) 
## Summary

This PR adds the structs and logic necessary to respect settings from
the workspace. It's a ton of code, but it's mostly mechanical. And,
believe it or not, I pulled out a few refactors in advance to trim down
the code and complexity.

The highlights are:

- All CLI arguments are now `Option`, so that we can detect whether they
were provided (i.e., we can't let Clap fill in the defaults).
- We now have a `*Settings` struct for each command, which merges the
CLI and workspace options (e.g., `PipCompileSettings`).

I've only implemented `PipCompileSettings` for now. If approved, I'll
implement the others prior to merging, but it's very mechanical and I
both didn't want to do the conversion prior to receiving feedback _and_
realized it would make the PR harder to review.
 2024-04-17 17:03:29 +00:00
Zanie Blue dcc2c6865c
Create ephemeral virtual environments for `uv run` (#3075) 
If a virtual environment does not exist, we will create one for the
duration of the invocation.

Adds an `--isolated` flag to force this behavior (ignoring an existing
virtual environment).
 2024-04-17 16:32:04 +00:00
Zanie Blue f7b83e9e83
Add `uv run` command (#3074) 
Adds `uv run` which executes a command in your current virtual
environment.

This is a simple first milestone, lots of remaining work and behavior.
The command is hidden.
 2024-04-17 11:20:43 -05:00
Zanie Blue 2cee7525c7
Bump version to 0.1.33 (#3094) 2024-04-17 10:34:13 -05:00
Charlie Marsh b456fa2939
Incorporate heuristics to improve package prioritization (#3087) 
See: https://github.com/astral-sh/uv/issues/3078
 2024-04-17 14:21:42 +00:00
Charlie Marsh 5be47f698e
Un-hide `--require-hashes` CLI argument (#3093) 
## Summary

An oversight from the release.
 2024-04-17 13:48:45 +00:00
Charlie Marsh d6f9ea9d54
Skip configuration loading while unused (#3092) 
## Summary

No benefit to doing this until it actually ships.
 2024-04-17 13:46:08 +00:00
konsti d1b07a3f49
Log versions tried from batch prefetch (#3090) 
This is required for evaluating #3087.

This also removes tracking of virtual packages from extras from the
batch prefetcher (we only track real packages).

Let's look at some stats:
* jupyter: Tried 100 versions: anyio 1, argon2-cffi 1,
argon2-cffi-bindings 1, arrow 1, asttokens 1, async-lru 1, attrs 1,
babel 1, beautifulsoup4 1, bleach 1, certifi 1, cffi 1,
charset-normalizer 1, comm 1, debugpy 1, decorator 1, defusedxml 1,
exceptiongroup 1, executing 1, fastjsonschema 1, fqdn 1, h11 1, httpcore
1, httpx 1, idna 1, ipykernel 1, ipython 1, ipywidgets 1, isoduration 1,
jedi 1, jinja2 1, json5 1, jsonpointer 1, jsonschema 1,
jsonschema-specifications 1, jupyter 1, jupyter-client 1,
jupyter-console 1, jupyter-core 1, jupyter-events 1, jupyter-lsp 1,
jupyter-server 1, jupyter-server-terminals 1, jupyterlab 1,
jupyterlab-pygments 1, jupyterlab-server 1, jupyterlab-widgets 1,
markupsafe 1, matplotlib-inline 1, mistune 1, nbclient 1, nbconvert 1,
nbformat 1, nest-asyncio 1, notebook 1, notebook-shim 1, overrides 1,
packaging 1, pandocfilters 1, parso 1, pexpect 1, platformdirs 1,
prometheus-client 1, prompt-toolkit 1, psutil 1, ptyprocess 1, pure-eval
1, pycparser 1, pygments 1, python-dateutil 1, python-json-logger 1,
pyyaml 1, pyzmq 1, qtconsole 1, qtpy 1, referencing 1, requests 1,
rfc3339-validator 1, rfc3986-validator 1, root 1, rpds-py 1, send2trash
1, six 1, sniffio 1, soupsieve 1, stack-data 1, terminado 1, tinycss2 1,
tomli 1, tornado 1, traitlets 1, types-python-dateutil 1,
typing-extensions 1, uri-template 1, urllib3 1, wcwidth 1, webcolors 1,
webencodings 1, websocket-client 1, widgetsnbextension 1
* boto3: botocore 1697, boto3 849, urllib3 2, jmespath 1,
python-dateutil 1, root 1, s3transfer 1, six 1
* transformers-extras: Tried 1191 versions: sagemaker 152, hypothesis
67, tensorflow 21, jsonschema 19, tensorflow-cpu 18, multiprocess 10,
pathos 10, tensorflow-text 10, chex 8, tf-keras 8, tf2onnx 8, aiohttp 6,
aiosignal 6, alembic 6, annotated-types 6, apscheduler 6, attrs 6,
backoff 6, binaryornot 6, black 6, boto3 6, click 6, coloredlogs 6,
colorlog 6, dash 6, dash-bootstrap-components 6, dlinfo 6,
exceptiongroup 6, execnet 6, fire 6, frozenlist 6, gitdb 6, google-auth
6, google-auth-oauthlib 6, hjson 6, iniconfig 6, jinja2-time 6, markdown
6, markdown-it-py 6, markupsafe 6, mpmath 6, namex 6, nbformat 6, ninja
6, nvidia-nvjitlink-cu12 6, onnxconverter-common 6, pandas 6, plac 6,
platformdirs 6, pluggy 6, portalocker 6, poyo 6, protobuf3-to-dict 6,
py-cpuinfo 6, py3nvml 6, pyarrow 6, pyarrow-hotfix 6, pydantic-core 6,
pygments 6, pynvml 6, pypng 6, python-slugify 6, responses 6,
smdebug-rulesconfig 6, soupsieve 6, sqlalchemy 6,
tensorboard-data-server 6, tensorboard-plugin-wit 6, tensorboardx 6,
threadpoolctl 6, tomli 6, wasabi 6, wcwidth 6, werkzeug 6, wheel 6,
xxhash 6, zipp 6, etils 5, tensorboard 5, beautifulsoup4 4, cffi 4,
clldutils 4, codecarbon 4, datasets 4, dill 4, evaluate 4, gitpython 4,
hf-doc-builder 4, kenlm 4, librosa 4, llvmlite 4, nest-asyncio 4, nltk
4, optuna 4, parameterized 4, phonemizer 4, psutil 4, pyctcdecode 4,
pytest 4, pytest-timeout 4, pytest-xdist 4, ray 4, rjieba 4, rouge-score
4, ruff 4, sacrebleu 4, sacremoses 4, sigopt 4, sortedcontainers 4,
tensorstore 4, timeout-decorator 4, toolz 4, torchaudio 4, accelerate 3,
audioread 3, cookiecutter 3, decorator 3, deepspeed 3, faiss-cpu 3, flax
3, fugashi 3, ipadic 3, isort 3, jax 3, jaxlib 3, joblib 3, keras-nlp 3,
lazy-loader 3, numba 3, optax 3, pooch 3, pydantic 3, pygtrie 3, rhoknp
3, scikit-learn 3, segments 3, soundfile 3, soxr 3, sudachidict-core 3,
sudachipy 3, torch 3, unidic 3, unidic-lite 3, urllib3 3, absl-py 2,
arrow 2, astunparse 2, async-timeout 2, botocore 2, cachetools 2,
certifi 2, chardet 2, charset-normalizer 2, csvw 2, dash-core-components
2, dash-html-components 2, dash-table 2, diffusers 2, dm-tree 2,
fastjsonschema 2, flask 2, flatbuffers 2, fsspec 2, ftfy 2, gast 2,
google-pasta 2, greenlet 2, grpcio 2, h5py 2, humanfriendly 2, idna 2,
importlib-metadata 2, importlib-resources 2, jinja2 2, jmespath 2,
jupyter-core 2, kagglehub 2, keras 2, keras-core 2, keras-preprocessing
2, libclang 2, mako 2, mdurl 2, ml-dtypes 2, msgpack 2, multidict 2,
mypy-extensions 2, networkx 2, nvidia-cublas-cu12 2,
nvidia-cuda-cupti-cu12 2, nvidia-cuda-nvrtc-cu12 2,
nvidia-cuda-runtime-cu12 2, nvidia-cudnn-cu12 2, nvidia-cufft-cu12 2,
nvidia-curand-cu12 2, nvidia-cusolver-cu12 2, nvidia-cusparse-cu12 2,
nvidia-nccl-cu12 2, nvidia-nvtx-cu12 2, onnx 2, onnxruntime 2,
onnxruntime-tools 2, opencv-python 2, opt-einsum 2, orbax-checkpoint 2,
pathspec 2, plotly 2, pox 2, ppft 2, pyasn1-modules 2, pycparser 2,
pyrsistent 2, python-dateutil 2, pytz 2, requests-oauthlib 2, retrying
2, rich 2, rsa 2, s3transfer 2, scipy 2, setuptools 2, six 2, smmap 2,
sympy 2, tabulate 2, tensorflow-estimator 2, tensorflow-hub 2,
tensorflow-io-gcs-filesystem 2, termcolor 2, text-unidecode 2, traitlets
2, triton 2, typing-extensions 2, tzdata 2, tzlocal 2, wrapt 2,
xmltodict 2, yarl 2, Python 1, av 1, babel 1, bibtexparser 1, blinker 1,
colorama 1, decord 1, filelock 1, huggingface-hub 1, isodate 1,
itsdangerous 1, language-tags 1, lxml 1, numpy 1, oauthlib 1, packaging
1, pillow 1, protobuf 1, pyasn1 1, pylatexenc 1, pyparsing 1, pyyaml 1,
rdflib 1, regex 1, requests 1, rfc3986 1, root 1, safetensors 1,
sentencepiece 1, tenacity 1, timm 1, tokenizers 1, torchvision 1, tqdm
1, transformers 1, types-python-dateutil 1, uritemplate 1


You can reproduce them with python 3.10 and:
```
RUST_LOG=uv_resolver=debug cargo run pip compile -o /dev/null -q scripts/requirements/<input>.in 2>&1 | tail -n 1
```

Closes #2270 - This is less invasive compared to the other PR, we can
revisit number of network/build request tracking later.
 2024-04-17 09:08:21 +00:00
Charlie Marsh 64b545d954
Avoid `#[clap]` macro (#3085) 
## Summary

I can't find a source for this beyond
https://users.rust-lang.org/t/clap-derive-helper-attribute-question/101228,
but apparently `#[arg]` and friends are newer and recommended. (They're
also used in the examples in the docs.)
 2024-04-17 02:07:27 +00:00
Charlie Marsh b1cb193d12
Add some tracing to workspace discovery (#3084) 2024-04-17 01:54:08 +00:00
Charlie Marsh f9c4ca3473
Fix reference to `pyproject.toml` path in workspace discovery (#3083) 
This is why we write tests 😂
 2024-04-17 01:41:00 +00:00
Charlie Marsh b3f98d5e05
Use kebab-case for serde enums (#3080) 
By default, these serialize as (e.g.) `LowestDirect`. This now matches
the format we use in Ruff.
 2024-04-17 01:13:39 +00:00
Charlie Marsh 40d5a8adcf
Flatten settings into a single struct (#3079) 
## Summary

This division proved to be not-so-useful in subsequent PRs.
 2024-04-17 00:15:09 +00:00
Charlie Marsh dd09de2d70
Add filter for install_registry_source_dist_cached on Gentoo (#3071) 
Closes https://github.com/astral-sh/uv/issues/3051.
 2024-04-16 15:07:48 -04:00
Paul Moore 8e37625005
Allow passing a venv to `uv pip --python` (#3064) 
Fixes https://github.com/astral-sh/uv/issues/3060

## Summary

Allows passing a virtual environment (the path to the directory, rather
than the path to the Python interpreter within the directory) to the
`--python` option of the `uv pip` command.

## Test Plan

Tested manually to confirm that the expected new functionality works.
The test suite still passes after this change.

I don't know how to add tests for a new feature like this. I would be
happy to do so if someone can give me some pointers on how to do it.
 2024-04-16 18:39:37 +00:00
Sergey Kolosov d2551bb2bd
Add support for .tar.bz2 source distributions (#3069) 
## Summary

Source distributions in the .tar.bz2 format are still relatively common
within the existing code-bases, namely, the most common examples are the
Twisted source distributions up to the version 20.3.0. As quite so often
the ability to upgrade Twisted to a more recent version is not available
for a given project, we add the support for .tar.bz2 here to still allow
`uv` to be a drop-in replacement for `pip` in these projects.

## Test Plan

The feature was tested both by adding the corresponding test coverage,
and by directly installing a package of interest under a Python version
that doesn't have the corresponding wheel:

```sh
cargo run venv -p python3.8
cargo run pip install Twisted==20.3.0 --no-cache
```

The `--no-cache` argument in the example above serves the purpose of
cleaning the cached information regarding the unsatisfiability of the
requirements, as it may have been cached during some previous attempt to
install this package by `uv` version that didn't implement this feature
yet.
 2024-04-16 18:34:55 +00:00
Charlie Marsh e78bbb8f6a
Remove invalid `serde` reference in `uv-configuration` (#3072) 2024-04-16 18:27:18 +00:00
elbaro ab74263cbc
Skip HEAD requests for Pypicloud with Private S3 (#3070) 2024-04-16 18:25:35 +00:00
Charlie Marsh 295b58ad37
Add `uv-workspace` crate with settings discovery and deserialization (#3007) 
## Summary

This PR adds basic struct definitions along with a "workspace" concept
for discovering settings. (The "workspace" terminology is used to match
Ruff; I did not invent it.)

A few notes:

- We discover any `pyproject.toml` or `uv.toml` file in any parent
directory of the current working directory. (We could adjust this to
look at the directories of the input files.)
- We don't actually do anything with the configuration yet; but those
PRs are large and I want this to be reviewed in isolation.
 2024-04-16 13:56:47 -04:00
Zanie Blue c0efeeddf6
Rewrite `uv-auth` (#2976) 
Closes 

- #2822 
- https://github.com/astral-sh/uv/issues/2563 (via #2984)

Partially address:

- https://github.com/astral-sh/uv/issues/2465
- https://github.com/astral-sh/uv/issues/2464

Supersedes:

- https://github.com/astral-sh/uv/pull/2947
- https://github.com/astral-sh/uv/pull/2570 (via #2984)

Some significant refactors to the whole `uv-auth` crate:

- Improving the API
- Adding test coverage
- Fixing handling of URL-encoded passwords
- Fixing keyring authentication
- Updated middleware (see #2984 for more)
 2024-04-16 11:48:37 -05:00
Alvise Vianello 193704f98b
Add compatibility arguments for pip list (#3055) 
Hello! This is my first PR so do not hesitate to let me know if anything
should be done differently 🙌🏽

## Summary

This PR starts adding useful error messages and warnings when people
pass redundant or unsupported arguments to `pip list`.

For now, I've just covered `pip list --outdated`, which is currently
unsupported.

Closes https://github.com/astral-sh/uv/issues/2948
 2024-04-16 09:31:01 -04:00
Alex Waygood 66e420f34b
Enable auto-wrapping of `--help` output (#3058) 
## Summary

Fixes #3057

On `main`, with a narrow terminal:

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/2453dcbc-739c-4174-ba2e-029cff3227a2)

  </details>

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/02553e90-fe35-4828-b50f-71f926a1e347)

  </details>

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/b33eac26-f2fe-4328-8aa0-c51235b7c4c3)

  </details>

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/e731f647-3519-4c54-ab33-b42500faf544)

  </details>

With PR:

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/0f1aaec0-960a-4060-95ba-f49bec2f6995)

  </details>

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/b8078125-bd57-41a9-9c09-1966c8971c92)

  </details>

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/c2f38eb0-5f67-46ee-8a09-47da9e9ce0a5)

  </details>

- <details>


![image](https://github.com/astral-sh/uv/assets/66076021/31b9fdca-938a-47ca-96ba-751d987c269e)

  </details>

## Test Plan

See screenshots in the summary
 2024-04-16 08:54:40 -04:00
konsti 88d6a55dbf
Show package name in no version for direct dependency error (#3056) 
Fixes #3053
 2024-04-16 07:57:13 +00:00
Ben Beasley 2d95ca4b83
Make the junction crate dependency Windows-only (#3043) 
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

<!-- What's the purpose of the change? What does it do, and why? -->

Since the [`junction` crate](https://crates.io/crates/junction)
implements Windows-only functionality, and since the only place it is
used is guarded by `#[cfg(windows)]`,


1f626bfc73/crates/uv-fs/src/lib.rs (L65-L86)

it makes sense not to depend on this crate at all on non-Windows
platforms.

If nothing else, this makes Linux distribution packagers’ lives just a
*tiny* bit easier.

## Test Plan

<!-- How was it tested? -->

On Fedora Linux 39:

```
# To avoid an error when /tmp and the working directory are on different filesystems:
$ mkdir _tmp
$ TMPDIR="${PWD}/tmp" cargo run -p uv-dev -- fetch-python
$ cargo test
```

I don’t have access to a Windows system.
 2024-04-15 16:01:24 -05:00
Charlie Marsh f6b1580d8b
Move global CLI flags into separate struct (#3042) 
## Summary

No change in behavior; this separation just makes things easier later
for merging persistent configuration with the CLI.
 2024-04-15 20:29:53 +00:00
Charlie Marsh 1f626bfc73
Move `ExcludeNewer` into its own type (#3041) 
## Summary

This makes it easier to add (e.g.) JSON Schema derivations to the type.

If we have support for other dates in the future, we can generalize it
to a `UserDate` or similar.
 2024-04-15 20:24:08 +00:00
Zanie Blue 37a43f4b48
Bump version to 0.1.32 (#3039) 
Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
 2024-04-15 15:16:47 -05:00
konsti dd55995768
Force color for build error messages (#3032) 
Since we're using anstream's strip stream, we can force color output
from child processes and strip them when we redirect to a file

Before:


![image](https://github.com/astral-sh/uv/assets/6826232/ce8aafe9-687c-4c4a-970a-22abd660bc71)

After:


![image](https://github.com/astral-sh/uv/assets/6826232/bacedf1c-2462-4947-bd2f-393476a8031b)

Redirecting to a file correctly strips color codes.
 2024-04-15 18:12:54 +02:00
konsti eded6c9fae
Use link mode for builds, in `uv pip compile` and for `uv venv` seed packages (#3016) 
Use the user specified link mode for temporary build venvs, too. It
seems consistent to respect the user's link mode for all installations
we perform
 2024-04-15 08:49:41 +00:00
Jos van de Wolfshaar 3103180ce5
Avoid cache invalidation on credentials renewal (#3010) 
# Avoid cache invalidation on credentials renewal

Addresses

- https://github.com/astral-sh/uv/issues/3009#issue-2239221126

## Summary

Some private package registries (e.g. AWS CodeArtifact) use short-lived
credentials. Since they are short-lived, the exact URL that is assigned
to `UV_INDEX_URL` changes frequently and with that the cache key /
hashes of these URLs. This causes the cache to be missed on token
renewal.

This PR attempts to fix this by hashing URLs for cache keys without
their user credentials.

## Test Plan

I added a test that validates that:
1. Changing user credentials returns the same hash
2. Setting no user credentials yields the same as some user credentials

## Question
I'm not sure if we should also change the `hash` implementation of
`CanonicalUrl` / `RepositoryUrl`. They also run `.hash` within.

PS. this is the first time I'm writing `rust` so if I'm wasting your
precious time, let me know and I'll try to up my skills before I ask
again. Anyway, I figured it's good to get this issue on your radar :)
 2024-04-13 23:38:24 +00:00
Charlie Marsh ab9cc78b7a
Deduplicate symbolic links between `purelib` and `platlib` (#3002) 
## Summary

This PR adds system install tests to verify the behavior described in
#2798. It turns out this behavior _also_ affects Fedora and Amazon
Linux, we just didn't have the right conditions enabled (specifically,
you need to create the virtualenv with `python -m venv` to get these
symlinks), so the test suite was expanded to capture that.

The issue itself is also fixed by way of deduplicating the
`site-packages` entries.

Closes: https://github.com/astral-sh/uv/issues/2798
 2024-04-12 17:08:56 -04:00
Charlie Marsh 3ae35adc8e
Allow comments after all requirements.txt entries (#3018) 
## Summary

I'm surprised we haven't hit this before, but apparently we don't allow
comments after `--index-url`, `-e` entries, etc., in the
requirements.txt parser.

Closes #3011.

## Test Plan

`cargo test`
 2024-04-12 15:56:57 -04:00
Charlie Marsh a95a8c881c
Remove some Clap-level conflicts in argument groups (#3001) 
## Summary

It turns out that if you have an environment variable set, Clap will
consider that equivalent to passing the flag, even if it's set to (e.g.)
something falsy or the default value.

So, e.g., this fails:

```shell
UV_SYSTEM=false uv pip install --python ./.venv/bin/python flask
```

Worse, this fails, because it thinks `--no-index` and `--index-url` are
conflicting:

```shell
export UV_INDEX_URL=https://google.com
uv pip install flask --no-index
```

This PR removes some of the conflicts, namely those related to
environment variables, such that:

- You _can_ pass mixes of `--no-index`, `--index-url`, etc. If
`--no-index` is provided, all the index URLs will be ignored (but we
won't error).
- Passing `--pre` will always enable prereleases, even if `--prerelease`
is also provided. (We could warn here, although honestly it's not
trivial because we'd need to make `--prerelease` take an optional, then
we'd lose the default argument from the `--help`.)
- You _can_ pass `--system` and `--python`. If `--python` is provided,
we use that, and ignore `--system`. (We could warn here.)

I guess the underlying problem here is that we can't differentiate
between arguments passed on the CLI and those set as environment
variables. But making bigger changes here seems out-of-scope.

Closes https://github.com/astral-sh/uv/issues/3000.
 2024-04-12 19:51:16 +00:00
Charlie Marsh c43757ad4c
Avoid calling `normalize_path` with relative paths that extend beyond the current directory (#3013) 
## Summary

It turns out that `normalize_path` (sourced from Cargo) has a subtle
bug. If you pass it a relative path that traverses beyond the root, it
silently drops components. So, e.g., passing `../foo/bar`, it will just
drop the leading `..` and return `foo/bar`.

This PR encodes that behavior as a `Result` and avoids using it in such
cases.

Closes https://github.com/astral-sh/uv/issues/3012.
 2024-04-12 14:48:03 -04:00
konsti d2da575c41
Log hardlink failures (#3015) 
Inspired by https://github.com/astral-sh/uv/issues/2964, we now properly
log hardlink failures, e.g. when the cache is a docker container but the
venv is in a bind mount, e.g.:

```
DEBUG Failed to hardlink `/code/venv/uv/lib/python3.12/site-packages/asgiref-3.8.1.dist-info/WHEEL` to `/root/.cache/uv/archive-v0/nnpkKgUoM3LMxcNDmEKJQ/asgiref-3.8.1.dist-info/WHEEL`, attempting to copy files as a fallback
```
 2024-04-12 15:06:38 +00:00
Charlie Marsh f61b97e6ba
Split Clap arguments into separate module (#3008) 
## Summary

I don't know if this is a good change, but `main.rs` is really large.
This just moves all the Clap arguments into their own `cli.rs` module.
 2024-04-12 09:37:51 -04:00
konsti 7f70849e3c
Support freethreading python (#2805) 
freethreaded python reintroduces abiflags since it is incompatible with
regular native modules and abi3.

Tests: None yet! We're lacking cpython 3.13 no-gil builds we can use in
ci.

My test setup:

```
PYTHON_CONFIGURE_OPTS="--enable-shared --disable-gil" pyenv install 3.13.0a5
cargo run -q -- venv -q -p python3.13 .venv3.13 --no-cache-dir && cargo run -q -- pip install -v psutil --no-cache-dir && .venv3.13/bin/python -c "import psutil"
```

Fixes #2429
 2024-04-12 09:39:47 +00:00
Charlie Marsh 3df8df656b
Replace `unwrap` with `?` in hash generation (#3003) 
And add tests to catch it.
 2024-04-12 00:41:08 +00:00
Charlie Marsh 8507ba872f
Remove unnecessary hashing from IDs (#2998) 
## Summary

In all of these ID types, we pass values to `cache_key::digest` prior to
passing to `DistributionId` or `ResourceId`. The `DistributionId` and
`ResourceId` are then hashed later, since they're used as keys in hash
maps.

It seems wasteful to hash the value, then hash the hashed value? So this
PR modifies those structs to be enums that can take one of a fixed set
of types.
 2024-04-11 17:23:37 -04:00
Charlie Marsh a71bd60238
Allow unnamed requirements for overrides (#2999) 
## Summary

This PR lifts a constraint by allowing unnamed requirements in
`overrides.txt` files.
 2024-04-11 17:19:11 -04:00
Charlie Marsh 0d62e62fb7
Make hash-checking failure mode stricter and safer (#2997) 
## Summary

If there are no hashes for a given package, we now return
`Validate(&[])` so that the policy is impossible to satisfy. Previously,
we returned `None`, which is always satisfied.

We don't really ever expect to hit this, because we detect this case in
the resolver and raise a different error. But if we have a bug
somewhere, it's better to fail with an error than silently let the
package through.
 2024-04-11 17:53:34 +00:00
Charlie Marsh 9d5467dc2f
Remove outdated comment on `IndexLocations` (#2996) 
Closes https://github.com/astral-sh/uv/issues/2990.
 2024-04-11 17:31:34 +00:00
Charlie Marsh d03e9f2b8c
Add `UV_BREAK_SYSTEM_PACKAGES` environment variable (#2995) 
## Summary

Requested here: https://github.com/astral-sh/uv/issues/2988. Seems
reasonable to me given that pip supports it and we already have
`UV_SYSTEM_PYTHON`.

Closes https://github.com/astral-sh/uv/issues/2988
 2024-04-11 15:58:00 +00:00
Charlie Marsh 8e5a40e33c
Add additional coverage for `--require-hashes` in `install` (#2994) 2024-04-11 11:42:59 -04:00
Charlie Marsh 96c3c2e774
Support unnamed requirements in `--require-hashes` (#2993) 
## Summary

This PR enables `--require-hashes` with unnamed requirements. The key
change is that `PackageId` becomes `VersionId` (since it refers to a
package at a specific version), and the new `PackageId` consists of
_either_ a package name _or_ a URL. The hashes are keyed by `PackageId`,
so we can generate the `RequiredHashes` before we have names for all
packages, and enforce them throughout.

Closes #2979.
 2024-04-11 11:26:50 -04:00
Charlie Marsh d56d142520
Add a few more `--generate-hashes` cases to compile tests (#2992) 2024-04-11 14:16:05 +00:00
konsti 6e06760591
Silence lint false positive (#2989) 
When running the `uv-client` tests, i would previously get:

```
warning: field `0` is never read
  --> crates/uv-configuration/src/config_settings.rs:43:27
   |
43 | pub struct ConfigSettings(BTreeMap<String, ConfigSettingValue>);
   |            -------------- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   |            |
   |            field in this struct
   |
   = note: `ConfigSettings` has derived impls for the traits `Clone` and `Debug`, but these are intentionally ignored during dead code analysis
   = note: `#[warn(dead_code)]` on by default
help: consider changing the field to be of unit type to suppress this warning while preserving the field numbering, or remove the field
   |
43 | pub struct ConfigSettings(());
   |                           ~~

warning: `uv-configuration` (lib) generated 1 warning
```
 2024-04-11 09:45:50 +00:00
samypr100 7c7f06f62b
feat: convert linehaul tests to use snapshots (#2923) 
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

Closes #2564

## Test Plan

1. Changed existing linehaul tests to leverage insta.
2. Ran tests in various linux distros (Debian, Ubuntu, Centos, Fedora,
Alpine) to ensure they also pass locally again.

---------

Co-authored-by: konstin <konstin@mailbox.org>
 2024-04-11 09:41:09 +00:00
konsti c85c52d4ce
Unify packse find links urls (#2969) 
The sync scenarios script is broken, so i did the updates manually

```
$ ./scripts/sync_scenarios.sh
Setting up a temporary environment...
Using Python 3.12.1 interpreter at: /home/konsti/projects/uv/.venv/bin/python3
Creating virtualenv at: .venv
Activate with: source .venv/bin/activate
  × No solution found when resolving dependencies:
  ╰─▶ Because docutils==0.21.post1 is unusable because the package metadata was inconsistent and you require docutils==0.21.post1, we can conclude that the requirements are unsatisfiable.

      hint: Metadata for docutils==0.21.post1 was inconsistent:
        Package metadata version `0.21` does not match given version `0.21.post1`
```

---------

Co-authored-by: Zanie Blue <contact@zanie.dev>
 2024-04-11 08:35:22 +00:00
Charlie Marsh 5f59e30106
Remove editable field from `RequirementEntry` (#2987) 
## Summary

It turns out this isn't used? We have a separate `EditableRequirement`.
 2024-04-11 04:55:41 +00:00
Charlie Marsh 3dd673677a
Add `--find-links` source distributions to the registry cache (#2986) 
## Summary

Source distributions in `--find-links` are now properly picked up in the
cache.

Closes https://github.com/astral-sh/uv/issues/2978.
 2024-04-11 01:25:58 +00:00
Charlie Marsh 32f129c245
Store IDs rather than paths in the cache (#2985) 
## Summary

Similar to `Revision`, we now store IDs in the `Archive` entires rather
than absolute paths. This makes the cache robust to moves, etc.

Closes https://github.com/astral-sh/uv/issues/2908.
 2024-04-10 21:07:51 -04:00
Charlie Marsh c294c7098f
Remove unnecessary `touch` calls from tests (#2981) 
You only need to `touch` if you don't end up writing to the file.
 2024-04-10 22:00:51 +00:00
Charlie Marsh 5583b90c30
Create dedicated abstractions for `.rev` and `.http` pointers (#2977) 
## Summary

This PR formalizes some of the concepts we use in the cache for
"pointers to things".

In the wheel cache, we have files like
`annotated_types-0.6.0-py3-none-any.http`. This represents an unzipped
wheel, cached alongside an HTTP caching policy. We now have a struct for
this to encapsulate the logic: `HttpArchivePointer`.

Similarly, we have files like `annotated_types-0.6.0-py3-none-any.rev`.
This represents an unzipped local wheel, alongside with a timestamp. We
now have a struct for this to encapsulate the logic:
`LocalArchivePointer`.

We have similar structs for source distributions too.
 2024-04-10 17:30:27 -04:00
Charlie Marsh 006379c50c
Add support for URL requirements in `--generate-hashes` (#2952) 
## Summary

This PR enables hash generation for URL requirements when the user
provides `--generate-hashes` to `pip compile`. While we include the
hashes from the registry already, today, we omit hashes for URLs.

To power hash generation, we introduce a `HashPolicy` abstraction:

```rust
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HashPolicy<'a> {
    /// No hash policy is specified.
    None,
    /// Hashes should be generated (specifically, a SHA-256 hash), but not validated.
    Generate,
    /// Hashes should be validated against a pre-defined list of hashes. If necessary, hashes should
    /// be generated so as to ensure that the archive is valid.
    Validate(&'a [HashDigest]),
}
```

All of the methods on the distribution database now accept this policy,
instead of accepting `&'a [HashDigest]`.

Closes #2378.
 2024-04-10 20:02:45 +00:00
Charlie Marsh 8513d603b4
Return computed hashes from metadata requests (#2951) 
## Summary

This PR modifies the distribution database to return both the
`Metadata23` and the computed hashes when clients request metadata.

No behavior changes, but this will be necessary to power
`--generate-hashes`.
 2024-04-10 19:31:41 +00:00
Charlie Marsh c18551fd3c
Fall back to distributions without hashes in resolver (#2949) 
## Summary

This represents a change to `--require-hashes` in the event that we
don't find a matching hash from the registry. The behavior in this PR is
closer to pip's.

Prior to this PR, if a distribution had no reported hash, or only
mismatched hashes, we would mark it as incompatible. Now, we mark it as
compatible, but we use the hash-agreement as part of the ordering, such
that we prefer any distribution with a matching hash, then any
distribution with no hash, then any distribution with a mismatched hash.

As a result, if an index reports incorrect hashes, but the user provides
the correct one, resolution now succeeds, where it would've failed.

Similarly, if an index omits hashes altogether, but the user provides
the correct one, resolution now succeeds, where it would've failed.

If we end up picking a distribution whose hash ultimately doesn't match,
we'll reject it later, after resolution.
 2024-04-10 19:19:47 +00:00
Charlie Marsh 1f3b5bb093
Add hash-checking support to `install` and `sync` (#2945) 
## Summary

This PR adds support for hash-checking mode in `pip install` and `pip
sync`. It's a large change, both in terms of the size of the diff and
the modifications in behavior, but it's also one that's hard to merge in
pieces (at least, with any test coverage) since it needs to work
end-to-end to be useful and testable.

Here are some of the most important highlights:

- We store hashes in the cache. Where we previously stored pointers to
unzipped wheels in the `archives` directory, we now store pointers with
a set of known hashes. So every pointer to an unzipped wheel also
includes its known hashes.
- By default, we don't compute any hashes. If the user runs with
`--require-hashes`, and the cache doesn't contain those hashes, we
invalidate the cache, redownload the wheel, and compute the hashes as we
go. For users that don't run with `--require-hashes`, there will be no
change in performance. For users that _do_, the only change will be if
they don't run with `--generate-hashes` -- then they may see some
repeated work between resolution and installation, if they use `pip
compile` then `pip sync`.
- Many of the distribution types now include a `hashes` field, like
`CachedDist` and `LocalWheel`.
- Our behavior is similar to pip, in that we enforce hashes when pulling
any remote distributions, and when pulling from our own cache. Like pip,
though, we _don't_ enforce hashes if a distribution is _already_
installed.
- Hash validity is enforced in a few different places:
1. During resolution, we enforce hash validity based on the hashes
reported by the registry. If we need to access a source distribution,
though, we then enforce hash validity at that point too, prior to
running any untrusted code. (This is enforced in the distribution
database.)
2. In the install plan, we _only_ add cached distributions that have
matching hashes. If a cached distribution is missing any hashes, or the
hashes don't match, we don't return them from the install plan.
3. In the downloader, we _only_ return distributions with matching
hashes.
4. The final combination of "things we install" are: (1) the wheels from
the cache, and (2) the downloaded wheels. So this ensures that we never
install any mismatching distributions.
- Like pip, if `--require-hashes` is provided, we require that _all_
distributions are pinned with either `==` or a direct URL. We also
require that _all_ distributions have hashes.

There are a few notable TODOs:

- We don't support hash-checking mode for unnamed requirements. These
should be _somewhat_ rare, though? Since `pip compile` never outputs
unnamed requirements. I can fix this, it's just some additional work.
- We don't automatically enable `--require-hashes` with a hash exists in
the requirements file. We require `--require-hashes`.

Closes #474.

## Test Plan

I'd like to add some tests for registries that report incorrect hashes,
but otherwise: `cargo test`
 2024-04-10 19:09:03 +00:00
Charlie Marsh 715a309dd5
Remove unused `--output-file` from `pip install` (#2975) 
## Summary

This doesn't do anything. I suspect it was a copy-paste error.
 2024-04-10 14:58:34 -04:00
Charlie Marsh ddf02e7d5f
Remove unused `task-local-extensions` dependency (#2974) 
## Summary

Made obsolete with the `reqwest` upgrade.
 2024-04-10 14:56:39 -04:00
Charlie Marsh 48ba7df98a
Move `FlatIndex` into the `uv-resolver` crate (#2972) 
## Summary

This lets us remove circular dependencies (in the future, e.g., #2945)
that arise from `FlatIndex` needing a bunch of resolver-specific
abstractions (like incompatibilities, required hashes, etc.) that aren't
necessary to _fetch_ the flat index entries.
 2024-04-10 14:38:42 -04:00
Charlie Marsh a9d554fa90
Add a `--require-hashes` command-line setting (#2824) 
## Summary

I'll likely only merge this once the PR chain is further along, but this
PR wires up the setting fro the CLI.
 2024-04-10 14:07:03 -04:00