Expand environment variables in user-provided index URLs #5734
Comments
It looks like pip does not support either of these.
Poetry does not support the latter: python-poetry/poetry#208
Rust does not support this but the issue is not closed: rust-lang/cargo#10789
I am not strictly opposed to it but we should get some more opinions (\cc @zanieb @BurntSushi @konstin).
PDM supports this: Store credentials with the index, Local dependencies
Hatch also supports this: Context formatting
I looked around Poetry's documentation and found this: https://python-poetry.org/docs/configuration/#http-basicnameusernamepassword
I know I'm not a maintainer of uv, but I strongly suggest that if environment lookups were added, they be opt-in. I've heard of things going very bad security-wise from environment variables.
Can you share more details or examples please @CoolCat467?
Something like
Cargo has https://doc.rust-lang.org/cargo/reference/config.html#env. Might not be directly related, but there's also https://doc.rust-lang.org/cargo/reference/config.html#credentials.
Related: #5119
Currently, one of the strengths of environment variables is avoiding version control. Most VCSs support masking environment variables from job/log output when expanded. See the GitLab and GitHub docs. They aren't 100% foolproof. I think there's a tradeoff between flexibility and security.
I think I would personally find it very surprising if an environment variable got expanded here. Basically, if I'm running a Unix shell command and I use single quotes, I have a very strong prior that the string is interpreted literally with no interpolation.
👍 on this (including that env vars are maybe not the best solution to this specific problem), but having an explicit
I'm currently looking at using uv instead of pipenv for our projects, and env var expansion is something we use with pipenv and our AWS CodeArtifact repo. Not having this makes things a bit more complicated to use uv (i.e. we can't easily specify in the pyproject.toml file where the packages are located without constant updates, since the index URL contains the auth and it's only good for a limited time). I'm not sure I understand the concern around env var expansion within a URL for this use-case, though.
Right now, we only support expansion (1) by the shell (of course) and (2) in requirements files. But the following don't expand:

cargo run pip install flask --index-url 'https://${PYPI_USERNAME}.com/repository/pypi-proxy/simple/flask/'

uv.toml or pyproject.toml file
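As an added illustration (not code from uv, pip or any project named in this thread), here is a small Python sketch of the two safeguards raised above: expansion that is opt-in and fails closed on an unset variable, plus redaction of userinfo before an index URL is logged. The `${NAME}` syntax is assumed to follow pip's requirements-file convention (uppercase letters, digits and underscore only); the function names and the sample URLs are invented for the example.

```python
import os
import re
from typing import Mapping, Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed pip-style reference syntax: ${NAME}, NAME drawn from [A-Z0-9_].
# Lowercase or unbraced forms are left as literal text.
_REF = re.compile(r"\$\{(?P<name>[A-Z0-9_]+)\}")


def expand_index_url(url: str, env: Optional[Mapping[str, str]] = None,
                     *, allow: bool = False) -> str:
    """Expand ${NAME} references in an index URL (hypothetical helper).

    allow=False (the default) returns the URL untouched, so expansion is
    opt-in and a single-quoted literal stays literal as users expect.
    An unset variable raises instead of silently becoming "", which would
    otherwise yield a URL pointing at the wrong host or carrying empty
    credentials.
    """
    if not allow:
        return url
    lookup = os.environ if env is None else env

    def substitute(match: "re.Match[str]") -> str:
        name = match.group("name")
        if name not in lookup:
            raise KeyError(f"index URL references unset environment variable {name}")
        return lookup[name]

    return _REF.sub(substitute, url)


def redact_index_url(url: str) -> str:
    """Return a log-safe copy of the URL with userinfo masked (hypothetical).

    CI log masking of expanded variables is not foolproof, so the value is
    redacted before it is ever written to output.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    userinfo = "***:***" if parts.password is not None else "***"
    netloc = f"{userinfo}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```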