Private repository as a source #6421

Closed
NevoleMarek opened this issue Aug 22, 2024 · 12 comments
Labels
configuration Settings and such question Asking for clarification or support

Comments

@NevoleMarek

Hi, I'd like to transition from poetry to uv. What I am missing is a way of using private repositories as a source for packages.

Poetry allows adding private repositories like so:

poetry source add --priority=supplemental foo https://pypi.example.org/simple/

and then installing a package from the repository like so:

poetry add --source foo private-package

Can this be sensibly done using uv?

I guess it could somehow be done via HTTP URLs but that seems a bit cumbersome.

@charliermarsh
Member

charliermarsh commented Aug 22, 2024

So, today, you would do something like this in your pyproject.toml:

[tool.uv]
extra-index-url = ["https://pypi.example.org/simple/"]

uv will then look in https://pypi.example.org/simple/ before looking in PyPI, and if a package exists on that index, it won't check PyPI at all.

We'll likely add a more granular index API in the future that looks more like what you get in Poetry, PDM, or Rye.

@charliermarsh
Member

If you want to replace PyPI entirely, you can do:

[tool.uv]
index-url = "https://pypi.example.org/simple/"

@charliermarsh
Member

Alternatively, you can define these globally in ~/.config/uv/uv.toml:

extra-index-url = ["https://pypi.example.org/simple/"]

@charliermarsh charliermarsh added the configuration Settings and such label Aug 22, 2024
@NevoleMarek
Author

Thanks for the response

I guess the setting extra-index-url with index-strategy = "first-index" will do for now.

Looking forward to a more granular API in the future.

One thing I would like to prevent via the future API is dependency confusion attacks.

@charliermarsh
Member

Makes sense. Our default strategy is more resilient to such attacks than pip (since, if a package exists on your index, we won't even look at PyPI, even if a more recent version is available there), but we do want to add an API that allows for explicit package-to-index assignments.

@rafalkrupinski

Regarding a private source repository, is there a way to provide credentials?

@NevoleMarek
Author

The simplest way would be to add the private source repo as extra-index-url already with the credentials as follows:

[tool.uv]
extra-index-url = ["https://<username>:<password>@<index_url>"]

But as you can imagine, this is not the safest option. A more cumbersome but viable option is to specify the index and credentials with the uv add command and environment variables.

uv add package --extra-index-url https://${USERNAME}:${PASSWORD}@<index_url>

What I would like to see in the future is something similar to Poetry's way of doing this.

In addition to simple addition of sources, they also provide the following way to add credentials to the sources.

poetry config http-basic.your_index <username> <password>

Find more here.

There are other options that uv recommends for HTTP authentication, but they are not the simplest either, or maybe I am missing something.

@rafalkrupinski

@NevoleMarek thanks, I'll check it out!

@zanieb zanieb added the question Asking for clarification or support label Aug 26, 2024
@rafalkrupinski

Actually I like the idea of using keyring and KWallet integration. Way better than storing passwords in open text.

@yohann84L

Still no alternative to the poetry config http-basic.your_index <username> <password> ?

@zanieb
Member

zanieb commented Oct 21, 2024

We support UV_INDEX_<NAME>_USERNAME and UV_INDEX_<NAME>_PASSWORD now in addition to indexes in source definitions.

@zanieb zanieb closed this as completed Oct 21, 2024