Poetry 1.5: export command does not include --extra-index-url and --trusted-host for explicit sources

[shiumachi]

• Poetry version: 1.5.0
• Python version:3.10.6
• OS version and name: Ubuntu 22.04.2 LTS
• pyproject.toml: https://gist.github.com/shiumachi/01ce37f527818e513f18ece4b3a01ecc

• I am on the latest stable Poetry version, installed using a recommended method.
• I have searched the issues of this repo and believe that this is not a duplicate.
• I have consulted the FAQ and blog for any relevant entries or release notes.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

I have encountered an issue while using the poetry export command when specifying an explicit source. The command does not seem to export the --extra-index-url and --trusted-host as expected. This affects projects relying on these sources and may require manual adjustments in the generated requirements file.

To reproduce the issue, please follow these steps:

Reproduction Steps
Set up the environment with Poetry 1.5 and a local pypiserver running on port 8080 with a wheel file (in this example, a black wheel file) placed in the packages directory.
Run the command poetry export --without-hashes.

Actual Output

black==23.3.0 ; python_version >= "3.10" and python_version < "4.0"
click==8.1.3 ; python_version >= "3.10" and python_version < "4.0"
colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows"
mypy-extensions==1.0.0 ; python_version >= "3.10" and python_version < "4.0"
packaging==23.1 ; python_version >= "3.10" and python_version < "4.0"
pathspec==0.11.1 ; python_version >= "3.10" and python_version < "4.0"
platformdirs==3.5.1 ; python_version >= "3.10" and python_version < "4.0"
tomli==2.0.1 ; python_version >= "3.10" and python_version < "3.11"

Expected Output

--trusted-host localhost:8080
--extra-index-url http://localhost:8080

black==23.3.0 ; python_version >= "3.10" and python_version < "4.0"
click==8.1.3 ; python_version >= "3.10" and python_version < "4.0"
colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows"
mypy-extensions==1.0.0 ; python_version >= "3.10" and python_version < "4.0"
packaging==23.1 ; python_version >= "3.10" and python_version < "4.0"
pathspec==0.11.1 ; python_version >= "3.10" and python_version < "4.0"
platformdirs==3.5.1 ; python_version >= "3.10" and python_version < "4.0"
tomli==2.0.1

Investigation

Upon investigating the issue, I found that in the poetry-plugin-export, the Exporter class calls the RepositoryPool.repositories property from the main poetry repository to fetch all repository information:

repositories = [
    r
    for r in self._poetry.pool.repositories
    if isinstance(r, HTTPRepository) and r.url == index.rstrip("/")
]

(Source: https://github.com/python-poetry/poetry-plugin-export/blob/main/src/poetry_plugin_export/exporter.py#L174-L178)

However, in poetry 1.5.0, the repositories property excludes the explicit repository for the sake of backward compatibility:

@property
def repositories(self) -> list[Repository]:
    """
    Returns the repositories in the pool,
    in the order they will be searched for packages.

    ATTENTION: For backwards compatibility and practical reasons,
               repositories with priority EXPLICIT are NOT included,
               because they will not be searched.
    """
    sorted_repositories = self._sorted_repositories
    return [
        prio_repo.repository
        for prio_repo in sorted_repositories
        if prio_repo.priority is not Priority.EXPLICIT
    ]

(Source: https://github.com/python-poetry/poetry/blob/master/src/poetry/repositories/repository_pool.py#L62-L77)

Possible Solution

One possible solution would be to use the all_repositories property instead of repositories:

@property
def all_repositories(self) -> list[Repository]:
    return [prio_repo.repository for prio_repo in self._sorted_repositories]

(Source: https://github.com/python-poetry/poetry/blob/master/src/poetry/repositories/repository_pool.py#L79-L81)

To maintain compatibility and flexibility for users who may not want to include the explicit repository, another approach could be to add an --with-explicit-repository option to the poetry export command.

I've been examining this issue closely and I'd like to take the next step by working on a pull request to solve it. I believe the potential solutions we discussed above are a good starting point, though I haven't started writing the code just yet.

I'm open to any additional guidance or suggestions before I start with the implementation. Once I have written the code and ensured it doesn't disrupt existing functionality or introduce new security concerns, I'll submit the pull request.

I appreciate your support and I'm looking forward to contributing to the resolution of this issue.

[radoering]

Using all_repositories instead of repositories sounds good. IMO, it does not make sense to add an option because you will always need to consider explicit repositories. For pip all repositories are equal.

[shiumachi]

Thanks for your quick response. I agree with your perspective on using all_repositories and not needing an additional option. I will prepare a pull request implementing this approach shortly.