poetry check does not consider the package source #8704

Closed
2 tasks done
lucemia opened this issue Nov 24, 2023 · 3 comments · Fixed by #8709
Labels
kind/feature Feature requests/implementations

Comments

@lucemia

lucemia commented Nov 24, 2023

  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have searched the FAQ and general documentation and believe that my question is not already covered.

Feature Request

It would be excellent if poetry check could encompass common errors when defining package sources.

Source is undefined

  • If a package points to a non-existent source:
[tool.poetry]
name = "PythonProjects"
version = "2.0.0"
homepage = "https://github.com/roghu/py3_projects"
license = "MIT"
readme = "README.md"
authors = ["Dependabot <support@dependabot.com>"]
description = "Various small python projects."

[tool.poetry.dependencies]
python = "^3.7"
requests = { version = "2.18.0", source = "custom-1" }

[[tool.poetry.source]]
name = "custom"
url = "https://some.internal.registry.com/pypi/"
  • poetry install will fail directly:
(pythonprojects-py3.11) ➜  dependabot-source-constraint git:(main) ✗ poetry install
Warning: In a future version of Poetry, PyPI will be disabled automatically if at least one custom primary source is configured. In order to avoid a breaking change and make your pyproject.toml forward compatible, add PyPI explicitly via 'poetry source add pypi'. By the way, this has the advantage that you can set the priority of PyPI as with any other source.
Updating dependencies
Resolving dependencies... (0.0s)

Repository "custom-1" does not exist.

Package's source is not consistent

  • The behavior is undefined when a package is defined with different source configurations.
[tool.poetry]
name = "PythonProjects"
version = "2.0.0"
homepage = "https://github.com/roghu/py3_projects"
license = "MIT"
readme = "README.md"
authors = ["Dependabot <support@dependabot.com>"]
description = "Various small python projects."


[tool.poetry.dependencies]
python = "^3.7"

requests = { version = "2.18.0", source = "custom-2" }
[tool.poetry.group.dev]
optional = true

[tool.poetry.group.dev.dependencies]
requests = { version = "2.18.0", extras=["dev"], source = "custom-3" }

[tool.poetry.group.test]
optional = true

[tool.poetry.group.test.dependencies]
requests = { version = "2.18.0", extras=["test"], source = "custom-1" }
 

[[tool.poetry.source]]
name = "custom-1"
url = "https://some.internal.registry-1.com/pypi/"

[[tool.poetry.source]]
name = "custom-2"
url = "https://some.internal.registry-2.com/pypi/"
  • Currently, Poetry selects only one source.
  • It appears that Poetry selects the source that is not in the default group and appears last in the pyproject.toml file.
(pythonprojects-py3.11) ➜  dependabot-source-constraint git:(main) ✗ poetry install -vvv
Adding repository custom-1 (https://some.internal.registry-1.com/pypi) and setting it as primary
Adding repository custom-2 (https://some.internal.registry-2.com/pypi) and setting it as primary
Warning: In a future version of Poetry, PyPI will be disabled automatically if at least one custom primary source is configured. In order to avoid a breaking change and make your pyproject.toml forward compatible, add PyPI explicitly via 'poetry source add pypi'. By the way, this has the advantage that you can set the priority of PyPI as with any other source.
Using virtualenv: /Users/davidchen/repo/dependabot-source-constraint/.venv
Updating dependencies
Resolving dependencies...
   1: fact: pythonprojects is 2.0.0
   1: derived: pythonprojects
   1: fact: pythonprojects depends on requests (2.18.0)
   1: fact: pythonprojects depends on requests (2.18.0)
   1: fact: pythonprojects depends on requests (2.18.0)
   1: selecting pythonprojects (2.0.0)
   1: derived: requests[test] (==2.18.0)
   1: derived: requests[dev] (==2.18.0)
   1: derived: requests (==2.18.0)
[keyring.backend] Loading KWallet
[keyring.backend] Loading SecretService
[keyring.backend] Loading Windows
[keyring.backend] Loading chainer
[keyring.backend] Loading libsecret
[keyring.backend] Loading macOS
[keyring.backend] Loading Google Auth
Creating new session for some.internal.registry-1.com
[urllib3.connectionpool] Starting new HTTPS connection (1): some.internal.registry-1.com:443
@lucemia lucemia added kind/feature Feature requests/implementations status/triage This issue needs to be triaged labels Nov 24, 2023
@lucemia lucemia changed the title poetry check does not take into a account source poetry check does not consider the package source Nov 24, 2023
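
A stand-alone linter for the two cases reported above (a dependency naming an undefined source, and one package pinned to different sources in different groups), as an added example that is not part of the issue and not Poetry's own implementation. The function name `check_sources`, its messages, and the rule that all groups must agree on a package's source are assumptions made here.

```python
import sys

# Constructed sample mirroring the second pyproject.toml in the issue.
SAMPLE = '''
[tool.poetry.dependencies]
python = "^3.7"
requests = { version = "2.18.0", source = "custom-2" }
[tool.poetry.group.dev.dependencies]
requests = { version = "2.18.0", extras = ["dev"], source = "custom-3" }
[tool.poetry.group.test.dependencies]
requests = { version = "2.18.0", extras = ["test"], source = "custom-1" }
[[tool.poetry.source]]
name = "custom-1"
url = "https://some.internal.registry-1.com/pypi/"
[[tool.poetry.source]]
name = "custom-2"
url = "https://some.internal.registry-2.com/pypi/"
'''

def check_sources(pyproject: dict) -> list:
    """Return one message per undefined or cross-group conflicting source."""
    poetry = pyproject.get("tool", {}).get("poetry", {})
    defined = {s["name"] for s in poetry.get("source", []) if "name" in s}
    groups = {"main": poetry.get("dependencies", {})}
    for gname, group in poetry.get("group", {}).items():
        groups[gname] = group.get("dependencies", {})
    uses = {}  # package -> {group: set of source names}
    for gname, deps in groups.items():
        for pkg, spec in deps.items():
            # A dependency is a version string, a table, or a list of tables.
            for item in spec if isinstance(spec, list) else [spec]:
                if isinstance(item, dict) and "source" in item:
                    uses.setdefault(pkg.lower(), {}).setdefault(gname, set()).add(item["source"])
    errors = []
    for pkg, by_group in sorted(uses.items()):
        for gname, srcs in by_group.items():
            for src in sorted(srcs - defined):
                errors.append(f'{pkg} ({gname}): source "{src}" is not defined')
        # Only disagreement between groups is flagged, not within one group.
        if len({frozenset(s) for s in by_group.values()}) > 1:
            names = sorted(set().union(*by_group.values()))
            errors.append(f"{pkg}: groups disagree on source: {names}")
    return errors

if __name__ == "__main__":
    import tomllib  # standard library from Python 3.11
    problems = check_sources(tomllib.loads(SAMPLE))
    print("\n".join(problems))
    sys.exit(1 if problems else 0)
```

The non-zero exit status on any finding lets the script gate a pre-commit hook or CI job, so a dependency cannot silently resolve from a registry other than the one the author intended.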
@dimbleby

It would be excellent if poetry check could encompass common errors when defining package sources.

Are these common errors? Since the first one in particular will fail, with a sensible error message, as soon as you try to do anything anyway - I don't know that an explicit addition to poetry check brings very much value.

Nevertheless if you would find either or both these checks useful: I expect a merge request would have every chance of succeeding.

@lucemia

lucemia commented Nov 28, 2023

@dimbleby

You're correct; it's indeed not a common error. However, the inconsistency issue appears to be related to an undefined behavior in the pyproject.toml file. This inconsistency makes it challenging for other tools, such as Dependabot, to process the pyproject.toml file and align its behavior with Poetry.

By adding the ability to check for these kinds of errors in poetry check, it becomes possible to detect such issues during the pre-commit stage.

I have created a pull request (PR) and am hopeful that someone can take the time to provide feedback. Thank you!


This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 29, 2024
@abn abn removed the status/triage This issue needs to be triaged label Mar 2, 2024