Breaking change in Warehouse breaks poetry lock file creation #5970
Comments
I can confirm that this issue is also affecting Poetry 1.1.13 as it is taking down all of our builds.
👍 We're seeing the same with Poetry 1.1.8
I suspect a lot of people are about to learn a hard lesson about the dangers of relying on public repositories.... diff --git a/src/poetry/repositories/pypi_repository.py b/src/poetry/repositories/pypi_repository.py
index 0e5beab6..142b29d8 100644
--- a/src/poetry/repositories/pypi_repository.py
+++ b/src/poetry/repositories/pypi_repository.py
@@ -204,7 +204,7 @@ class PyPiRepository(HTTPRepository):
)
try:
- version_info = json_data["releases"][version]
+ version_info = json_data["urls"]
except KeyError:
version_info = [] looks like it should fix things on master. |
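Review bot: the `except KeyError` fallback to `version_info = []` directly after the changed line still turns a missing key into an empty file list with no signal, which is how this breakage surfaced as an empty `metadata.files` in generated lock files; consider logging a warning or raising when `"urls"` is absent instead of continuing silently. Separately, `json_data["urls"]` is no longer indexed by `version`, so the result is only correct if `json_data` was fetched for that specific version, which this hunk does not show; a short comment or assertion stating that would help the next reader.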
#5972 draft for now, because there may be other places where Also backported the change for 1.1 in https://github.com/mkniewallner/poetry/commits/fix/fix-releases-key-pypi-repository-1.1
Thanks a lot everyone for reporting, debugging and starting a PR 👍 Will have a look at your PR @mkniewallner
Resolves #6076

I've taken the JSON version of the simple API and converted it into a `LinkSource` so that the package-finding logic in the `PyPiRepository` is very similar to - but annoyingly not quite the same as! - the `LegacyRepository`. I've also taken the opportunity to refactor the `LegacyRepository` ever so slightly to emphasise that similarity.

I think I've probably fixed a small bug re caching and pre-releases: previously the processing for ignored pre-releases was skipped when reading from the cache.

I believe this change will tend to be a modest performance hit. Eg consider a package like `cryptography`, for which there are maybe a couple of dozen downloads available at each release: to get the available versions we now have to iterate over each of those files and parse their names, rather than simply reading the answer. However if the API that poetry currently uses is truly deprecated I see little choice but to suck that up - or risk being in an awkward spot when it is turned off. cf #5970, but worse.

Most of the changes are in the test fixtures:

- unversioned fixtures were generated from the existing fixtures: I didn't want to download fresh data and start getting different answers than the tests were expecting
- new versioned fixtures were downloaded fresh
Resolves #6076

I've taken the JSON version of the simple API and converted it into a `LinkSource` so that the package-finding logic in the `PyPiRepository` is very similar to - but annoyingly not quite the same as! - the `LegacyRepository`. I've also taken the opportunity to refactor the `LegacyRepository` ever so slightly to emphasise that similarity.

I think I've probably fixed a small bug re caching and pre-releases: previously the processing for ignored pre-releases was skipped when reading from the cache.

I believe this change will tend to be a modest performance hit. Eg consider a package like `cryptography`, for which there are maybe a couple of dozen downloads available at each release: to get the available versions we now have to iterate over each of those files and parse their names, rather than simply reading the answer. However if the API that poetry currently uses is truly deprecated I see little choice but to suck that up - or risk being in an awkward spot when it is turned off. cf #5970, but worse.

Most of the changes are in the test fixtures:

- unversioned fixtures were generated from the existing fixtures: I didn't want to download fresh data and start getting different answers than the tests were expecting
- new versioned fixtures were downloaded fresh

(cherry picked from commit b61a4dd)
It seems that Poetry 1.2.2 fixed it but 1.3.1 is back with the same issue, any idea why?
@Natim: Please open a new issue with steps to reproduce if you encounter any problems (I don't have any).
We haven't encountered this issue on Poetry 1.3.1 either.
Sorry, you are both right, the issue is not related: the poetry.lock file structure changed between 1.2.2 and 1.3.1, which made the metadata section disappear, but the hashes are correctly computed in the package file section in 1.3.1.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
`-vvv` option).

Issue

The warehouse project (backend of pypi.org) applied a breaking change that affects `poetry lock`: the `releases` key is no longer present in the responses, required for the pypi_repository implementation.

It can be easily verified by removing the local cache and inspecting the generated lock file, it would have an empty `metadata.files` property, something like:
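The lock-file check described in the issue, as an added example that is not part of the original thread or of Poetry's code: it lists locked packages that carry no file hashes, covering both the older `[metadata.files]` layout and the newer per-package `files` array mentioned in the comments. The sample lock text, the placeholder hash and the rule that `git` and `directory` sources are skipped are assumptions of this example.

```python
import sys
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # assumption: backport installed on older Pythons

# Assumption: VCS and local-directory dependencies have no archive to hash.
NO_ARCHIVE_SOURCES = {"git", "directory"}

# Constructed sample in the older layout: "requests" has the empty list
# described in the issue, "idna" is intact. The hash is a placeholder.
SAMPLE_LOCK = """
[[package]]
name = "idna"
version = "3.3"

[[package]]
name = "requests"
version = "2.28.0"

[metadata]
lock-version = "1.1"

[metadata.files]
idna = [
    {file = "idna-3.3-py3-none-any.whl", hash = "sha256:0000000000000000000000000000000000000000000000000000000000000000"},
]
requests = []
"""


def packages_without_hashes(lock_text):
    """Return sorted names of locked packages that have no sha256 file hash."""
    lock = tomllib.loads(lock_text)
    legacy_files = lock.get("metadata", {}).get("files", {})
    missing = []
    for pkg in lock.get("package", []):
        if pkg.get("source", {}).get("type") in NO_ARCHIVE_SOURCES:
            continue
        # Newer layout keeps `files` on the package; older one under metadata.
        entries = pkg["files"] if "files" in pkg else legacy_files.get(pkg["name"], [])
        hashes = [entry.get("hash", "") for entry in entries]
        if not hashes or not all(h.startswith("sha256:") for h in hashes):
            missing.append(pkg["name"])
    return sorted(missing)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    bad = packages_without_hashes(text)
    print("packages without hashes:", bad)
    sys.exit(1 if bad else 0)
```

Run against a real `poetry.lock` path in CI, a non-zero exit marks a lock file generated while the hash data was missing, so it can be regenerated before anything installs from it.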