uv icon indicating copy to clipboard operation
uv copied to clipboard

Published 20 hours ago verified publisher icon astral-sh

Index URL options do not parse "space separated" URLs as multiple options

Open zanieb opened this issue 1 year ago • 3 comments

e.g. via UV_EXTRA_INDEX_URL or --extra-index-url if you pass https://foo/ https://bar we will treat this as a single URL but it should be split into two.

It's unclear if space separated URLs are the best option. It seems brittle to split the input.

Originally posted in https://github.com/astral-sh/uv/issues/1688#issue-2142265255

zanieb avatar Feb 19 '24 16:02 zanieb

I will again remind users that specifying multiple non-mirror indexes with no guarantee of which index is being sourced for any given package is a real security issue.

E.g. https://pytorch.org/blog/compromised-nightly-dependency/

notatallshaw avatar Feb 19 '24 16:02 notatallshaw

I'm the original reporter in #1688 . I don't know if UV_EXTRA_INDEX_URL is correct? I hope it will work with PIP_EXTRA_INDEX_URL for drop in replacement of uv with pip.

Very much looking forward to this fix. This seems to be the last bit holding me back from using uv in our pipelines. Thanks.

MarcSkovMadsen avatar Feb 23 '24 01:02 MarcSkovMadsen

I think they do just split on a space: https://github.com/pypa/pip/blob/f4a543917eac822a3b06ab0fcc4df7c4e37e387a/src/pip/_internal/cli/parser.py#L249 and https://github.com/pypa/pip/issues/10374.

charliermarsh avatar Feb 26 '24 01:02 charliermarsh