Greg Roodt
Agree. I actually meant to do this the other day. You do need it to grab scripts however... I think as a temporary workaround, this issue can be fixed...
Please consider dependency confusion attacks: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Use of `--extra-index-url` as they are presently used are a security vulnerability. [PEP 708](https://peps.python.org/pep-0708/) is a yet-to-be-implemented approach to improving the security posture.
I am intentionally mentioning this comment because these 2 issues are related and can lead to significant security problems. https://github.com/astral-sh/uv/issues/171#issuecomment-1951663263
I don’t want to claim this as a general alternative to `--extra-index-url`, but it does often work for the common scenario of a single package on a different index. One...
Makes sense. I think you may receive a lot of duplicate feature requests from the folks who do misuse `--extra-index-url` and who aren't aware that it is not currently intended...
There’s a small security warning in the pip docs [here](https://pip.pypa.io/en/stable/cli/pip_install/#examples): `Using this option to search for packages which are not in the main repository (such as private packages) is...`
@cosmicexplorer Do you know if the CI failures are expected?
Any reason this can't be merged?
Anything further required to merge this?