
uv index feature will leak credentials to uv.lock #8296

Closed
inoa-jboliveira opened this issue Oct 17, 2024 · 10 comments · Fixed by #8307 or #8333
Labels
bug Something isn't working

Comments

@inoa-jboliveira

Hi,

Maybe I am doing things wrong, but is there a way to use the new index feature without it sending credentials to uv lock?

E.g.: With something like this

[[tool.uv.index]]
name = "ixname"
url = "https://user:<password>@mynexusrepo.example.com/repository/hosted/simple/"

[tool.uv.sources]
mypackage = { index = "ixname" }

I will get the user and password on the index name on uv.toml

{ name = "mypackage", specifier = "==5.4.1", index = "https://user:<password>@mynexusrepo.example.com/repository/hosted/simple/" },

Notice this won't happen to the URL portion, which remains the same after using the new syntax

{ url = "https://mynexusrepo.example.com/repository/hosted/packages/mypackage/5.4.1/...", hash = "sha256:..." }
@charliermarsh
Member

Thanks, that's my mistake.

@inoa-jboliveira
Author

Hi @charliermarsh
Thank you for looking into it.
I did try uv 0.4.24 and I get the exact same result.

I believe the credentials should not be added to this portion of the uv lock file.

{ name = "mypackage", specifier = "==5.4.1", index = "https://user:<password>@mynexusrepo.example.com/repository/hosted/simple/" },

That's why I asked if I am doing something wrong. I tend to have the credentials on dev environment, but then I can supply uv.lock as is (which didn't have credentials on it before) and the client credentials would be different for each one and passed more securely in an env variable, not on the file.

@inoa-jboliveira
Author

inoa-jboliveira commented Oct 18, 2024

BTW, I dislike env variables for dev environments because there is no easy cross platform way of making sure all our devs have the same env variables on bash/zsh/powershell/cmd. We end up hooking the virtualenv activate process, but it doesn't work all the time and it would be nice to only use config or dotenv files, if uv could read them.

That being said, would there be a way of passing these credentials other than it be stored on uv.lock, even if by env variables such

UV_INDEX_CREDENTIALS_IXNAME=foo:bar ?

@charliermarsh
Member

Just to confirm, did you remove the uv.lock before locking?

@charliermarsh
Member

The second thing you're describing should already be supported: https://docs.astral.sh/uv/configuration/indexes/#providing-credentials

@inoa-jboliveira
Author

inoa-jboliveira commented Oct 18, 2024

Hi @charliermarsh

Here is a reproducible example

$ uv version
uv 0.4.24
$ cat pyproject.toml
[project]
name = "foo"
version = "0.1.0"
requires-python = ">=3.9"
dependencies = [
    "requests>=2.32.3",
]

[[tool.uv.index]]
name = "myindex"
url = "https://redacted:redacted@redacted/repository/pypi-all/simple/"
default = true

[tool.uv.sources]
requests = { index = "myindex" }

$ rm -rf uv.lock
$ uv lock
Resolved 6 packages in 4ms

$ git diff uv.lock
diff --git a/uv.lock b/uv.lock
index 002c212..274dc3d 100644
--- a/uv.lock
+++ b/uv.lock
@@ -103,7 +103,7 @@ dependencies = [
 ]

 [package.metadata]
-requires-dist = [{ name = "requests", specifier = ">=2.32.3" }]
+requires-dist = [{ name = "requests", specifier = ">=2.32.3", index = "https://redacted:redacted@redacted/repository/pypi-all/simple/" }]

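Review bot: the `+requires-dist` line in this hunk writes the full index URL, including the `redacted:redacted@` userinfo taken from `[[tool.uv.index]]` in pyproject.toml, into the committed uv.lock, whereas the `-` line carried only `name` and `specifier`. Since uv.lock is meant to be shared as-is, the serialized `index` value should be the index URL with the userinfo stripped (or the index name), and credentials should be supplied out of band, for example via the environment-variable mechanism the docs link above describes; a test asserting that the locked `index` string contains no `@` would catch this regression.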
The key here is adding:

[tool.uv.sources]
requests = { index = "myindex" }

I did a commit before it and one after adding it, which is why the difference shows on git diff.
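As an added, defensive example that is not part of the uv project or of this thread: a small pre-commit style check that scans pyproject.toml and uv.lock text for URL values carrying `user:password@` userinfo (the pattern the diff above leaks into the lock file) and can emit a redacted copy. The sample TOML fragments are constructed here to mirror the repro; the host, user and password values are placeholders, and the `scan_sources`/`redact_text` helper names are this example's own.

```python
"""Flag and redact index/package URLs that embed credentials (added example)."""
import re
import sys
from urllib.parse import urlsplit

# Any TOML `key = "http(s)://..."` value on a line; the key is kept for reporting.
URL_VALUE_RE = re.compile(r'(?P<key>[A-Za-z_-]+)\s*=\s*"(?P<url>https?://[^"]+)"')

# The userinfo component: text between "://" and the "@" that precedes the host.
USERINFO_RE = re.compile(r'(?<=://)[^/@]*@')


def has_userinfo(url: str) -> bool:
    """True when the URL authority embeds a username and/or password."""
    parts = urlsplit(url)
    return bool(parts.username) or parts.password is not None


def redact_url(url: str) -> str:
    """Replace embedded credentials with a fixed placeholder; other URLs pass through."""
    if not has_userinfo(url):
        return url
    return USERINFO_RE.sub("***:***@", url, count=1)


def find_credentialed_urls(text: str):
    """Return (line_number, key, url) for each URL value that embeds credentials."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_VALUE_RE.finditer(line):
            if has_userinfo(m.group("url")):
                hits.append((lineno, m.group("key"), m.group("url")))
    return hits


def redact_text(text: str) -> str:
    """Return the text with every credentialed URL value redacted in place."""
    return URL_VALUE_RE.sub(
        lambda m: f'{m.group("key")} = "{redact_url(m.group("url"))}"', text)


def scan_sources(named_texts):
    """Scan several files at once; returns (name, line_number, key, redacted_url) tuples."""
    return [(name, lineno, key, redact_url(url))
            for name, text in named_texts.items()
            for lineno, key, url in find_credentialed_urls(text)]


# Constructed sample inputs (placeholder host and secret, not real credentials).
SAMPLE_PYPROJECT = '''[[tool.uv.index]]
name = "myindex"
url = "https://ci-user:s3cret@nexus.example.internal/repository/pypi-all/simple/"
default = true

[tool.uv.sources]
requests = { index = "myindex" }
'''

SAMPLE_LOCK = '''[[package]]
name = "foo"
version = "0.1.0"

[package.metadata]
requires-dist = [{ name = "requests", specifier = ">=2.32.3", index = "https://ci-user:s3cret@nexus.example.internal/repository/pypi-all/simple/" }]

[[package]]
name = "requests"
version = "2.32.3"
sdist = { url = "https://nexus.example.internal/repository/pypi-all/packages/requests-2.32.3.tar.gz", hash = "sha256:0000" }
'''


def main(argv):
    """With file paths: scan them and exit 1 if any embeds credentials. Without: scan the samples."""
    if argv:
        texts = {}
        for path in argv:
            with open(path, encoding="utf-8") as fh:
                texts[path] = fh.read()
    else:
        texts = {"pyproject.toml": SAMPLE_PYPROJECT, "uv.lock": SAMPLE_LOCK}
    hits = scan_sources(texts)
    for name, lineno, key, url in hits:
        print(f"{name}:{lineno}: `{key}` embeds credentials: {url}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_index_creds.py pyproject.toml uv.lock` in a pre-commit hook: a non-zero exit blocks the commit, and the report shows only the redacted URL so the hook output itself does not re-leak the secret. The check deliberately looks at pyproject.toml too, since that is where the credentials enter before uv copies them into the lock.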

@inoa-jboliveira
Author

The second thing you're describing should already be supported: https://docs.astral.sh/uv/configuration/indexes/#providing-credentials

Very cool! I see a typo here:

url = "https://public:koala@https://pypi-proxy.corp.dev/simple"

There is a 2nd https:// in the middle of the url

@charliermarsh
Member

Oops, thank you.

(I'll try that repro in a bit.)

@charliermarsh charliermarsh reopened this Oct 18, 2024
@charliermarsh
Member

Ok looks like I missed something here. Will fix.

@charliermarsh
Member

Embarrassingly I had tests for this but the tests had the wrong assertion: #8333

MtkN1 pushed a commit to MtkN1/uv that referenced this issue Oct 21, 2024