The Python Package Index


Warehouse

Warehouse is the software that powers PyPI. See our development roadmap, documentation, and architectural overview.

Getting Started

You can run Warehouse locally in a development environment using docker and docker-compose. See Getting started documentation for instructions on how to set it up.

The canonical deployment of Warehouse is in production at pypi.org.

Discussion

If you run into bugs, you can file them in our issue tracker.

You can also join the chat channels #pypa (general packaging discussion and user support) and #pypa-dev (discussion about development of packaging tools) on Freenode, or the distutils-sig mailing list, to ask questions or get involved.

Testing

Read the running tests and linters section of our documentation to learn how to test your code. For cross-browser testing, we use an open source account from BrowserStack. If your pull request makes any change to the user interface, it will need to be tested to confirm it works in our supported browsers.

Code of Conduct

Everyone interacting in the Warehouse project's codebases, issue trackers, chat rooms, and mailing lists is expected to follow the PSF Code of Conduct.

Issues
  • Add support for API keys

    A scary number of people embed their PyPI username and password in their Travis config (using Travis encrypted variables), to enable automatic releases for certain branches (Travis even has a guide for it).

    In addition, the packaging docs example encourages users to save their password in plaintext on disk in their .pypirc (they can of course use twine's password prompting, but I wonder how many read that far, rather than just copy the example verbatim?)

    Whilst in an ideal world credentials of any form wouldn't be saved unencrypted to disk (or given to a third-party such as Travis) and instead users prompted every time - I don't think this is realistic in practice.

    API keys would offer the following advantages:

    1. Higher-entropy credentials that are guaranteed to have not been reused on multiple sites.
    2. The ability to give the API key a smaller permissions scope than that of the owner's username/password. For example an API key would not be permitted to change a user's listed GPG key or in the future, their 2FA settings. Or an API key could be limited to a specific package.
    3. Since this would be separate from the existing username/password auth, a signing based approach (eg HMAC) could be used, without breaking older clients. This would ensure that if a connection was MiTMed (eg due to a protocol or client exploit), the API key itself would still remain secure.
    4. Eventually support could be dropped for the password field in .pypirc, leaving a much safer choice between password prompting every time, or creating an API key that could be saved to disk.
    5. If/when support is added for 2FA, users who need to automate PyPI uploads won't have to forgo 2FA for their whole account. They could instead choose to just create a 2FA-circumventing API key for just the one package that needs uploads in automation.

    Many thanks :-)

    (I've filed this against warehouse since I'm presuming this is beyond the scope of maintenance-only changes being made to the old PyPI codebase)

    feature request High priority APIs/feeds 
    opened by edmorley 70
  • Artifactory not compatible with new /simple file links.

    We have an internal mirror of https://pypi.python.org that stopped working as the load testing started: https://status.python.org/incidents/0gmdf90kkt8n

    I am currently investigating and collecting logs to further report but would like to create an issue in case other people come across the same problem.

    If this turns out to be my internal problem (I hope so!), my apologies in advance. I will update this issue as I have more information.

    opened by thiagofigueiro 57
  • How to update the "Description" in pypi.org ?

    In the old pypi.python.org, we could update the description by using edit or uploading a pkg-info file. But now it is not supported:

    Gone (This API has been deprecated and removed from legacy PyPI in favor of using the APIs available in the new PyPI.org implementation of PyPI (located at https://pypi.org/). For more information about migrating your use of this API to PyPI.org, please see https://packaging.python.org/guides/migrating-to-pypi-org/#uploading. For more information about the sunsetting of this API, please see https://mail.python.org/pipermail/distutils-sig/2017-June/030766.html)

    But in pypi.org, I cannot find any function to add or change the description of the package : https://pypi.org/project/lightgbm/

    I also tried to update it by using python setup.py register , but it failed: Server response (410): This API is no longer supported, instead simply upload the file.

    So I tried to upload the pkg-file, but still met the error: ValueError: Unknown distribution format: 'PKG-INFO'

    High priority needs discussion 
    opened by guolinke 51
  • SSL Error

    Probably due to the load testing happening right now, this happens when trying to install any package.

      Could not fetch URL https://pypi.python.org/simple/upgrade/: There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645) - skipping
      Could not find a version that satisfies the requirement upgrade (from versions: )
    No matching distribution found for upgrade
    
    opened by matthewdias 47
  • Add markdown support

    I've been working on styling the information panel (issue #801).

    One thing that I've noticed is that a number of package long descriptions are not coming through with the correct formatting:

    [Screenshots: 2015-12-29 17-40-04, 2015-12-29 17-40-15]

    The first is clearly markdown, the second, I am not sure, but I have noticed a number of other packages using the same syntax.

    Obviously, it would be great to render these out to HTML so the new styles will work.

    feature request 
    opened by nlhkabu 47
  • `long_description_content_type` flag in setup.py seems to be ignored on upload.

    Describe the bug

    I have a python package on PyPi that just (as of the last ~4-5 days) now fails to upload, with a new error:

    [email protected] /m/S/S/WebRequest> python3 setup.py sdist upload
    
    [snip build process]
    
    Submitting dist/WebRequest-0.0.28.tar.gz to https://upload.pypi.org/legacy/
    Upload failed (400): The description failed to render in the default format of reStructuredText. See https://pypi.org/help/#description-content-type for more information.
    error: Upload failed (400): The description failed to render in the default format of reStructuredText. See https://pypi.org/help/#description-content-type for more information.
    

    Ok, that's clear enough. My readme is in markdown, let's see how to fix this.

    Going to https://packaging.python.org/tutorials/packaging-projects/#description, it states you can add long_description_content_type="text/markdown", to your setup.py file, and it'll be processed as markdown.

    <does edits>....
    <submits to PyPi again
    
    Submitting dist/WebRequest-0.0.28.tar.gz to https://upload.pypi.org/legacy/
    
    [snip build process]
    
    Upload failed (400): The description failed to render in the default format of reStructuredText. See https://pypi.org/help/#description-content-type for more information.
    error: Upload failed (400): The description failed to render in the default format of reStructuredText. See https://pypi.org/help/#description-content-type for more information.
    

    What?

    Expected behavior

    I expect if I specify the readme is markdown, as the documentation says to do so, the readme should be treated as markdown.

    To Reproduce

    Attempt to upload a package with a readme that is valid markdown, but not valid reStructuredText.

    My Platform

    • Python 3.5.2 x64
    • Ubuntu 16.04 LTS
    • setuptools-39.2.0 (I specifically checked that it's the most current version)
    • readme_renderer 20.0

    Actual project in question is here. The readme.md in question is here, and the setup.py is here

    opened by fake-name 45
  • 2FA/API tokens: staging/testing rollout

    What's the problem this feature will solve?

    To finish #996 (see #5567), we need to test MFA with real users on real packages; asking them to spin up dev environments is too hard and won't help multi-maintainer projects reason well about what MFA policies they want to set up.

    Describe the solution you'd like

    My tentative suggestion is:

    • We first roll out MFA on test.pypi.org and publicize it to project maintainers for a designated 2-week testing period, and we allot extra time for dealing with support requests during that time
    • We then roll it out to pypi.org and announce it on the PyPI announcement email list, PSF blog, etc.

    Additional context

    • If things go awry during initial testing, is there any chance we will need to wipe tokens from users' accounts?
    • Are there particular categories of user we need to make sure we get in the beta test? Ideas that come to mind for me: Windows, mobile, users of particular TOTP implementations and U2F implementations, people on very slow connections, people who habitually block a lot of cookies/JS, maintainers who maintain 20+ projects, people with very old and weird PyPI accounts (e.g., we do not have verified email for them, their passwords do not adhere to current policy), users with upwards of 10 MFA methods they want to add to their accounts, multi-maintainer projects, multi-owner projects, organizations where users share an auth token within a group.
    • Is test.pypi.org the right place for this? Should we spin up some other instance for this particular kind of testing, since maintainers do use Test PyPI for real uploads (of packages that need testing)?

    Cc @ewdurbin .

    meta 
    opened by brainwane 43
  • Add support for two-factor authentication

    Account compromise of the owner of a popular package on PyPI is something that would have pretty dire consequences. 2FA/MFA would be a big step to helping avoid this.

    This would need to be implemented in both:

    • Website login
    • API used for package upload/register by setuptools/pip/...

    The 1st of these is presumably the easiest, and I believe will still add some value even if the 2nd isn't implemented initially - since it will still prevent things like package owner/maintainer role changes or modification of a user's listed GPG key or login details (presuming these cannot be made via the API).

    Harder is what to do with the API, given it requires client changes and is also used by some in a non-interactive manner in automation. I see a few options:

    1. Add 2FA support to setuptools/pip, and just document that people uploading packages in automation will just need to disable 2FA for their whole account (or ideally create a separate account just for automation).
    2. Add support for API keys to both Warehouse and clients (#994) and allow those to circumvent 2FA. For the people that really must upload packages non-interactively this would still protect against a few risks (credentials re-use, weak credentials), and the API keys could also be made package-specific or tied to a particular IP range. For everyone else, they would just not create an API key and still have full 2FA protection.
    3. All of the above.

    In terms of implementation, there are a number of packages that support TOTP (used by Google Authenticator):

    • https://pypi.python.org/pypi/onetimepass/1.0.1
    • https://pypi.python.org/pypi/pyotp
    • https://pypi.python.org/pypi/oath
    • https://pypi.python.org/pypi/otpauth

    (I've filed this against warehouse since I'm presuming this is beyond the scope of maintenance-only changes being made to the old PyPI codebase)

    feature request High priority 
    opened by edmorley 41
  • Project Rating

    Looking at the warehouse interface, it should be possible to show some rating, maybe a stars-based system.

    UX/UI feature request 
    opened by williamjmorenor 41
  • WebAuthn failing in Chrome for incompatible versions & on modal fail/cancellation

    @webknjaz reported:

    @brainwane I've tried that on Test PyPI.

    So I have a TOTP set up. I clicked on Add 2FA with security key. It prompted me to enter a Key name which I did (Yubikey Neo).

    STR

    After that, clicking Provision key does nothing visually. So I've opened DevTools. I can see a successful GET request to https://test.pypi.org/manage/account/webauthn-provision/options with some JSON payload in the response. It looks legit, contains my user data and a challenge. After clicking more times on that button, each of them produces an exception being logged to the JS console. The same happens on prod PyPI, in incognito mode, with browser extensions disabled.

    Runtime

    Google Chrome Version 69.0.3497.81 (Official Build) (64-bit) running Gentoo Linux

    Trace
    [8] bind-modal-keys.js:43 Uncaught (in promise) DOMException: A request is already pending.
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    Promise.then (async)
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    Promise.then (async)
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    Promise.then (async)
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    (anonymous) @ webauthn.js:179
    (anonymous) @ webauthn.js:23
    r @ runtime.js:55
    (anonymous) @ runtime.js:293
    t.(anonymous function) @ runtime.js:107
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    d @ raven.js:445
    [2] bind-modal-keys.js:43 Uncaught (in promise) DOMException: The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    Promise.then (async)
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    Promise.then (async)
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    Promise.then (async)
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    (anonymous) @ webauthn.js:179
    (anonymous) @ webauthn.js:23
    r @ runtime.js:55
    (anonymous) @ runtime.js:293
    t.(anonymous function) @ runtime.js:107
    r @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    (anonymous) @ bind-modal-keys.js:43
    d @ raven.js:445
    

    Originally posted by @webknjaz in https://github.com/pypa/warehouse/issues/5661#issuecomment-503486463

    bug :bug: cross browser bug :bug: 
    opened by brainwane 40
  • Bump sqlalchemy from 1.4.25 to 1.4.26

    Bumps sqlalchemy from 1.4.25 to 1.4.26.

    Release notes

    Sourced from sqlalchemy's releases.

    1.4.26

    Released: October 19, 2021

    orm

    • [orm] [bug] Improved the exception message generated when configuring a mapping with joined table inheritance where the two tables either have no foreign key relationships set up, or where they have multiple foreign key relationships set up. The message is now ORM specific and includes context that the _orm.Mapper.inherit_condition parameter may be needed particularly for the ambiguous foreign keys case.

    • [orm] [bug] Fixed issue with _orm.with_loader_criteria() feature where ON criteria would not be added to a JOIN for a query of the form select(A).join(B), stating a target while making use of an implicit ON clause.

      References: #7189

    • [orm] [bug] Fixed bug where the ORM "plugin", necessary for features such as _orm.with_loader_criteria() to work correctly, would not be applied to a _sql.select() which queried from an ORM column expression if it made use of the _sql.ColumnElement.label() modifier.

      References: #7205

    • [orm] [bug] Add missing methods added in #6991 to _scoping.scoped_session and _asyncio.async_scoped_session().

      References: #7103

    • [orm] [bug] An extra layer of warning messages has been added to the functionality of _orm.Query.join() and the ORM version of _sql.Select.join(), where a few places where "automatic aliasing" continues to occur will now be called out as a pattern to avoid, mostly specific to the area of joined table inheritance where classes that share common base tables are being joined together without using explicit aliases. One case emits a legacy warning for a pattern that's not recommended, the other case is fully deprecated.

      The automatic aliasing within ORM join() which occurs for overlapping mapped tables does not work consistently with all APIs such as _orm.contains_eager(), and rather than continue to try to make these use cases work everywhere, replacing with a more user-explicit pattern is clearer, less prone to bugs and simplifies SQLAlchemy's internals further.

      The warnings include links to the errors.rst page where each pattern is

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 0
  • Bump botocore from 1.21.62 to 1.21.65

    Bumps botocore from 1.21.62 to 1.21.65.

    Changelog

    Sourced from botocore's changelog.

    1.21.65

    • api-change:dataexchange: This release adds support for our public preview of AWS Data Exchange for Amazon Redshift. This enables data providers to list products including AWS Data Exchange datashares for Amazon Redshift, giving subscribers read-only access to provider data in Amazon Redshift.
    • api-change:chime-sdk-messaging: The Amazon Chime SDK now allows developers to execute business logic on in-flight messages before they are delivered to members of a messaging channel with channel flows.

    1.21.64

    • api-change:quicksight: AWS QuickSight Service Features - Add IP Restriction UI and public APIs support.
    • enchancement:AWSCRT: Upgrade awscrt extra to 0.12.5
    • api-change:ivs: Bug fix: remove unsupported maxResults and nextToken pagination parameters from ListTagsForResource

    1.21.63

    • api-change:efs: Update efs client to latest version
    • api-change:glue: Enable S3 event base crawler API.
    Commits
    • 245d52e Merge branch 'release-1.21.65'
    • ca018e4 Bumping version to 1.21.65
    • 7f8001b Update to latest models
    • fadb4a6 Merge branch 'release-1.21.64'
    • 995a78b Merge branch 'release-1.21.64' into develop
    • 814c2d4 Bumping version to 1.21.64
    • ddb401f Update to latest models
    • 2757b42 Upgrade to awcrt 0.12.5 (#2523)
    • ee92afa Merge branch 'release-1.21.63'
    • aa9b6ec Merge branch 'release-1.21.63' into develop
    • Additional commits viewable in compare view

    dependencies python 
    opened by dependabot[bot] 0
  • Bump faker from 9.3.1 to 9.5.0

    Bumps faker from 9.3.1 to 9.5.0.

    Release notes

    Sourced from faker's releases.

    Release v9.5.0

    See CHANGELOG.md

    Release v9.4.0

    See CHANGELOG.md

    Changelog

    Sourced from faker's changelog.

    v9.5.0 - 2021-10-19

    v9.4.0 - 2021-10-19

    Commits

    dependencies python 
    opened by dependabot[bot] 0
  • Bump boto3 from 1.18.62 to 1.18.65

    Bumps boto3 from 1.18.62 to 1.18.65.

    Changelog

    Sourced from boto3's changelog.

    1.18.65

    • api-change:dataexchange: [botocore] This release adds support for our public preview of AWS Data Exchange for Amazon Redshift. This enables data providers to list products including AWS Data Exchange datashares for Amazon Redshift, giving subscribers read-only access to provider data in Amazon Redshift.
    • api-change:chime-sdk-messaging: [botocore] The Amazon Chime SDK now allows developers to execute business logic on in-flight messages before they are delivered to members of a messaging channel with channel flows.

    1.18.64

    • api-change:quicksight: [botocore] AWS QuickSight Service Features - Add IP Restriction UI and public APIs support.
    • enchancement:AWSCRT: [botocore] Upgrade awscrt extra to 0.12.5
    • api-change:ivs: [botocore] Bug fix: remove unsupported maxResults and nextToken pagination parameters from ListTagsForResource

    1.18.63

    • api-change:efs: [botocore] Update efs client to latest version
    • api-change:glue: [botocore] Enable S3 event base crawler API.
    Commits
    • ea78c76 Merge branch 'release-1.18.65'
    • 16e0036 Bumping version to 1.18.65
    • b069a62 Add changelog entries from botocore
    • d6397e8 Fix typos in events.rst (#3046)
    • dfa7d1a Merge branch 'release-1.18.64'
    • ff4db48 Merge branch 'release-1.18.64' into develop
    • 537c384 Bumping version to 1.18.64
    • a12c894 Add changelog entries from botocore
    • 331bedc Merge branch 'release-1.18.63'
    • 5dd6242 Merge branch 'release-1.18.63' into develop
    • Additional commits viewable in compare view

    dependencies python 
    opened by dependabot[bot] 0
  • Bump sqlalchemy-utils from 0.37.8 to 0.37.9

    Bumps sqlalchemy-utils from 0.37.8 to 0.37.9.

    Changelog

    Sourced from sqlalchemy-utils's changelog.

    Changelog

    Here you can see the full list of changes between each SQLAlchemy-Utils release.

    Commits

    dependencies python 
    opened by dependabot[bot] 0
  • Bump importlib-resources from 5.2.2 to 5.3.0

    Bumps importlib-resources from 5.2.2 to 5.3.0.

    Changelog

    Sourced from importlib-resources's changelog.

    v5.3.0

    • #80: Now raise a DeprecationWarning for all legacy functions. Instead, users should rely on the files() API introduced in importlib_resources 1.3. See Migrating from Legacy <https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy>_ for guidance on avoiding the deprecated functions.

    v5.2.3

    • Updated readme to reflect current behavior and show which versions correspond to which behavior in CPython.

    v5.0.7

    • bpo-45419: Correct DegenerateFiles.Path .name and .open() interfaces to match Traversable.
    Commits
    • 8ac7ab5 Merge pull request #236 from python/feature/deprecate-legacy
    • 239ae6d Provide references to relevant docs and protocol definition for ease-of-use.
    • ed3b2d3 Add section to the docs guiding the user on how to migrate (relying on the _l...
    • fda6cb2 Acknowledge and suppress warnings
    • 13d42b7 Update changelog.
    • 6065e26 Re-implement deprecation as a decorator.
    • 0ad6143 Emit deprecation warning on legacy functions.
    • b665a3e Update changelog.
    • 5a735fe Add compatibility matrix showing relevant versions.
    • 767bc87 Remove section of the readme that indicates deferring to stdlib. This project...
    • Additional commits viewable in compare view

    dependencies python 
    opened by dependabot[bot] 0
  • Bump stevedore from 3.4.0 to 3.5.0

    Bump stevedore from 3.4.0 to 3.5.0

    Bumps stevedore from 3.4.0 to 3.5.0.

    dependencies python 
    opened by dependabot[bot] 0
  • Bump webauthn from 0.4.7 to 1.0.0

    Bump webauthn from 0.4.7 to 1.0.0

    Bumps webauthn from 0.4.7 to 1.0.0.

    Release notes

    Sourced from webauthn's releases.

    v1.0.0-beta2

    No release notes provided.

    v1.0.0-beta1

    Preview release of the revitalized py_webauthn library. See PR #95

    Commits
    • 970c292 Merge pull request #98 from duo-labs/prepare-v1.0.0
    • 2e1171c Add mention of Pydantic for structs
    • a7a3a97 Drop beta tag
    • 2331c76 Add mention of webauthn.helpers.structs
    • 3649f68 Merge pull request #97 from duo-labs/fix-setup-py
    • 65f158b Update version to 1.0.0-beta2
    • 2c12de9 Update setup.py to use find_packages
    • 00e5dc8 Merge pull request #95 from duo-labs/lib-refresh
    • 8f22b04 Indicate Python 3.8 as minimum version
    • b78e0f3 Wrap python versions in strings and use v2
    • Additional commits viewable in compare view

    dependencies python 
    opened by dependabot[bot] 2
  • Sticky notification bar overlaps and hides search bar on website

    Sticky notification bar overlaps and hides search bar on website

    Describe the bug

    The new alert bar on PyPI overlaps and hides the search bar on PyPI when on a particular module page.

    Expected behavior

    Obviously one should have access to the search bar and I think there should be an option (like a ❌) to remove the bar if one needs to. It should be placed in a way that pushes the whole screen below by its height and is above to avoid any usage issues.

    Also, if a user opts to visit and provide feedback from there, the bar should not be there then but currently this is not the case.

    To Reproduce

    Visit here or any other similar page.

    My Platform

    OS: Windows 10/11
    Chrome: Version 94.0.4606.71 (Official Build) (64-bit)

    Additional context

    bug :bug: 
    opened by avats-dev 11
  • Non-http(s) URLs used in `project_urls` are rejected as invalid

    Non-http(s) URLs used in `project_urls` are rejected as invalid

    Describe the bug

    I recently updated one of my packages to have a few project_urls, including website, issue tracker and IRC. For the latter, I used a URL in the format of irc://example.com/#my-channel, which Firefox and other tools understand.

    Expected behavior

    Uploading the package should have worked fine.

    To Reproduce

    Try uploading a package with:

    project_urls={
        "Chat": "irc://example.com/#my-channel",
        # ...
    },
    

    My Platform

    I used twine to upload the package via GitHub Actions.

    I've pinpointed the issue down to this snippet, which tries to validate the URL as http or https, even in cases where it's a different schema.

    https://github.com/pypa/warehouse/blob/30a6733a3f4b91594ead39971277491a8b4bee67/warehouse/forklift/legacy.py#L337-L338

    Additional context

    I suspect that the validation is mostly an oversight of not taking this edge-case in mind; I can't imagine there was a strong reason to disallow non-https URLs.

    While I think there's definitely value in allowing them, in case there's a strong sentiment against this, it would at least make sense for the error message to be clearer. It was quite tricky for me to figure out exactly what the error was, since right now the validation response just says Use valid URL., without even indicating which URL is wrong or in what way.

    bug :bug: 
    opened by WhyNotHugo 0
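
The report above asks for two things: accept non-http(s) schemes such as `irc://`, and say which URL failed and why. The sketch below is an added example, not Warehouse's code: it checks a `project_urls` mapping against an explicit scheme allowlist and returns one message per rejected entry. The allowlist contents, function names and sample mapping are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: an illustrative allowlist, not Warehouse's actual policy.
# An allowlist (rather than "anything goes") keeps script-like schemes
# out of links that the index later renders on a project page.
ALLOWED_SCHEMES = frozenset({"http", "https", "irc", "ircs"})


def check_project_url(label, url):
    """Return None if the URL is acceptable, else a message naming the problem."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. an unterminated IPv6 literal
        return f"{label!r}: {url!r} is not parseable ({exc})"
    scheme = parts.scheme.lower()
    if not scheme:
        return f"{label!r}: {url!r} has no scheme"
    if scheme not in ALLOWED_SCHEMES:
        allowed = ", ".join(sorted(ALLOWED_SCHEMES))
        return (f"{label!r}: scheme {scheme!r} in {url!r} is not allowed "
                f"(allowed: {allowed})")
    if not parts.hostname:
        return f"{label!r}: {url!r} has no host"
    return None


def validate_project_urls(project_urls):
    """Validate a setup()-style project_urls mapping; return a list of errors."""
    errors = []
    for label, url in project_urls.items():
        problem = check_project_url(label, url)
        if problem:
            errors.append(problem)
    return errors


# Constructed sample input, modelled on the mapping in the report above.
SAMPLE = {
    "Homepage": "https://example.com/",
    "Chat": "irc://example.com/#my-channel",
    "Docs": "example.com/docs",
    "Widget": "javascript:void(0)",
    "Tracker": "https:///issues",
}

if __name__ == "__main__":
    for line in validate_project_urls(SAMPLE):
        print(line)
```

Each message carries the label, the offending value and the reason, which is the detail the generic "Use valid URL." response leaves out.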
Owner
Python Packaging Authority
A set of tools to keep your pinned Python dependencies fresh.

pip-tools = pip-compile + pip-sync A set of command line tools to help you keep your pip-based packages fresh, even when you've pinned them. You do pi

Jazzband 5.3k Oct 22, 2021
Install and Run Python Applications in Isolated Environments

pipx — Install and Run Python Applications in Isolated Environments Documentation: https://pipxproject.github.io/pipx/ Source Code: https://github.com

null 4.2k Oct 22, 2021
The Fast Cross-Platform Package Manager

The Fast Cross-Platform Package Manager part of mamba-org Package Manager mamba Package Server quetz Package Builder boa mamba Mamba is a reimplementa

Mamba 2.3k Oct 24, 2021
Conan - The open-source C/C++ package manager

Conan Decentralized, open-source (MIT), C/C++ package manager. Homepage: https://conan.io/ Github: https://github.com/conan-io/conan Docs: https://doc

Conan.io 5.3k Oct 22, 2021
A flexible package manager that supports multiple versions, configurations, platforms, and compilers.

Spack Spack is a multi-platform package manager that builds and installs multiple versions and configurations of software. It works on Linux, macOS, a

Spack 2.3k Oct 15, 2021
A PyPI mirror client according to PEP 381 http://www.python.org/dev/peps/pep-0381/

This is a PyPI mirror client according to PEP 381 + PEP 503 http://www.python.org/dev/peps/pep-0381/. bandersnatch >=4.0 supports Linux, MacOSX + Wind

Python Packaging Authority 263 Oct 17, 2021
pip-run - dynamic dependency loader for Python

pip-run provides on-demand temporary package installation for a single interpreter run. It replaces this series of commands (or their Windows equivale

Jason R. Coombs 61 Oct 2, 2021
OS-agnostic, system-level binary package manager and ecosystem

Conda is a cross-platform, language-agnostic binary package manager. It is the package manager used by Anaconda installations, but it may be used for

Conda 4.3k Oct 23, 2021
[DEPRECATED] YUM package manager

⛔ This project is deprecated. Please use DNF, the successor of YUM. YUM Yum is an automatic updater and installer for rpm-based systems. Included prog

null 94 Aug 5, 2021
The Python package installer

pip - The Python Package Installer pip is the package installer for Python. You can use pip to install packages from the Python Package Index and othe

Python Packaging Authority 7.5k Oct 23, 2021
Python Development Workflow for Humans.

Pipenv: Python Development Workflow for Humans [ ~ Dependency Scanning by PyUp.io ~ ] Pipenv is a tool that aims to bring the best of all packaging wo

Python Packaging Authority 22.4k Oct 24, 2021
:package: :fire: Python project management. Manage packages: convert between formats, lock, install, resolve, isolate, test, build graph, show outdated, audit. Manage venvs, build package, bump version.

THE PROJECT IS ARCHIVED Forks: https://github.com/orsinium/forks DepHell -- project management for Python. Why it is better than all other tools: Form

DepHell 1.7k Oct 22, 2021
Package manager based on libdnf and libsolv. Replaces YUM.

Dandified YUM Dandified YUM (DNF) is the next upcoming major version of YUM. It does package management using RPM, libsolv and hawkey libraries. For m

null 911 Oct 17, 2021
Python dependency management and packaging made easy.

Poetry: Dependency Management for Python Poetry helps you declare, manage and install dependencies of Python projects, ensuring you have the right sta

Poetry 16.8k Oct 24, 2021
Solaris IPS: Image Packaging System

Solaris Image Packaging System Introduction The image packaging system (IPS) is a software delivery system with interaction with a network repository

Oracle 47 Sep 17, 2021