pip + poetry
Package manager version
Poetry version 1.1.11
Manifest location and content prior to update
Bump docxtpl from 0.14.1 to 0.14.2
What you expected to see, versus what you actually saw
I have a private registry with `secondary = true` in my `pyproject.toml`, i.e. I intend to use it only for my private packages, not overriding the global PyPI.
Poetry correctly locks only the private package to this repo (see https://github.com/maksbotan/dependabot-poetry-demo/blob/7c539a42a3e2ff108140827142be6bd19e8c5767/poetry.lock#L299-L302).
But Dependabot's update locks all packages to this private repo, including the ones from the global PyPI. See this diff: https://github.com/maksbotan/dependabot-poetry-demo/pull/7/files#diff-f53a023eedfa3fbf2925ec7dc76eecdc954ea94b7e47065393dbad519613dc89
Note that all packages got a `[[package.source]]` section, with a bogus `reference` at that. And the one with the correct reference got rewritten:
Native package manager behavior
Poetry will not try to get a dependency from a private repo with `secondary = true` unless explicitly told to.
By the way, this exact bug was present in Poetry 1.1.4 and was only fixed in 1.1.10. See the relevant issue: https://github.com/python-poetry/poetry/issues/3306. Maybe it would be enough to update the Poetry version used by Dependabot?
Images of the diff or a link to the PR, issue or logs
```
updater | INFO <job_231638073> Checking if boto3 1.20.0 needs updating
proxy | 2021/11/10 20:25:06  GET https://pypi.org:443/simple/boto3/
proxy | 2021/11/10 20:25:06  200 https://pypi.org:443/simple/boto3/
proxy | 2021/11/10 20:25:08  GET https://gitlab.math.bio:443/api/v4/groups/biocad/-/packages/pypi/simple/boto3/
proxy | 2021/11/10 20:25:08  * authenticating python index request (host: gitlab.math.bio)
proxy | 2021/11/10 20:25:09  302 https://gitlab.math.bio:443/api/v4/groups/biocad/-/packages/pypi/simple/boto3/
proxy | 2021/11/10 20:25:09  GET https://pypi.org:443/simple/boto3/
proxy | 2021/11/10 20:25:09  200 https://pypi.org:443/simple/boto3/
updater | INFO <job_231638073> Latest version is 1.20.3
```
Here it can be seen that Dependabot checks for this package in the private repo (even though the lock file states that this should not happen) and finds it there (since the repo redirects unknown packages to the global PyPI).
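As an added check (example code, not part of this issue, of Poetry or of Dependabot), the script below reads a `poetry.lock` and reports every package whose `[package.source]` pins it to a private index without being one of the packages that are supposed to come from there. This is the condition the diff above exhibits: public packages such as `boto3` end up with a source entry for the private repo, so `poetry install` would fetch them through that index (and whatever it proxies or redirects to) instead of straight from PyPI. The Poetry 1.1 lock layout (`[[package]]` tables with an optional `[package.source]` sub-table carrying `type`, `url` and `reference`), the private index URL, the allow-list of genuinely private packages and both sample lock texts are constructed for illustration.

```python
"""Flag packages in a poetry.lock that are pinned to a private index.

Added example, not code from the issue, Poetry or Dependabot. Assumes the
Poetry 1.1 lock layout: each [[package]] table may carry a [package.source]
sub-table with "type", "url" and "reference". PRIVATE_URL, ALLOWED_PRIVATE
and the two sample lock texts are all constructed, not taken from the issue.
"""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed stand-in for a `secondary = true` source in pyproject.toml:
#   [[tool.poetry.source]]
#   name = "gitlab"
#   url = "https://gitlab.example.com/api/v4/groups/example/-/packages/pypi/simple"
#   secondary = true
PRIVATE_URL = "https://gitlab.example.com/api/v4/groups/example/-/packages/pypi/simple"
ALLOWED_PRIVATE = {"my-private-lib"}  # packages that really live on the private index

# Constructed sample of a correct lock: only the private package carries a source.
GOOD_LOCK = """
[[package]]
name = "boto3"
version = "1.20.0"
description = "The AWS SDK for Python"
category = "main"
optional = false
python-versions = ">= 3.6"

[[package]]
name = "my-private-lib"
version = "0.3.0"
description = "Internal helper"
category = "main"
optional = false
python-versions = ">=3.8"

[package.source]
type = "legacy"
url = "https://gitlab.example.com/api/v4/groups/example/-/packages/pypi/simple"
reference = "gitlab"
"""

# Constructed sample of the faulty output: every package, public ones included,
# is pinned to the private index. "bogus" stands in for the wrong reference.
BAD_LOCK = "\n".join(
    f"""
[[package]]
name = "{name}"
version = "{version}"
description = ""
category = "main"
optional = false
python-versions = "*"

[package.source]
type = "legacy"
url = "https://gitlab.example.com/api/v4/groups/example/-/packages/pypi/simple/"
reference = "bogus"
"""
    for name, version in [("boto3", "1.20.3"), ("docxtpl", "0.14.2"), ("my-private-lib", "0.3.0")]
)


def private_pins(lock_text: str, private_url: str) -> dict[str, str]:
    """Map package name -> source.reference for every package whose lock entry
    pins it to private_url (trailing slashes are ignored when comparing)."""
    data = tomllib.loads(lock_text)
    wanted = private_url.rstrip("/")
    pinned: dict[str, str] = {}
    for pkg in data.get("package", []):
        source = pkg.get("source")
        if source and source.get("url", "").rstrip("/") == wanted:
            pinned[pkg["name"]] = source.get("reference", "")
    return pinned


def unexpected_private_pins(lock_text: str, private_url: str, allowed: set[str]) -> list[str]:
    """Names pinned to the private index that are not known private packages.
    With a secondary source these should come from PyPI, not the private repo."""
    return sorted(name for name in private_pins(lock_text, private_url) if name not in allowed)


if __name__ == "__main__":
    print("good lock:", unexpected_private_pins(GOOD_LOCK, PRIVATE_URL, ALLOWED_PRIVATE))
    print("bad lock:", unexpected_private_pins(BAD_LOCK, PRIVATE_URL, ALLOWED_PRIVATE))
```

Running this against a real lock file (`tomllib.loads(open("poetry.lock").read())`) with the project's actual private URL and allow-list gives a quick gate for a Dependabot PR: any name in the result means a public dependency has been re-pointed at the private index and the PR should not be merged as is.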
🕹 Bonus points: Smallest manifest that reproduces the issue