Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build.check_dependency ignores URL reqs with names that match an installed distribution #860

Open
gschaffner opened this issue Feb 15, 2025 · 1 comment
Open

build.check_dependency ignores URL reqs with names that match an installed distribution #860

gschaffner opened this issue Feb 15, 2025 · 1 comment

Comments

@gschaffner
Copy link

When build.check_dependency sees a URL req with a name that matches an installed distribution, it considers the URL req met. For example:

import importlib.metadata

import build


def get_version(distribution_name: str) -> str | None:
    try:
        return importlib.metadata.version(distribution_name)
    except ModuleNotFoundError:
        return None


# Some version of packaging is installed:
packaging_ver = importlib.metadata.version("packaging")
assert packaging_ver is not None and packaging_ver != "24.1"
print(
    f"{tuple(build.check_dependency("packaging @ git+https://github.com/pypa/[email protected]")) = !r}"
)

# No version of sniffio is installed:
sniffio_ver = get_version("sniffio")
assert sniffio_ver is None
print(
    f"{tuple(build.check_dependency("sniffio @ git+https://github.com/python-trio/[email protected]")) = !r}"
)

Output (in a venv with packaging==24.2 and without sniffio):

tuple(build.check_dependency("packaging @ git+https://github.com/pypa/[email protected]")) = ()
tuple(build.check_dependency("sniffio @ git+https://github.com/python-trio/[email protected]")) = (('sniffio@ git+https://github.com/python-trio/[email protected]',),)

The packaging URL req is reported as met but it is not. The sniffio URL req is correctly reported as unmet.

With check_dependency's current documentation, this seems like a bug; it should be able to verify that URL reqs are met.

Is it possible via PEP 610?

     try:
         dist = importlib.metadata.distribution(req.name)
     except importlib.metadata.PackageNotFoundError:
         # dependency is not installed in the environment.
         yield (*ancestral_req_strings, normalised_req_string)
     else:
         if req.specifier and not req.specifier.contains(dist.version, prereleases=True):
             # the installed version is incompatible.
             yield (*ancestral_req_strings, normalised_req_string)
+        elif req.url and pseudocode(dist.origin != req.url):
+            yield (*ancestral_req_strings, normalised_req_string)
         elif dist.requires:
             for other_req_string in dist.requires:
                 # yields transitive dependencies that are not satisfied.
                 yield from check_dependency(other_req_string, (*ancestral_req_strings, normalised_req_string), req.extras)
@gschaffner gschaffner mentioned this issue Feb 15, 2025
Open
@henryiii
Copy link
Contributor

I think this could be done, it seems like the parts are there. Though I'm not sure you want to be this picky with dependencies - if a @ ... is requested and someone has a installed but not specifically that version, build would fail the check, which for us is on by default. Checking these dependencies is already problematic (say if a user installs something a different way), so this could make it worse. But I think it's fairly reasonable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@henryiii @gschaffner