# Specifying Package Indexes
The default Python package index is [pypi.org](https://pypi.org).
Sometimes you need to work with alternative or additional package indexes.
## Index Restricted Packages
Starting in release `2022.3.23`, each package is mapped to exactly one package index, for security reasons (see the note on dependency confusion below).
Packages with no index specified are resolved from the default index source, which is PyPI.
To install a specific package from an alternate package index, reference that index by its `name`, as in the following example:
```toml
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[[source]]
url = "https://download.pytorch.org/whl/cu113/"
verify_ssl = false
name = "pytorch"

[dev-packages]

[packages]
torch = {version="*", index="pytorch"}
numpy = {version="*"}
```
Note that the example above sets `verify_ssl = false` for the `pytorch` source, which disables TLS certificate verification for that index; leave `verify_ssl = true` unless you have a specific reason not to.
You may install a package such as the example `torch` from the named index `pytorch` using the CLI by running
the following command:
`pipenv install torch --index=pytorch`
Alternatively the index may be specified by its full URL. It will then be added to the `Pipfile` with a generated name,
unless a source with that URL already exists, in which case the existing name will be reused when pinning the package index.
```{note}
In prior versions of `pipenv` you could pass `--extra-index-url` through to the `pip` resolver and avoid matching the expected index by name.
That functionality was deprecated in favor of index restricted packages, a simpler model that is also more security-conscious.
The pip documentation has the following warning around the `--extra-index-url` option:
> Using this option to search for packages which are not in the main repository (such as private packages) is unsafe,
> per a security vulnerability called dependency confusion: an attacker can claim the package on the public repository
> in a way that will ensure it gets chosen over the private package.
```
To use a default index other than PyPI, simply omit PyPI from the
sources in your `Pipfile`. When PyPI is omitted, any public packages required either directly or
as sub-dependencies must be mirrored onto your private index, or they will not resolve. This matches the
standard recommendation of `pip` maintainers: "To correctly make a private project installable is to point
--index-url to an index that contains both PyPI and their private projects—which is our recommended best practice."
The rules above apply to both `lock` resolution and `sync` of packages. Once the resolution and the lock file
have been produced under the single-index rule, it is possible to safely search multiple indexes
for those packages when running `pipenv sync` or `pipenv install --deploy`, because each installed artifact is verified
against the hashes recorded in `Pipfile.lock` during that locking cycle. The hash check is what makes this safe: an artifact
served by an unexpected index whose hash does not match the lock file is rejected.
To enable this non-default behavior, add the `install_search_all_sources = true` option
to the `[pipenv]` section of your `Pipfile`:

```toml
[pipenv]
install_search_all_sources = true
```
**Note:** The locking cycle still requires that each package be resolved from a single index. This feature was
requested as a workaround to support organizations where not everyone has access to every package source.
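The following script is an added example, not part of pipenv, that audits a parsed `Pipfile` for the rules described in this section: sources with `verify_ssl = false`, an `index` value on a package that names no declared `[[source]]`, and `install_search_all_sources = true` with more than one source (where only the `Pipfile.lock` hashes stand between you and an unexpected index). It assumes Python 3.11+ for the optional `tomllib` loader, and the two sample Pipfiles (the weak one built from the page's example plus an undeclared `private` index, and a hardened counterpart with the hypothetical URL `https://pypi.example.internal/simple`) are constructed for the example.

```python
"""Audit a parsed Pipfile for the index-pinning rules described above.

Added example, not part of pipenv. The sample Pipfiles at the bottom are
constructed for this example; the audit itself works on the dict that a
TOML parser produces from any Pipfile.
"""
from __future__ import annotations


def load_pipfile(text: str) -> dict:
    """Parse Pipfile text; a Pipfile is TOML, so the stdlib parser is enough.

    Assumes Python 3.11+ (tomllib); on older interpreters the `tomli`
    package provides the same API.
    """
    try:
        import tomllib as toml  # Python 3.11+
    except ImportError:  # pragma: no cover
        import tomli as toml  # type: ignore[no-redef]
    return toml.loads(text)


def audit_pipfile(pipfile: dict) -> list[tuple[str, str]]:
    """Return (kind, message) findings; an empty list means nothing was flagged."""
    findings: list[tuple[str, str]] = []
    sources = pipfile.get("source", [])
    names = [src.get("name") for src in sources]

    for src in sources:
        name, url = src.get("name"), src.get("url")
        # `index = "..."` on a package is matched by source name, so every
        # source needs a unique one.
        if not name or names.count(name) > 1:
            findings.append(("source-name", f"source {url} has a missing or duplicate name {name!r}"))
        # verify_ssl = false accepts any certificate, so an on-path attacker
        # can serve arbitrary wheels for that index.
        if not src.get("verify_ssl", True):
            findings.append(("verify_ssl", f"source {name!r} ({url}) has verify_ssl = false"))

    for section in ("packages", "dev-packages"):
        for pkg, spec in pipfile.get(section, {}).items():
            if not isinstance(spec, dict):
                continue  # plain version strings such as numpy = "*" use the default index
            index = spec.get("index")
            if index is not None and index not in names:
                findings.append(("undeclared-index",
                                 f"{section}/{pkg}: index {index!r} is not a declared [[source]]"))

    search_all = pipfile.get("pipenv", {}).get("install_search_all_sources", False)
    if search_all and len(sources) > 1:
        findings.append(("search-all-sources",
                         f"install_search_all_sources is true with {len(sources)} sources; "
                         "sync/--deploy will consult every index and relies on Pipfile.lock hashes"))
    return findings


# Constructed sample: the page's example Pipfile, plus a package pinned to an
# index that was never declared and the search-all-sources flag turned on.
WEAK_PIPFILE = {
    "source": [
        {"url": "https://pypi.org/simple", "verify_ssl": True, "name": "pypi"},
        {"url": "https://download.pytorch.org/whl/cu113/", "verify_ssl": False, "name": "pytorch"},
    ],
    "packages": {
        "torch": {"version": "*", "index": "pytorch"},
        "numpy": {"version": "*"},
        "internal-tool": {"version": "*", "index": "private"},  # constructed: no such source
    },
    "dev-packages": {},
    "pipenv": {"install_search_all_sources": True},
}

# Corrected form: TLS verified for every source, the private index declared
# (hypothetical URL), and lock/sync left at the single-index default.
HARDENED_PIPFILE = {
    "source": [
        {"url": "https://pypi.org/simple", "verify_ssl": True, "name": "pypi"},
        {"url": "https://download.pytorch.org/whl/cu113/", "verify_ssl": True, "name": "pytorch"},
        {"url": "https://pypi.example.internal/simple", "verify_ssl": True, "name": "private"},
    ],
    "packages": {
        "torch": {"version": "*", "index": "pytorch"},
        "numpy": {"version": "*"},
        "internal-tool": {"version": "*", "index": "private"},
    },
    "dev-packages": {},
}

if __name__ == "__main__":
    for label, pipfile in (("weak", WEAK_PIPFILE), ("hardened", HARDENED_PIPFILE)):
        results = audit_pipfile(pipfile)
        print(f"{label}: {len(results)} finding(s)")
        for kind, message in results:
            print(f"  [{kind}] {message}")
```

To audit a real project, read the file and pass `load_pipfile(open("Pipfile").read())` to `audit_pipfile`; a non-empty result is a reasonable CI gate before `pipenv lock` runs.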
## Using a PyPI Mirror
If you have access to a mirror of PyPI and wish to substitute your mirror's URL for the default pypi.org index,
supply the `--pypi-mirror <mirror_url>` argument to these commands:

```
$ pipenv install --pypi-mirror <mirror_url>
$ pipenv update --pypi-mirror <mirror_url>
$ pipenv sync --pypi-mirror <mirror_url>
$ pipenv lock --pypi-mirror <mirror_url>
$ pipenv uninstall --pypi-mirror <mirror_url>
```
Note that setting the `PIPENV_PYPI_MIRROR` environment variable is equivalent to passing `--pypi-mirror <mirror_url>`.