How do I install packages from test.pypi.org using poetry?

I want to use a pre-release version of a package (https://test.pypi.org/project/delta-spark/2.1.0rc1/) in my project.

I'm using poetry to manage my pyproject.toml. How do I do this?

In other words what is the poetry equivalent of:

pip install -i https://test.pypi.org/simple/ delta-spark==2.1.0rc1

I tried:

  • poetry add delta-spark==2.1.0rc1
  • poetry add --allow-prereleases delta-spark==2.1.0rc1

Both give: Could not find a matching version of package delta-spark


$ poetry config --local repositories.test-pypi https://test.pypi.org/
$ poetry config --list | fgrep repositories
repositories.test.url = "https://test.pypi.org/"
repositories.test-pypi.url = "https://test.pypi.org/"
$ fgrep -A 3 tool.poetry.source pyproject.toml 
[[tool.poetry.source]]
name = "test-pypi"
url = "https://test.pypi.org/"
secondary = true
$ poetry add --group dev delta-spark==2.1.0rc1

Could not find a matching version of package delta-spark
$ 
Kashyap asked Nov 24 '25 17:11


2 Answers

This is described here. Basically, you can add the repository via:

poetry config repositories.test https://test.pypi.org/simple/

and then make it available in pyproject.toml via:

[[tool.poetry.source]]
name = "test"
url = "https://test.pypi.org/simple/"
secondary = true

Then adding the dependency should work.

a_guest answered Nov 26 '25 07:11


In poetry 1.5.0, secondary = true has been deprecated.

Here's a safer solution, to make sure that only the package you want is downloaded from TestPyPi:

[[tool.poetry.source]]
name = "test-pypi"
url = "https://test.pypi.org/simple/"
priority = "explicit"

[tool.poetry.dependencies]
my-package = {version = "0.1.1", source = "test-pypi"}

Why is it safer?

According to poetry's documentation, secondary sources have been deprecated.

Using TestPyPi as a secondary source is problematic for two reasons:

  1. It is applied to all your project dependencies, not just the ones for which you want to use the version from TestPyPi.
  2. TestPyPi is always called for each dependency, even when a compatible version was found in the primary source.

This makes you vulnerable to dependency confusion attacks:

Imagine you use some famous package famous-package = "^1.2.0" in your dependencies, and that this package does not exist on TestPyPi (because the developer never pushed it there). Then anyone can push an infected version 1.99.99 of famous-package to TestPyPi, and your project will download it. It can then run arbitrary code on your computer.

To avoid this, poetry recommends replacing priority = "secondary" with priority = "supplemental", which means the source will only be called if the primary source does not find any compatible package distribution.

But it's even safer to use priority = "explicit" and then explicitly choose which packages should be downloaded from TestPyPi.

FurryMachine answered Nov 26 '25 05:11
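The two answers above describe the same source-priority rules from different sides: the first answer's `secondary = true` applies test.pypi.org to every dependency, while the second answer's `priority = "explicit"` plus a per-dependency `source` restricts it to one package. The following script is an added example (not code from either answer, nor from Poetry itself) that audits a `pyproject.toml` for exactly that exposure. It assumes Python 3.11+ for the standard-library `tomllib` (or the `tomli` backport on older interpreters); the two embedded `pyproject.toml` documents are constructed samples built from the snippets in the answers, and the severity labels are the script's own.

```python
"""Audit Poetry package sources in a pyproject.toml for dependency-confusion
exposure.  Added example: not code from the original answers or from Poetry."""
try:
    import tomllib  # standard library since Python 3.11 (assumption: 3.11+)
except ModuleNotFoundError:  # older interpreter: use the third-party backport
    import tomli as tomllib  # type: ignore[no-redef]

# Constructed sample 1: the pattern from the first answer.  "secondary = true"
# means every dependency is also looked up on test.pypi.org.
RISKY_PYPROJECT = """
[tool.poetry]
name = "demo"
version = "0.1.0"

[[tool.poetry.source]]
name = "test-pypi"
url = "https://test.pypi.org/simple/"
secondary = true

[tool.poetry.dependencies]
python = "^3.11"
famous-package = "^1.2.0"
delta-spark = "2.1.0rc1"
"""

# Constructed sample 2: the pattern from the second answer.  Only the
# dependency that names the source is ever fetched from it.
SAFE_PYPROJECT = """
[tool.poetry]
name = "demo"
version = "0.1.0"

[[tool.poetry.source]]
name = "test-pypi"
url = "https://test.pypi.org/simple/"
priority = "explicit"

[tool.poetry.dependencies]
python = "^3.11"
famous-package = "^1.2.0"
delta-spark = {version = "2.1.0rc1", source = "test-pypi"}
"""


def effective_priority(source: dict) -> str:
    """Map the pre-1.5 boolean keys (default/secondary) and the 1.5+ 'priority'
    key onto one vocabulary: default, primary, secondary, supplemental, explicit."""
    if source.get("secondary") is True:
        return "secondary"
    if source.get("default") is True:
        return "default"
    return source.get("priority", "primary")


def all_dependencies(poetry: dict) -> dict:
    """Merge the main dependencies with every dependency group (e.g. --group dev)."""
    deps = dict(poetry.get("dependencies", {}))
    for group in poetry.get("group", {}).values():
        deps.update(group.get("dependencies", {}))
    deps.pop("python", None)  # interpreter constraint, not a package
    return deps


def audit_sources(pyproject_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means no exposure found."""
    poetry = tomllib.loads(pyproject_text).get("tool", {}).get("poetry", {})
    sources = poetry.get("source", [])
    deps = all_dependencies(poetry)
    declared = {s.get("name") for s in sources}
    findings: list[tuple[str, str]] = []

    # Dependencies that pin a source, grouped by source name; the rest are
    # "unpinned" and are resolved from whatever sources Poetry consults.
    pinned: dict[str, list[str]] = {name: [] for name in declared}
    unpinned: list[str] = []
    for dep, spec in sorted(deps.items()):
        src = spec.get("source") if isinstance(spec, dict) else None
        if src is None:
            unpinned.append(dep)
        elif src not in declared:
            findings.append(("error", f"{dep} names undeclared source {src!r}"))
        else:
            pinned[src].append(dep)

    for source in sources:
        name, prio = source.get("name", "<unnamed>"), effective_priority(source)
        if prio == "secondary":
            findings.append(("high", f"source {name!r} is secondary (deprecated): "
                             f"queried for every dependency, so {unpinned} can be "
                             "shadowed by a higher version published there"))
        elif prio == "supplemental":
            findings.append(("medium", f"source {name!r} is supplemental: queried "
                             f"whenever the primary source has no compatible version, "
                             f"so any of {unpinned} missing upstream is served from it"))
        elif prio == "primary":
            findings.append(("medium", f"source {name!r} is primary: queried for "
                             f"every dependency without a pinned source: {unpinned}"))
        elif prio == "default":
            findings.append(("info", f"source {name!r} replaces PyPI as default; "
                             f"all unpinned dependencies {unpinned} come from it"))
        elif prio == "explicit" and not pinned[name]:
            findings.append(("info", f"source {name!r} is explicit but unused"))
        elif prio != "explicit":
            findings.append(("error", f"source {name!r} has unknown priority {prio!r}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("risky", RISKY_PYPROJECT), ("safe", SAFE_PYPROJECT)):
        print(f"== {label} ==")
        for severity, message in audit_sources(doc) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it on a real project with `audit_sources(open("pyproject.toml").read())`; anything rated `high` or `medium` means a package name that does not exist on the extra index can be claimed there and win resolution, which is the scenario the answer describes. The `explicit` case produces no finding only when at least one dependency actually names the source, because an explicit source that nothing uses usually signals a half-finished migration from `secondary`.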
