Poetry trying to install everything from private repository

Question

I'm trying to install dependencies both from pypi and a private repo, here's my original pyproject.toml, following the official documentation:

[tool.poetry]
name = "project_name"
version = "0.1.0"
description = ""
authors = ["Me <[email protected]>"]

[[tool.poetry.source]]
name = "private"
url = "https://url/to/private_repo"
secondary = true

[tool.poetry.dependencies]
python = "^3.9"
Flask = "^2.1.2"
private_package = "*"

[tool.poetry.dev-dependencies]
black = "^22.6.0"
mypy = "^0.961

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"

However, running poetry install results in poetry trying to install every requirement from the private repo, at least that's what I understand from the resulting traceback:

❯ poetry install
Updating dependencies
Resolving dependencies... (0.2s)

  RepositoryError

  403 Client Error: Forbidden for url: https://url/to/private_repo/mypy/

  at ~/.local/lib/python3.9/site-packages/poetry/repositories/legacy_repository.py:393 in _get
      389│             if response.status_code == 404:
      390│                 return
      391│             response.raise_for_status()
      392│         except requests.HTTPError as e:
    → 393│             raise RepositoryError(e)
      394│ 
      395│         if response.status_code in (401, 403):
      396│             self._log(
      397│                 "Authorization error accessing {url}".format(url=url), level="warn"

As you can see, it seems that poetry is trying to install mypy from https://url/to/private_repo/mypy/.

So far I have tried to:

• explicitly set the source for each dependency in the pyproject.toml file (e.g: mypy = {version = "^0.961", source = "pypi"}): then the same thing happens with subdependencies
• set the private repository url via the command poetry config repositories.private https://url/to/private_repo: does not seem to have any impact
• all possible combinations of the default and secondary keys for [[tool.poetry.source]]: nothing helps
• adding the private dependency with poetry add private_package --source private
• adding explicitly a source to official pypi and set it as default
• I clear the cache when trying something

N.B: the private repo I'm trying to install from does not require any kind of authentication

Experiencing this behaviour with versions:

• 1.1.4
• 1.1.3
• 1.1.2

Answer 1

I refer you to https://github.com/python-poetry/poetry/issues/6713. What I believe you are looking for is how to get poetry to mimic pip install --extra-index-url.

I resolved this issue by specifying the priority of my private repository as supplemental:

[tool.poetry.dependencies]
torch = {version = "^2.0.1+cu118", source = "torch"}
onnxruntime = "^1.15.0"

[[tool.poetry.source]]
name = "PyPI"
priority = "primary"

[[tool.poetry.source]]
name = "torch"
url = "https://download.pytorch.org/whl/cu118"
priority = "supplemental"

With this setup only the torch package will be resolved from https://download.pytorch.org/whl/cu118. All other dependencies (packages torch depends on as well as onnxruntime) will be resolved from PyPI.