I use pip/poetry/Pipenv to install dependencies depending on what is less broken and painful in a given month. I have a private pypi compatible repo and have many dependencies on public pypi.
I can see that when a dependency is missing from the private repo or if the private repo is misconfigured, pip will try to get the dependency from public pypi, which at best is the wrong package and at worst is malicious code, as described here.
Is there any way to tell pip, poetry and/or Pipenv which repository it should use on a per package basis without fallback behaviors?
It looks like registering all my private package names on public pypi is considered name squatting and is against pypi's rules.
This is different from the various questions on how to install from a private repository. The question is how to force the package manager to only install a package from the specified repository when there are unavoidably two or more repositories.
You can specify whatever package index you like in pipenv. This is an example from the advanced usage docs for pipenv. More usage and separate use cases can be found here.
# Each [[source]] declares a named index; the name is what packages refer to.
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[[source]]
url = "http://pypi.home.kennethreitz.org/simple"
verify_ssl = false
name = "home"

[dev-packages]

[packages]
# index = "<source name>" pins the package to that index only.
requests = {version="*", index="home"}
maya = {version="*", index="pypi"}
# No index given: resolution is left to pipenv's default source handling.
records = "*"
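A small audit that makes the answer's point checkable is worth having in CI: parse the Pipfile and flag every dependency that is not pinned to a declared `[[source]]`, plus any source that is reachable over plaintext HTTP or has `verify_ssl = false`. The script below is an added example, not part of the answer above or of the pipenv project; the embedded Pipfile text is a constructed copy of the answer's layout, the finding codes (`UNPINNED`, `UNKNOWN_INDEX`, `INSECURE_SOURCE`) are my own naming, and it assumes Python 3.11+ for the standard-library `tomllib` parser (falling back to the `tomli` package on older interpreters).

```python
"""Audit a Pipfile for dependencies that could resolve from an unintended index.

Added example (not from the question, the answer, or pipenv itself).
Requires Python 3.11+ for tomllib, or the third-party 'tomli' package.
"""
try:
    import tomllib  # stdlib TOML parser, Python 3.11+
except ImportError:  # pragma: no cover - older interpreters
    import tomli as tomllib  # type: ignore

# Constructed sample: the same layout as the Pipfile shown in the answer.
SAMPLE_PIPFILE = """
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[[source]]
url = "http://pypi.home.kennethreitz.org/simple"
verify_ssl = false
name = "home"

[dev-packages]

[packages]
requests = {version="*", index="home"}
maya = {version="*", index="pypi"}
records = "*"
"""

# Finding codes are this example's own convention, not pipenv's.
UNPINNED = "UNPINNED"              # dependency names no index at all
UNKNOWN_INDEX = "UNKNOWN_INDEX"    # dependency names an index that is not declared
INSECURE_SOURCE = "INSECURE_SOURCE"  # source uses http:// or verify_ssl = false


def audit_pipfile(text):
    """Return a list of (code, name) findings for the given Pipfile text.

    Package findings come first (in [packages] then [dev-packages] order),
    followed by source findings, so the output is stable for comparison.
    """
    data = tomllib.loads(text)
    sources = {s["name"]: s for s in data.get("source", [])}
    findings = []

    for section in ("packages", "dev-packages"):
        for name, spec in data.get(section, {}).items():
            # A bare version string such as "*" carries no index at all.
            index = spec.get("index") if isinstance(spec, dict) else None
            if index is None:
                findings.append((UNPINNED, name))
            elif index not in sources:
                findings.append((UNKNOWN_INDEX, name))

    for name, src in sources.items():
        url = src.get("url", "")
        if url.startswith("http://") or not src.get("verify_ssl", True):
            findings.append((INSECURE_SOURCE, name))

    return findings


if __name__ == "__main__":
    for code, name in audit_pipfile(SAMPLE_PIPFILE):
        print(f"{code}: {name}")
```

Running it against the sample reports `records` as unpinned (no `index`, so its origin is left to pipenv's defaults) and `home` as an insecure source (plaintext URL with verification disabled); a clean Pipfile yields an empty list, which is the condition to gate on.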