Support for PEP 792

[woodruffw]

Summary

PEP 792 is now final and has a living PyPA spec.

TL;DR: PEP 792 defines "project status markers," which are project-wide states that get presented in the standard JSON and HTML indices.

For example, here's a project that's been marked as archived, meaning that it won't receive new releases:

% curl -s -H "Accept: application/vnd.pypi.simple.v1+json" https://pypi.org/simple/pepy/ |  jq '."project-status"'
{
  "status": "archived"
}

These markers are optional in the index API v1.4 and above; in earlier (<= 1.3) responses, the client should assume that all projects have the active status. Any 1.4+ response that doesn't have a status also defaults to active.

Example

PEP 792 suggests that installers produce appropriate warnings on the following statuses:

• archived: the installer should warn that the project does not expect to be updated in the future
• deprecated: the installer should warn that the project is considered obsolete by its maintainers
• quarantined: the installer should warn that the project is considered unsafe for any use (e.g. malicious). the index will prevent resolution of quarantined projects anyways, but the warning will help users understand why the resolution subsequently fails 🙂

In terms of where this should happen: I think it probably makes the most sense for these to be propagated on any environment-changing command, e.g. uv add, uv sync, uv pip install.

Subtasks:

• Data modeling + extract status markers from the detail responses (Initial PEP 792 types and index parsing #17311)
• Plumb status markers into the internal representation
  • Avoid ambiguous associated item references rkyv/rkyv#646
  • PEP 792: plumb statuses into internal representation #17631
• Plumb status markers into lockfiles? I'm not sure if this makes sense yet; they shouldn't change very often, but when they do change it could be confusing to users to have them locked.
• Propagate relevant statuses as warnings (e.g. warn users when they request a quarantined / archived / deprecated project)

[woodruffw]

I thought a bit more about a minimally intrusive design here, and here's what I'm thinking:

• uv gains a status-policy configuration/argument, like so:

[tool.uv.status-policy]
status = "policy"

...where status is archived | quarantined | deprecated | *, and policy is one of allow | warn | deny.

The default policy if none is specified is:

[tool.us.status-policy]
"*" = "allow"

i.e., don't enforce any controls on status markers. We could change this to a more restrictive default policy with a future breaking release as well.

By example:

Warn when a project becomes archived or deprecated, reject resolutions against quarantined projects (these will fail anyways, but denying at the policy level will produce a better error message):

[tool.uv.status-policy]
archived = "warn"
deprecated = "warn"
quarantined = "deny"

Some thoughts on this:

• I don't love the name status-policy, it's kind of generic. Maybe status-controls? status-filters? Something else?

• The layout itself might not be optimal. Other options (not exhaustive) would be:

  Inverting the pairs:

  [tool.uv.status-policy]
  warn = ["archived", "deprecated"]

  Exposing the ordering more explicitly:

  [tool.uv.status-policy]
  # warn at 'archived' and higher
  warn-at = "archived"
  # deny at 'quarantined' and higher, which would be just 'quarantined'
  deny-at = "quarantined"

  I kind of like doing it with the ordering, although there's no guarantee in the PEP that any future status markers will be obviously order-able like the current ones are.

CC @zanieb and @konstin for design opinions 🙂

[konstin]

TBH for me both of those look good:

[tool.uv.status-policy]
archived = "warn"
deprecated = "warn"
quarantined = "deny"

[tool.uv.status-policy]
warn = ["archived", "deprecated"]

To add another option to the bikeshed, tool.uv.project-status makes it clear what kind of status this is about, and the values in the field show it's a policy.

I'm not aware of a similar linting system in the uv config, can we use ruff or ty as reference?

[woodruffw]

To add another option to the bikeshed, tool.uv.project-status makes it clear what kind of status this is about, and the values in the field show it's a policy.

True, I like that name more.

I'll look at ruff and ty for some inspiration here! @zanieb also raised a good point (in a 1-1 we had) that this is sort of a linting problem rather than a packaging problem per se, so there's a good argument to be made that it potentially belongs in Ruff instead. Although the nuance with that is that Ruff doesn't have (many? any?) pyproject/uv.lock lints at the moment, and it touches distribution names rather than import names (which I don't believe Ruff has any opinions about ATM).

[konstin]

The related question to linting is whether is archived and deprecated are problematic enough that you'd want to deny the package outright? quarantined is index-enforced, but for the other two, what's the right place to inform the user about them? I'd e.g. like to know when a package in my dependency tree is deprecated and archived, but not necessarily on every operation.

[woodruffw]

I'd e.g. like to know when a package in my dependency tree is deprecated and archived, but not necessarily on every operation.

Yeah, that's a good point. The more I think about this the more it seems to me like a variant of the uv audit design topic (in #9189), since trying to do this in an implicit flow (i.e., activated automatically whenever the user does normal package management things) is likely to be pretty annoying/fatigue-inducing for users.

So, maybe there are two things here:

1. On lockfile-mutating commands (uv sync, uv pip install), we check the project status and warn/deny on it per the settings in [tool.uv.project-status]
2. A future uv audit command also performs those checks, atop the normal vulnerability auditing it'll do

For (1) this is what I envision in terms of configuration:

[tool.uv.project-status]
archived = "allow" # "allow" | "warn" | "deny"
deprecated = "deny" # "allow" | "warn" | "deny"

...where the default for both would be "warn". We wouldn't expose one for quarantined, since the index itself will force a failure in that case anyways.