Skip to content

Index cache-control override malfunctions with username in URL #16076

Closed
#16088
Closed
Index cache-control override malfunctions with username in URL#16076
#16088
Assignees
charliermarsh
Labels
bugSomething isn't working
@nordewal

Description

@nordewal
nordewal
opened on Sep 30, 2025

Summary

We are using a GCP artifact registry for our internal PyPi. For authentication we use the keyring provider of GCP (https://pypi.org/project/keyrings.google-artifactregistry-auth/). Ideally we would like to configure all of our index related setting in the pyproject.toml. Which mostly works, except for the cache-control header override.

Our ideal (minimal) pyproject.toml:

[project]
name = "test"
version = "0.1.0"
dependencies = ["pandas>=2.2"]

[tool.uv]
keyring-provider = "subprocess"

[[tool.uv.index]]
cache-control = { api = "max-age=600", files = "max-age=365000000, immutable" }
default = true
url = "https://oauth2accesstoken@europe-west4-python.pkg.dev/our-gcp-project/pypi/simple/"

This however leads to uv not using its cache. If you execute the following command multiple times, you see that it re-downloads all dependencies each time:

rm -rf .venv/; uv sync

After some playing around, I figured out what the issue is: the oauth2accesstoken@ in the URL seems to throw uv off. When I move the username to an env variable, the caching (header override) works as expected:

[project]
name = "test"
version = "0.1.0"
dependencies = ["pandas>=2.2"]

[tool.uv]
keyring-provider = "subprocess"

[[tool.uv.index]]
cache-control = { api = "max-age=600", files = "max-age=365000000, immutable" }
default = true
name = "internal"
url = "https://europe-west4-python.pkg.dev/our-gcp-project/pypi/simple/"

Run the following multiple times, and uv always uses the cached version:

export UV_INDEX_INTERNAL_USERNAME=oauth2accesstoken
rm -rf .venv/; uv sync

Would it be possible to support URLs in the form of https://USERNAME@INDEX together with overriding cache-control headers?

This would make our lives easier, as otherwise the configuration of the index lives in two places: the pyproject.toml and the env variable. Since the username itself here is not a secret (the token provided by the keyring is the secret), I also don't see a security issue.

Platform

Linux 6.12.30+bpo-amd64

Version

uv 0.8.22

Python version

Python 3.11.12

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions