feat: option to validate compressed tag set sort order in parse_wheel_filename

[r266-tech]

Summary

Fixes #909.

parse_wheel_filename accepted wheel filenames where compressed tag sets had components in unsorted order, even though PEP 425 explicitly requires them to be sorted:

each tag in a filename can instead be a '.'-separated, sorted, set of tags

For example, pyvirtualcam-0.13.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl was accepted silently, but the correct filename is pyvirtualcam-0.13.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (since '2' < '_' in ASCII, manylinux2014_x86_64 sorts before manylinux_2_17_x86_64).

This was surfaced by a real-world interaction: auditwheel repair produces incorrectly-ordered tag strings (tracked at pypa/auditwheel#583), and packaging accepted them without error, masking the upstream bug.

Changes

• src/packaging/utils.py: In parse_wheel_filename, before calling parse_tag, validate that each --separated component's .-separated parts are in lexicographic sorted order. Raises InvalidWheelFilename if not.

• tests/test_utils.py:

  • Added two invalid cases to test_parse_wheel_invalid_filename:
    • pyvirtualcam-0.13.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (platform tags unsorted)
    • foo-1.0-py3.py2-none-any.whl (interpreter tags unsorted)
  • Added one valid case to test_parse_wheel_filename:
    • pyvirtualcam-0.13.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (correctly sorted)

Design note

The check is placed in parse_wheel_filename (not parse_tag) so that parse_tag remains a general-purpose utility without new validation semantics. Per brettcannon's comment on #909, the fix touches the tag-parsing path in utils.py.

[notatallshaw]

I would want to understand the real world impact of this change, in particular is this going to reject a lot of wheels uploaded to PyPI?

[r266-tech]

Good question. The validation only triggers on compressed tag sets — filenames where a single component contains multiple dot-separated values (e.g. cp39.cp310-none-manylinux_2_17_x86_64.manylinux2014_x86_64). Simple tags like py3-none-any or cp311-cp311-linux_x86_64 are unaffected since there's nothing to sort-check.

All major build tools I'm aware of (wheel, setuptools, hatchling, flit, poetry, maturin) generate sorted compressed tags, so I'd expect the real-world impact to be very low. That said, I don't have data on what's actually on PyPI.

If this is a concern, I could scope the check to only parse_wheel_filename (not parse_tag) and make it a warning rather than an error, or we could gather data first by scanning PyPI's Simple API for filenames with unsorted compressed tags. Happy to do either — what approach would you prefer?

[notatallshaw]

Sorry, I posted that before I realized similar discussion was taking place in #909 (comment), let's move discussion on what we want to do about compliance/backwards comparability there.

[r266-tech]

CI failures highlight an important edge case: lexicographic string sorting doesn't work for version-embedded platform tags.

Failing examples:

• macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64 — lexicographically 10_10 < 10_9 (char '1' < '9'), but the intended order is by macOS version
• manylinux_2_17_x86_64.manylinux2014_x86_64 — manylinux2014 < manylinux_2_17 lexicographically ('2' < '_'), but both are valid real-world tags (numpy uses this exact filename on PyPI)

This confirms @notatallshaw's concern about real-world impact. The sorted-order check needs either:

1. A version-aware comparator instead of plain string sort, or
2. Narrower scope (only reject clearly pathological cases)

Happy to implement whichever direction you prefer — will wait for the discussion on #909 to settle before pushing a fix.

[henryiii]

The only reason to sort these is to have a completely deterministic filename. So there isn't an "intended" order, it's not there to make it easier for humans. So only simple sorting, which is easy to implement in other languages too (like Rust) makes sense, anything other than lexicographic sorting would be much harder to implement, slower, and would serve no purpose.

[henryiii]

I think this would be fine as an opt-in parameter. I don't think we can add it to a legacy function without the opt-in.

[henryiii]

I think we must make this opt-in for a legacy API. There are at least 370,069 wheels uploaded to PyPI (out of the 1,023,6875 wheels I checked with a compressed tag set) that have unsorted compressed tags. We need to be able to parse those old wheel filenames.

[r266-tech]

Thanks for the data, @henryiii — 370K out of 10M+ is significant. I'll update this to add a validate=False parameter (opt-in) for the legacy parse_wheel_filename so existing wheels parse cleanly by default, and also fix the exception chaining (from None). Will push shortly.

[henryiii]

Great, thanks! Auditwheel produced unsorted tag sets for many years, it got fixed only a few years ago. It didn't really matter originally, as it didn't produce multiple tags, but when it started making manylinux tags in both old and new styles, it did so unsorted, and it was at least a few years before sorting was added. I wouldn't be surprised if multi-tagged universal macOS wheels were sometimes wrong, too.

[r266-tech]

Updated per review feedback:

• parse_tag() and parse_wheel_filename() now accept validate_order=False (opt-in)
• Unsorted compressed tags parse fine by default (backwards compatible)
• Only rejected when validate_order=True is explicitly passed
• Fixed exception chaining (raise ... from None)
• Tests updated: unsorted tags valid by default, rejected with validate_order=True

[henryiii]

Mind running prek -a to clean up the new lines and such (or nox -s <something> should also be available)? I can if you prefer.

[r266-tech]

Done — pushed a fix for the trailing newline and line length. Thanks for the heads-up on prek!

[henryiii]

Wow, that's a strange test failure! The failure happens if you run the full test suite, but not if you run just tests/test_utils.py! Claude-haiku-4.5 in VSCode's copilot found the issue pretty quickly. There's a importlib.reload of tags.py in test_tags.py, which then causes this to be a different exception object than the one utils.py captures.

[henryiii]

I pulled the test fix out into #1152, this should work when that goes in.

[henryiii]

@woodruffw, @brettcannon, and/or @dstufft, since you engaged on #909, it would be nice to get a opinion here from at least one of you. I think opt-in is the best way to go for this legacy API, this looks good to me.

[brettcannon]

I think opt-in is the best way to go for this legacy API, this looks good to me.

I agree with that.

[woodruffw]

Yeah, opt-in seems reasonable given that it's a legacy API 🙂

[henryiii]

Thanks for these!