🐛 fix(install): keyring auth and URL constraint handling #1759
Merged
gaborbernat merged 3 commits into pypa:main from Mar 21, 2026
pipx passes --no-input to pip, which implicitly disables keyring. The venv also lacks keyring as a library, so pip can't import it. This breaks users who authenticate to private package indexes (Azure Artifacts, Artifactory) via keyring. Setting PIP_KEYRING_PROVIDER=subprocess tells pip to invoke the system-installed keyring CLI instead of importing it. The subprocess provider works with --no-input and gracefully no-ops when keyring isn't installed. Uses setdefault so users can override. Closes pypa#1603
Add pytest to mypy's additional_dependencies in pre-commit config and add future annotations import for 3.9 support.
Now that pytest is in mypy's additional_dependencies, the import-not-found ignores are unnecessary. Also convert skip() to skipif marker to fix unreachable error.
pipx install from private indexes silently failed keyring-based authentication because pip defaults --keyring-provider to disabled. Setting PIP_KEYRING_PROVIDER=subprocess in the subprocess environment enables pip to call out to the system keyring for credentials, matching how pip behaves when invoked directly. The env var uses setdefault so users who explicitly configure a different provider are not overridden.

Separately, since 1.7.0 parse_specifier_for_install() calls Path.resolve() on -c/--constraint arguments unconditionally, turning URLs like https://example.com/constraints.txt into bogus local paths. 🔗 The fix checks for a URL scheme via urlsplit() before resolving, so URLs pass through untouched while local paths still get resolved.

Also removes stale type: ignore[import-not-found] comments on pytest imports across test files, now that pytest is declared as a mypy dependency in pre-commit config.

Fixes #1582, fixes #1603
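The two behaviours described in this pull request, sketched as an added example that is not pipx's own code. The function names are hypothetical, and treating a one-letter scheme as a Windows drive letter rather than a URL is an assumption that goes beyond what the description states.

```python
from __future__ import annotations

from pathlib import Path
from urllib.parse import urlsplit

# Added illustration; helper names are hypothetical, not pipx's API.


def is_url(value: str) -> bool:
    """True when value starts with a URL scheme such as https:// or file://."""
    # Assumption: a one-letter "scheme" is a Windows drive (C:\...), not a URL.
    return len(urlsplit(value).scheme) > 1


def _normalize(value: str) -> str:
    # URLs pass through untouched; local paths are resolved to absolute paths.
    return value if is_url(value) else str(Path(value).resolve())


def normalize_constraint_args(pip_args: list[str]) -> list[str]:
    """Resolve local -c/--constraint values, leaving URL values as given."""
    out: list[str] = []
    value_expected = False
    for arg in pip_args:
        if value_expected:
            out.append(_normalize(arg))
            value_expected = False
        elif arg in ("-c", "--constraint"):
            out.append(arg)
            value_expected = True
        elif arg.startswith("--constraint="):
            out.append("--constraint=" + _normalize(arg.split("=", 1)[1]))
        else:
            out.append(arg)
    return out


def pip_subprocess_env(base_env: dict[str, str]) -> dict[str, str]:
    """Copy base_env, enabling pip's subprocess keyring provider by default."""
    env = dict(base_env)
    # setdefault keeps a provider the user configured explicitly.
    env.setdefault("PIP_KEYRING_PROVIDER", "subprocess")
    return env
```

When checking a deployment, confirm that an explicitly exported PIP_KEYRING_PROVIDER still reaches pip unchanged and that a constraints URL appears verbatim in the pip command line.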