Copilot AI commented Oct 20, 2025

Overview

This PR addresses the requirement to pin dependencies in requirements.compiled to specific indexes, as mentioned in the issue referencing astral-sh/uv#171.

Problem

Previously, the dependency compiler used unnamed index URLs (--index-url and --extra-index-url) without explicitly specifying which indexes should be used during compilation. This approach:

  • Lacked explicit control over package sources
  • Could lead to ambiguity when the same package exists on multiple indexes
  • Made it harder to reproduce exact dependency resolution behavior

Solution

Updated the DependencyCompiler to use UV's named index feature:

  • --default-index <url> for the primary PyPI index
  • --index <name>=<url> for additional indexes (e.g., AMD/NVIDIA PyTorch indexes)

Changes Made

  1. Enhanced DependencyCompiler.Compile() method: Added an indexes parameter to accept a dictionary of named indexes, enabling explicit control over package sources during compilation.

  2. Added _build_indexes() helper method: Automatically constructs a dictionary of named indexes based on GPU configuration, mapping "pypi" to the main PyPI index and "amd"/"nvidia" to the appropriate PyTorch index.

  3. Updated compilation calls: Both make_override() and compile_core_plus_ext() now pass the indexes dictionary to ensure consistent use of named indexes throughout the compilation process.

Example

Before:

uv pip compile ... --index-strategy unsafe-best-match

After:

uv pip compile ... --default-index https://pypi.org/simple --index amd=https://download.pytorch.org/whl/rocm6.1 --index-strategy unsafe-best-match

Benefits

  • Explicit Control: Clear specification of which indexes to use for package resolution
  • Better Security: Reduces risk of dependency confusion attacks by explicitly naming package sources
  • Reproducibility: Ensures the same indexes are used when recreating compiled requirements
  • Backward Compatible: Output format remains compatible with pip and other tools (still outputs --index-url and --extra-index-url in the compiled file)

Testing

  • ✅ All 164 tests pass, including UV-specific tests
  • ✅ Ruff linting passes with no issues
  • ✅ CodeQL security scan: 0 vulnerabilities found
  • ✅ Manual verification confirms correct command format in generated files

Closes #[issue_number]

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.mixpanel.com
    • Triggering command: python3 -m pytest tests/ -v --tb=short (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Pin dependencies in requirements.compiled to specific index</issue_title>
<issue_description>Once this issue is closed

astral-sh/uv#171</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #189



Copilot AI changed the title from "[WIP] Pin dependencies in requirements.compiled to specific index" to "Pin dependencies to specific indexes using UV's named index feature" Oct 20, 2025
Copilot AI requested a review from snomiao October 20, 2025 18:34
Copilot finished work on behalf of snomiao October 20, 2025 18:34
@snomiao snomiao requested a review from robinjhuang October 21, 2025 03:57
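
The command change described in the PR above can be checked mechanically. This is an added example, not code from the PR or from comfy_cli: `build_index_args` and `audit_compile_command` are hypothetical helpers, and the two sample command lines are the "Before" and "After" strings quoted in the description.

```python
import shlex
from urllib.parse import urlparse

INDEX_OPTS = {"--index-url", "--extra-index-url", "--default-index", "--index", "--index-strategy"}

def build_index_args(default_index, named_indexes):
    """uv arguments for one default index plus named extra indexes (hypothetical helper)."""
    args = ["--default-index", default_index]
    for name, url in sorted(named_indexes.items()):
        args += ["--index", f"{name}={url}"]
    return args

def audit_compile_command(command):
    """Return findings about the index options in a `uv pip compile` command line."""
    tokens = shlex.split(command)
    findings, has_default, i = [], False, 0
    while i < len(tokens):
        opt, _, value = tokens[i].partition("=")  # handles --opt=value
        if opt in INDEX_OPTS:
            if not value and i + 1 < len(tokens):  # handles --opt value
                i += 1
                value = tokens[i]
            if opt == "--index-strategy":
                # Any "unsafe-" strategy searches every listed index for every package name.
                if value.startswith("unsafe-"):
                    findings.append(f"index strategy {value} resolves each package across all indexes")
            else:
                name, sep, url = value.partition("=")
                if not sep or "://" in name:  # bare URL without a name= prefix
                    name, url = "", value
                if opt == "--default-index":
                    has_default = True
                elif not name:
                    findings.append(f"{opt} {url} is an unnamed index")
                if urlparse(url).scheme != "https":
                    findings.append(f"{opt} {url} is not fetched over HTTPS")
        i += 1
    if not has_default:
        findings.append("no --default-index given")
    return findings

# Sample input: the two command lines quoted in the PR description.
BEFORE = "uv pip compile ... --index-strategy unsafe-best-match"
AFTER = ("uv pip compile ... --default-index https://pypi.org/simple "
         "--index amd=https://download.pytorch.org/whl/rocm6.1 --index-strategy unsafe-best-match")

if __name__ == "__main__":
    for label, cmd in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_compile_command(cmd))
```

On the "After" command the only remaining finding is the `unsafe-best-match` strategy, which is unchanged between the two command lines.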

codecov bot commented Oct 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main     #333      +/-   ##
==========================================
+ Coverage   52.36%   52.54%   +0.18%     
==========================================
  Files          32       32              
  Lines        3516     3530      +14     
==========================================
+ Hits         1841     1855      +14     
  Misses       1675     1675              
Files with missing lines Coverage Δ
comfy_cli/uv.py 56.87% <100.00%> (+2.36%) ⬆️
Successfully merging this pull request may close these issues.

Pin dependencies in requirements.compiled to specific index