Validate `packages.index` is a URL in `pylock.toml`

[notatallshaw]

I've not checked the packaging code yet, but it doesn't validate in pip and I assume this needs to be fixed in packaging,

Here's an example:

lock-version = "1.0"
created-by = "demo"

[[packages]]
name = "click"
version = "8.3.3"
index = "not-a-url"

[[packages.wheels]]
name = "click-8.3.3-py3-none-any.whl"
url = "https://files.pythonhosted.org/packages/ae/44/c1221527f6a71a01ec6fbad7fa78f1d50dfa02217385cf0fa3eec7087d59/click-8.3.3-py3-none-any.whl"
size = 110502
[packages.wheels.hashes]
sha256 = "a2bf429bb3033c89fa4936ffb35d5cb471e3719e1f3c8a7c3fff0b8314305613"

In pip:

$ python -m pip install -r pylock.toml
WARNING: Using pylock.toml as a requirements source is an experimental feature. ...
Collecting click==8.3.3 (from pylock.toml)
  Using cached click-8.3.3-py3-none-any.whl
Successfully installed click-8.3.3

In uv:

$ uv pip install -r pylock.toml
error: Not a valid `pylock.toml` file: ./pylock.toml
  Caused by: TOML parse error at line 7, column 9
  |
7 | index = "not-a-url"
  |         ^^^^^^^^^^^
relative URL without a base: "not-a-url"

[sbidoul]

Note that at the moment packaging.pylock does not interpret nor attempts to validate path and url fields either, except for extracting the filename. We also don't have a notion of the base URL of the pylock document.

[notatallshaw]

Yeah, the context I found this is in writing a new lock generator, and my indexes have aliases and I accidentally wrote the alias name, not the index URL to the lock file, and pip installed the lock file fine but uv failed, I just fixed the bug.

It's not a pressing issue for me, but before we mark lock files no longer experimental in pip I think we should include this kind of validation.