fix(auth): write PIPENV_PYPI_MIRROR credentials to resolver netrc (#6677)#6678
Open
matteius wants to merge 3 commits into
The GHSA-8xgg-v3jj-95m2 fix moved index credentials off pip's argv onto a temporary netrc that pip reads. The resolver subprocess prepends a mirror source built from PIPENV_PYPI_MIRROR (which is where the user's credentials live), but the parent wrote the resolver netrc from the un-mirrored project.pipfile_sources() — so the mirror's credentials were dropped. Pip then received the mirror URL with credentials stripped from argv and no matching netrc entry, producing 401 / ResolutionFailure ("No matching distribution found") for any private index configured via PIPENV_PYPI_MIRROR with embedded user:pass auth, starting in v2026.6.0. _set_resolver_netrc now applies the same replace_pypi_sources / mirror substitution the resolver subprocess uses, so the mirror credentials reach the netrc again. Adds a unit regression test mirroring the issue's config.

Signed-off-by: Matt Davis <matteius@gmail.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Problem

Fixes #6677. Since v2026.6.0, `pipenv install` fails with `ResolutionFailure: No matching distribution found` when a private index is configured via `PIPENV_PYPI_MIRROR` with embedded credentials (e.g. `https://user:pass@mirror.example.com`). The credentials are silently dropped and the index returns `401 Unauthorized`.

## Root cause

v2026.6.0 shipped the GHSA-8xgg-v3jj-95m2 fix, which stopped placing index credentials on pip's argv (visible via `ps` / `/proc/<pid>/cmdline`) and instead writes them to a temporary netrc that pip reads.

The regression is an asymmetry in how `PIPENV_PYPI_MIRROR` is applied:

- The resolver subprocess (`pipenv/resolver.py`) prepends a mirror source built from `PIPENV_PYPI_MIRROR` via `replace_pypi_sources(...)` — and that mirror URL is where the user's credentials live.
- `_set_resolver_netrc` (`pipenv/utils/resolver.py`) writes the resolver netrc from `project.pipfile_sources()`, which does not include the mirror substitution.

So the mirror's credentials never reached the netrc. Pip then received the mirror URL with credentials stripped from argv and found no matching netrc entry → `401` → `ResolutionFailure`.

This is a different path than #6670 (which handled `${VAR}` placeholders in `[[source]]` URLs and netrc ordering); this one is the `PIPENV_PYPI_MIRROR` env var being skipped entirely when building the resolver netrc.

## Fix

`_set_resolver_netrc` now applies the same `replace_pypi_sources(..., create_mirror_source(...))` substitution the resolver subprocess uses, so the mirror's credentials flow into the netrc again — restoring pre-2026.6.0 behavior without putting secrets back on argv.

## Tests

Adds `test_set_resolver_netrc_includes_pypi_mirror_credentials`, a unit regression test mirroring the issue's config (a custom-host source named `pypi` with credentials only in `PIPENV_PYPI_MIRROR`). Full `tests/unit/test_credential_safety.py` suite passes (17 passed).

## Note

The install-time source builder (`get_source_list`) only substitutes the mirror for `pypi.org/simple` sources, whereas resolution always prepends it. The canonical authed-mirror case (Pipfile source `https://pypi.org/simple` + mirror) already gets credentials into the install netrc and works; the reported failure is at resolution, which this fixes. Broadening `get_source_list` to honor `PIPENV_PYPI_MIRROR` for arbitrary custom-host sources would be a separate behavior change.

🤖 Generated with Claude Code
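The asymmetry described under "Root cause" and the fix under "Fix" can be modelled in a few lines. The following is an added example, not pipenv's code and not part of this PR: the helper names `pipfile_sources`, `create_mirror_source`, `replace_pypi_sources` and `build_resolver_netrc` are hypothetical stand-ins for the pipenv functions the description names, their bodies are simplifications, and the source list and `PIPENV_PYPI_MIRROR` value are constructed to match the issue's config. It shows that with the un-mirrored source list the netrc has no entry for the mirror host (so pip, handed the bare URL on argv, cannot authenticate), while applying the same mirror substitution the resolver uses before writing the netrc restores the entry without putting userinfo back on argv.

```python
"""Added example, not pipenv's own code: a model of the argv/netrc split the PR
describes. The helper names below (pipfile_sources, create_mirror_source,
replace_pypi_sources, build_resolver_netrc) are hypothetical stand-ins for the
pipenv functions the PR names; their bodies are simplifications, not pipenv's."""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

# Constructed Pipfile [[source]] list matching the issue's config: a source
# named "pypi" on a custom host, with no credentials of its own.
PIPFILE_SOURCES = [
    {"name": "pypi", "url": "https://mirror.example.com/simple", "verify_ssl": True},
]

# Constructed PIPENV_PYPI_MIRROR value; the user:pass pair is a fake placeholder.
PYPI_MIRROR = "https://deploy:s3cr3t-placeholder@mirror.example.com/simple"


def pipfile_sources() -> list[dict]:
    """Stand-in for project.pipfile_sources(): the Pipfile sources, un-mirrored."""
    return [dict(s) for s in PIPFILE_SOURCES]


def create_mirror_source(mirror_url: str) -> dict:
    """Stand-in: a source entry built from PIPENV_PYPI_MIRROR (credentials embedded)."""
    return {"name": "pypi_mirror", "url": mirror_url, "verify_ssl": True}


def replace_pypi_sources(sources: list[dict], mirror: dict) -> list[dict]:
    """Stand-in for what the resolver subprocess does: prepend the mirror source."""
    return [mirror] + sources


def strip_credentials(url: str) -> tuple[str, str | None, str | None]:
    """Split user:pass out of a URL; only the bare URL may go on pip's argv."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    bare = urlunsplit((p.scheme, host, p.path, p.query, p.fragment))
    return bare, p.username, p.password


def pip_argv_index_urls(sources: list[dict]) -> list[str]:
    """Index URLs as pip receives them on argv: credentials always stripped."""
    return [strip_credentials(s["url"])[0] for s in sources]


def build_resolver_netrc(sources: list[dict]) -> dict[str, tuple[str, str]]:
    """Return {machine: (login, password)} for every source carrying credentials.
    This is what the temporary resolver netrc would contain."""
    entries: dict[str, tuple[str, str]] = {}
    for src in sources:
        p = urlsplit(src["url"])
        if p.username is not None and p.password is not None and p.hostname:
            entries[p.hostname] = (p.username, p.password)
    return entries


def netrc_before_fix() -> dict[str, tuple[str, str]]:
    """The regression: netrc built from the un-mirrored sources, so the mirror
    host never gets a netrc entry even though pip is handed its bare URL."""
    return build_resolver_netrc(pipfile_sources())


def netrc_after_fix() -> dict[str, tuple[str, str]]:
    """The fix: apply the same mirror substitution the resolver uses before
    writing the netrc, so the mirror's credentials reach pip."""
    mirrored = replace_pypi_sources(pipfile_sources(), create_mirror_source(PYPI_MIRROR))
    return build_resolver_netrc(mirrored)


def mirror_host_has_credentials(netrc: dict[str, tuple[str, str]]) -> bool:
    """pip can authenticate to the mirror only if the netrc has its machine entry."""
    return urlsplit(PYPI_MIRROR).hostname in netrc


def argv_leaks_secret(sources: list[dict]) -> bool:
    """Check that no index URL handed to pip still carries userinfo."""
    return any("@" in url for url in pip_argv_index_urls(sources))


if __name__ == "__main__":
    mirrored = replace_pypi_sources(pipfile_sources(), create_mirror_source(PYPI_MIRROR))
    print("argv URLs:", pip_argv_index_urls(mirrored))
    print("before fix, mirror authenticated:", mirror_host_has_credentials(netrc_before_fix()))
    print("after fix,  mirror authenticated:", mirror_host_has_credentials(netrc_after_fix()))
```

The useful invariant to keep in a regression test is the pair of checks at the end: every index URL that reaches argv is free of userinfo, and every host whose credentials were stripped has a netrc `machine` entry built from the same source list the resolver actually uses. The bug was a violation of the second half only.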