
[feature request] Support for explicit source/index specification on individual dependencies #6582

Closed
menzenski opened this issue Aug 24, 2024 · 3 comments

Comments

@menzenski

menzenski commented Aug 24, 2024

We currently use a mix of pyenv, pipx, and Poetry in our Python projects and I'm very interested in uv's potential to replace all of these tools.

One of the things that we want to be able to do is to use the public PyPI index by default, but use our internal Artifactory index for specific organization-internal dependencies. We don't want to search the public PyPI index for those private dependencies in case there's a public one with the same name, and we don't want everything to go through our Artifactory index because of the impact on cost from the data transfer.

With Poetry, we can do this via explicit sources - is there a way to accomplish the same sort of behavior with uv?

For example, our pyproject.toml file would include this configuration:

```toml
[tool.poetry.dependencies]
python = ">=3.11,<3.12"
my-private-package = {version = "^0.12.0", source = "private_artifactory"}
rich = "^13.7.1"

[[tool.poetry.source]]
name = "PyPI"
priority = "primary"

[[tool.poetry.source]]
name = "private_artifactory"
url = "https://<organization host>/artifactory/api/pypi/pypi/simple"
priority = "explicit"
```

@charliermarsh
Member

Thanks -- totally follow, we're tracking this here: #171

charliermarsh closed this as not planned on Aug 24, 2024
@menzenski
Author

ah, thanks! totally missed that in my searching.

@charliermarsh
Member

No prob! One thing to note: if you set your Artifactory index via extra-index-url, then by default, uv will not look in PyPI at all if a package exists in your Artifactory index. This differs from pip's behavior but protects you from dependency confusion attacks (your first requirement).

(I know it doesn't solve the second requirement of skipping your own index to save on data transfer.)
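The following simulation is an added example (not code from uv, Poetry, or anyone in this thread). It models the two resolution behaviours the thread contrasts for the opener's setup: uv's default, where the first index in priority order that carries a package name wins outright (uv calls this strategy `first-index`), and a pip-style best-match that takes the highest version seen on any index (`unsafe-best-match` in uv's terminology). The index URLs, package names and versions are constructed sample data; the Artifactory index is modelled as a PyPI proxy, which is why the second requirement (keeping public packages off Artifactory) is not solved by `extra-index-url` alone.

```python
"""Simulated index resolution: first-index (uv default) vs pip-style best-match.

Added example, not uv's or Poetry's code. Strategy names follow uv's
index-strategy setting (assumed: "first-index" is the default and
"unsafe-best-match" is the pip-like behaviour). All package data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # comparable version tuple, e.g. (0, 12, 0)
    index: str       # index URL the candidate was found on


# Constructed sample data. The Artifactory index is modelled as a PyPI proxy
# (a common setup), so it also serves public packages such as "rich".
PRIVATE_INDEX = "https://<organization host>/artifactory/api/pypi/pypi/simple"
PYPI = "https://pypi.org/simple"

INDEXES = {
    PRIVATE_INDEX: {
        "my-private-package": [Candidate("my-private-package", (0, 12, 0), PRIVATE_INDEX)],
        "rich": [Candidate("rich", (13, 7, 1), PRIVATE_INDEX)],
    },
    PYPI: {
        "rich": [Candidate("rich", (13, 7, 1), PYPI)],
        # A public package with the same name and a higher version: the
        # dependency-confusion case the thread refers to.
        "my-private-package": [Candidate("my-private-package", (99, 0, 0), PYPI)],
    },
}


def resolve(name: str, index_order: list, strategy: str = "first-index") -> Optional[Candidate]:
    """Pick a candidate for `name`. `index_order` lists indexes in priority
    order (uv consults extra-index-url entries before its default index)."""
    if strategy == "first-index":
        # Stop at the first index that knows the name; later indexes are never
        # consulted for it, so a same-named public package cannot shadow it.
        for index in index_order:
            found = INDEXES.get(index, {}).get(name)
            if found:
                return max(found, key=lambda c: c.version)
        return None
    if strategy == "unsafe-best-match":
        # Pool candidates from every index and take the highest version,
        # regardless of where it came from.
        pooled = [c for index in index_order for c in INDEXES.get(index, {}).get(name, [])]
        return max(pooled, key=lambda c: c.version) if pooled else None
    raise ValueError(f"unknown strategy: {strategy}")


def public_collisions(private_names, public_index: str = PYPI) -> list:
    """Defender check: private package names that also exist on the public index.
    These are exactly the names a best-match resolver could be tricked on."""
    return sorted(n for n in private_names if n in INDEXES.get(public_index, {}))


def audit(private_names, index_order, strategy: str = "first-index") -> dict:
    """Map each private name to the index it would actually be served from."""
    result = {}
    for n in private_names:
        chosen = resolve(n, index_order, strategy)
        result[n] = chosen.index if chosen else None
    return result


if __name__ == "__main__":
    order = [PRIVATE_INDEX, PYPI]  # extra-index-url first, then the default index
    for strategy in ("first-index", "unsafe-best-match"):
        chosen = resolve("my-private-package", order, strategy)
        print(f"{strategy:18} my-private-package -> {chosen.version} from {chosen.index}")
    # Public package still served by the proxying Artifactory index under first-index,
    # which is the data-transfer cost the second requirement is about.
    print("rich ->", resolve("rich", order).index)
    print("collisions:", public_collisions(["my-private-package", "rich"]))
```

Under `first-index`, `my-private-package` resolves to the 0.12.0 build on the private index even though a 99.0.0 build exists on PyPI; under `unsafe-best-match` the PyPI build wins. `public_collisions` is the check worth running periodically in either setup: any private name that also resolves on the public index is one where the safe outcome depends entirely on the resolver's strategy.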
