Fix direct URL dependencies not stored in lockfile

matteius · matteius · commit cf4c3ec1bc8e · 2025-12-14T22:36:58.000-05:00
When a package has an extra dependency with a direct URL using PEP 508 syntax (e.g., my-package @ https://server.com/my-package-1.0.0.whl), the URL was not being stored in the lockfile. This caused pipenv to fall back to searching PyPI for the package, which would fail if the package is only available at the private URL. Root cause: format_requirement_for_lockfile only checked for req.link.is_file (which only matches file:// URLs), but not for remote HTTP/HTTPS URLs. The fix adds handling for http and https schemes, storing the URL in the 'file' key of the lockfile entry (same as file:// URLs). Fixes #5967
diff --git a/pipenv/utils/locking.py b/pipenv/utils/locking.py
@@ -85,8 +85,14 @@ def format_requirement_for_lockfile(
             entry["version"] = str(req.req.specifier)
         elif req.specifier:
             entry["version"] = str(req.specifier)
-        if req.link and req.link.is_file:
-            entry["file"] = req.link.url
+        if req.link:
+            if req.link.is_file:
+                entry["file"] = req.link.url
+            elif req.link.scheme in ("http", "https"):
+                # Handle direct URL dependencies (PEP 508 style: package @ https://...)
+                entry["file"] = req.link.url
+                entry.pop("version", None)  # URL deps don't need version
+                entry.pop("index", None)  # URL deps don't use index
     # Add index information
     if name in index_lookup:
         entry["index"] = index_lookup[name]
diff --git a/tests/unit/test_utils.py b/tests/unit/test_utils.py
@@ -779,3 +779,143 @@ def get_value(self, key):
             assert project.default_source["url"] in [primary_index, extra_index]
         finally:
             os.chdir(original_dir)
+
+
+class TestFormatRequirementForLockfile:
+    """Tests for format_requirement_for_lockfile in locking.py.
+
+    These tests verify that various requirement types are correctly formatted
+    for the lockfile, including direct URL dependencies (PEP 508 style).
+    """
+
+    def test_direct_url_dependency_https(self):
+        """Test that HTTPS direct URL dependencies are stored in lockfile.
+
+        This is the fix for issue #5967 - when a package has an extra dependency
+        with a direct URL like:
+            my-private-dependency @ https://my-private-artifactory/.../package.whl
+        The URL should be stored in the lockfile entry.
+        """
+        from pipenv.patched.pip._internal.models.link import Link
+        from pipenv.patched.pip._internal.req.constructors import (
+            install_req_from_line,
+        )
+        from pipenv.utils.locking import format_requirement_for_lockfile
+
+        # Create an InstallRequirement with a direct HTTPS URL (PEP 508 style)
+        req_str = "my-private-package @ https://my-artifactory.com/api/pypi/repo/my-private-package/1.0.0/my-private-package-1.0.0-py3-none-any.whl"
+        req = install_req_from_line(req_str)
+
+        # Verify the link properties
+        assert req.link is not None
+        assert req.link.scheme == "https"
+        assert req.link.is_file is False
+        assert req.link.is_vcs is False
+
+        # Format for lockfile
+        name, entry = format_requirement_for_lockfile(
+            req,
+            markers_lookup={},
+            index_lookup={},
+            original_deps={},
+            pipfile_entries={},
+            hashes=None,
+        )
+
+        # Verify the URL is stored in the lockfile entry
+        assert name == "my-private-package"
+        assert "file" in entry, "Direct URL should be stored in 'file' key"
+        assert entry["file"] == "https://my-artifactory.com/api/pypi/repo/my-private-package/1.0.0/my-private-package-1.0.0-py3-none-any.whl"
+        assert "version" not in entry, "URL deps should not have version"
+        assert "index" not in entry, "URL deps should not have index"
+
+    def test_direct_url_dependency_http(self):
+        """Test that HTTP direct URL dependencies are stored in lockfile."""
+        from pipenv.patched.pip._internal.req.constructors import (
+            install_req_from_line,
+        )
+        from pipenv.utils.locking import format_requirement_for_lockfile
+
+        # Create an InstallRequirement with a direct HTTP URL
+        req_str = "example-package @ http://internal-server.local/packages/example-package-2.0.0.tar.gz"
+        req = install_req_from_line(req_str)
+
+        # Verify the link properties
+        assert req.link is not None
+        assert req.link.scheme == "http"
+
+        # Format for lockfile
+        name, entry = format_requirement_for_lockfile(
+            req,
+            markers_lookup={},
+            index_lookup={},
+            original_deps={},
+            pipfile_entries={},
+            hashes=None,
+        )
+
+        # Verify the URL is stored
+        assert name == "example-package"
+        assert "file" in entry
+        assert entry["file"] == "http://internal-server.local/packages/example-package-2.0.0.tar.gz"
+
+    def test_file_url_dependency(self):
+        """Test that local file:// URLs are still handled correctly."""
+        from pipenv.patched.pip._internal.req.constructors import (
+            install_req_from_line,
+        )
+        from pipenv.utils.locking import format_requirement_for_lockfile
+
+        # Create an InstallRequirement with a file:// URL
+        req_str = "local-package @ file:///home/user/packages/local-package-1.0.0.whl"
+        req = install_req_from_line(req_str)
+
+        # Verify the link properties
+        assert req.link is not None
+        assert req.link.scheme == "file"
+        assert req.link.is_file is True
+
+        # Format for lockfile
+        name, entry = format_requirement_for_lockfile(
+            req,
+            markers_lookup={},
+            index_lookup={},
+            original_deps={},
+            pipfile_entries={},
+            hashes=None,
+        )
+
+        # Verify the URL is stored
+        assert name == "local-package"
+        assert "file" in entry
+        assert entry["file"] == "file:///home/user/packages/local-package-1.0.0.whl"
+
+    def test_regular_pypi_dependency(self):
+        """Test that regular PyPI dependencies still work correctly."""
+        from pipenv.patched.pip._internal.req.constructors import (
+            install_req_from_line,
+        )
+        from pipenv.utils.locking import format_requirement_for_lockfile
+
+        # Create a regular PyPI requirement
+        req_str = "requests==2.28.0"
+        req = install_req_from_line(req_str)
+
+        # Regular requirements don't have a link
+        assert req.link is None
+
+        # Format for lockfile
+        name, entry = format_requirement_for_lockfile(
+            req,
+            markers_lookup={},
+            index_lookup={},
+            original_deps={},
+            pipfile_entries={},
+            hashes=None,
+        )
+
+        # Verify version is stored, not URL
+        assert name == "requests"
+        assert "version" in entry
+        assert entry["version"] == "==2.28.0"
+        assert "file" not in entry
