
fix(auth): Pipfile creds win netrc; expand env vars in pylock sources (#6670)#6671

Merged
matteius merged 1 commit into
mainfrom
fix/6670-env-var-source-url-auth
May 25, 2026

Conversation

@matteius

Member

Summary

Closes #6670 — restores authentication to private indexes when [[source]] URLs use environment-variable placeholders, regressed in 2026.6.1 by the GHSA-8xgg-v3jj-95m2 fix.

  • netrc precedence: write_credentials_netrc wrote our Pipfile-derived machine blocks BEFORE the appended existing user netrc. Python's netrc.authenticators() returns the LAST matching entry, so any stale system entry for the same host silently overrode the freshly-expanded creds. Reverse the order so our blocks come last and win the tie-break.
  • pylock expansion: PylockFile.convert_to_pipenv_lockfile assigned self.data["sources"] raw, dropping env-var expansion on the [pipenv] use_pylock = true path. Mirror the legacy Lockfile.load behavior by running expand_url_credentials over each source URL.

Test plan

  • pytest tests/unit/test_credential_safety.py tests/unit/test_pylock.py (37 passed)
  • pytest tests/unit/test_utils.py tests/unit/test_lockfile.py tests/unit/test_pep691_client.py tests/unit/test_resolver_auth.py (broader sweep, 373 passed)
  • New regression tests:
    • test_write_credentials_netrc_pipfile_wins_over_existing_system_netrc
    • test_write_credentials_netrc_from_env_var_expanded_url
    • test_convert_to_pipenv_lockfile_expands_env_vars_in_source_urls

🤖 Generated with Claude Code

…#6670)

GHSA-8xgg-v3jj-95m2 moved credentials off pip's argv onto a merged
netrc, but the new ``write_credentials_netrc`` writes our Pipfile-derived
machine blocks BEFORE appending the user's existing netrc. Python's
``netrc.authenticators()`` returns the LAST matching entry for a host,
so any stale system entry for the same host silently overrode the
freshly-expanded creds — exactly the symptom of gh-6670 (env-var creds
in ``[[source]]`` fail to authenticate after the 2026.6.1 upgrade).
Reverse the order so the user's existing netrc lands first and our
blocks win the tie-break.

Defensively, the ``pylock.toml`` reader now runs
``expand_url_credentials`` over its sources too, mirroring
``Lockfile.load``; without this, users with ``[pipenv] use_pylock = true``
would see env-var auth silently fall through as literal ``${VAR}`` tokens.

Add unit regression tests for both paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
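The two defects described in the PR summary and the commit message above, reproduced as an added stand-alone example (not pipenv's code; `expand_url_credentials`, `write_merged_netrc`, the host `pypi.example.internal` and the environment values are my own constructed names and values). It shows why block order matters in a merged netrc: Python's `netrc.authenticators()` keeps the last `machine` entry for a host, so a stale system entry written after the Pipfile-derived block wins, while the reversed order lets the freshly expanded credentials win. It also shows what an unexpanded `${VAR}` source looks like after parsing, which is the literal-token failure the pylock path hit:

```python
import os
import re
import tempfile
from netrc import netrc
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Matches ${VAR} placeholders, the form the PR says is used in Pipfile [[source]] URLs.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_url_credentials(url, env=None):
    """Replace ${VAR} tokens in a source URL with values from env.
    Hypothetical reimplementation, not pipenv's own function. Unset variables
    are left as literal tokens, the failure mode the unexpanded pylock path produced."""
    env = os.environ if env is None else env
    return _PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(0)), url)


def netrc_block(url):
    """Extract (host, login, password) from a URL's userinfo, or None if it has none."""
    parts = urlsplit(url)
    if not parts.username:
        return None
    return parts.hostname, unquote(parts.username), unquote(parts.password or "")


def write_merged_netrc(path, source_urls, existing_netrc_text, ours_last=True):
    """Write a merged netrc from source-URL-derived machine blocks plus the user's
    existing netrc text. ours_last=False reproduces the pre-fix ordering (ours first)."""
    ours = "".join(
        f"machine {host}\nlogin {login}\npassword {password}\n"
        for host, login, password in filter(None, map(netrc_block, source_urls))
    )
    body = existing_netrc_text + ours if ours_last else ours + existing_netrc_text
    path = Path(path)
    path.write_text(body, encoding="utf-8")
    path.chmod(0o600)  # credentials on disk: owner read/write only
    return path


def lookup(netrc_path, host):
    """Resolve credentials the way a netrc consumer will: authenticators() returns
    the LAST machine entry for a host, because later entries overwrite earlier ones."""
    auth = netrc(str(netrc_path)).authenticators(host)
    return None if auth is None else (auth[0], auth[2])


def demo():
    """Constructed scenario: a stale system netrc entry plus a fresh env-var source."""
    host = "pypi.example.internal"  # constructed host, not a real index
    env = {"PYPI_USER": "ci-bot", "PYPI_PASS": "fresh-token"}  # constructed values
    sources = [f"https://${{PYPI_USER}}:${{PYPI_PASS}}@{host}/simple"]
    expanded = [expand_url_credentials(u, env) for u in sources]
    existing = f"machine {host}\nlogin old-user\npassword stale-token\n"
    with tempfile.TemporaryDirectory() as tmp:
        buggy = write_merged_netrc(Path(tmp, "buggy"), expanded, existing, ours_last=False)
        fixed = write_merged_netrc(Path(tmp, "fixed"), expanded, existing, ours_last=True)
        return {
            "pre_fix": lookup(buggy, host),    # ('old-user', 'stale-token'): stale entry wins
            "post_fix": lookup(fixed, host),   # ('ci-bot', 'fresh-token'): our block wins
            "unexpanded": netrc_block(sources[0])[1:],  # literal ${VAR} tokens, never valid creds
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order-dependence is not a quirk of this example: every consumer built on the stdlib `netrc` class sees the same last-entry-wins behaviour, so any merge that appends the user's existing file after generated blocks will be overridden by whatever stale entry that file holds for the same host. Checking `netrc_block` on the raw, unexpanded URL is also a cheap guard worth keeping in a test suite: a login that still contains `${` means expansion was skipped somewhere upstream.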
@matteius matteius merged commit c1739c9 into main May 25, 2026
23 checks passed
@matteius matteius deleted the fix/6670-env-var-source-url-auth branch May 25, 2026 15:23

Development

Successfully merging this pull request may close these issues.

Pipenv does not expand environment variables in source section

1 participant