From bd954493eff50a87d21c6ae91bd7b7dffa8bbe6a Mon Sep 17 00:00:00 2001
From: Shiyuan Zheng
Date: Wed, 11 Feb 2026 22:40:21 -0800
Subject: [PATCH] fix: handle wheels without hash digests from private registries
Private PyPI registries (e.g., Azure Artifacts, Artifactory) may not serve PEP 503 hash fragments in download URLs. This causes KeyError when `_whl_repo_name` and `_raw_whl_repos` unconditionally access `whl["hash"]`. Fall back to `sha1(whl["url"])[:8]` for repo naming and empty string for shasum when hash is missing. Fixes #790
---
 uv/private/extension.bzl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/uv/private/extension.bzl b/uv/private/extension.bzl
index 219a19a4..efc77e64 100644
--- a/uv/private/extension.bzl
+++ b/uv/private/extension.bzl
@@ -470,9 +470,12 @@ def _raw_sdist_repos(_module_ctx, lock_specs, override_specs):
 def _whl_repo_name(package, whl):
 """Get the repo name for a whl."""
+ # Use hash when available, fall back to URL-based identifier for wheels
+ # from private registries that don't serve PEP 503 hash fragments.
+ identifier = whl["hash"][len("shasum:"):][:8] if "hash" in whl else sha1(whl["url"])[:8]
 return "whl__{}__{}".format(
 package["name"],
- whl["hash"][len("shasum:"):][:8],
+ identifier,
 )
 def _raw_whl_repos(_module_ctx, lock_specs, override_specs):
@@ -488,7 +491,10 @@ def _raw_whl_repos(_module_ctx, lock_specs, override_specs):
 wheels = package.get("wheels", [])
 for whl in wheels:
 url = whl["url"]
- shasum = whl["hash"][len("sha256:"):]
+
+ # Wheels from private registries may lack hash digests
+ # when the registry doesn't serve PEP 503 hash fragments.
+ shasum = whl["hash"][len("sha256:"):] if "hash" in whl else ""
 # FIXME: Do we need to factor in the shasum or source her? Could
 # have two or more sources for one "artifact".
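Review bot: The new `identifier` line in `_whl_repo_name` still strips the prefix with `len("shasum:")`, while the `shasum` line in `_raw_whl_repos` strips `len("sha256:")`; the two agree only because both literals are seven characters long. Since the line is being rewritten anyway, I would write `whl["hash"][len("sha256:"):][:8]` so the slice names the prefix it presumably removes. The fallback also calls `sha1(...)`, and this patch adds no `load()` for it, so confirm the symbol is already in scope in extension.bzl. It would help to extend the comment with `# NOTE: the URL-derived name changes if the registry host or path changes.`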
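Review bot: The `else ""` fallback on the new `shasum` line means a wheel with no `hash` entry would be fetched with no integrity check, assuming `shasum` is later handed to the download as its expected sha256; that use, like the start and end of `_raw_whl_repos`, is outside the hunk. This silently turns a pinned lockfile into trust-on-download for the registries that serve no digests, and nothing in the build output shows that it happened. I would refuse by default and allow unhashed wheels only behind an explicit opt-in, e.g. `if "hash" not in whl: fail("no hash for a wheel of {}; refusing to fetch it unverified".format(package["name"]))`. The message should name the package rather than `url`, because private-registry URLs can carry credentials. If failing is too strict, at least replace the comment with `# WARNING: empty shasum, this wheel is not integrity-checked`.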