Bug P2
Comments
al...@doit.com <al...@doit.com> #2
Hi, could you please share screenshots of the UI you are referring to? Currently in the Cloud Source Repositories UI, at the top you will find:
YourRepository > Branch > file
You have a drop-down in Repository and in Branch to change at any time.
Description
Hi team,
Problem Encountered:
Artifact Registry virtual repositories currently prioritize upstream repositories at the version level. When installing a package without specifying a version, pip defaults to the latest available version from any upstream repository, often bypassing the private repository if the specific version is missing. This behaviour limits the ability to fully prioritize private repositories and weakens protection against dependency confusion attacks.
What We Expected to Happen:
We expected an option for package-level fallback, where any package request—whether versioned or unversioned—first defaults to the private repository (higher-priority upstream). Only if the entire package is absent should the virtual repository consider lower-priority upstream repositories like PyPI.
Steps to Reproduce:
Observed Result:
pip defaults to the latest version available from PyPI, even when a version exists in the private repository. The priority configuration is applied only at the version level.
Workarounds Tried:
Feature Request:
Introduce an optional setting for package-level fallback in Artifact Registry virtual repositories. With this feature enabled:
Thank you!
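To make the difference between the two fallback policies concrete, here is an added model of a virtual repository resolving a pip request across ordered upstreams. It is example code written for this page, not Artifact Registry's implementation or the reporter's; the upstream names, package names and versions are constructed sample data, and version ordering is simplified to dotted integers.

```python
"""Model of version-level vs package-level upstream fallback (constructed example)."""

# Upstreams in priority order (index 0 = highest priority). Constructed data:
# the private repo holds internal-utils 1.1.0/1.2.0; the public index also
# carries a package of the same name with a much higher version number.
UPSTREAMS = [
    ("private", {"internal-utils": ["1.1.0", "1.2.0"]}),
    ("pypi", {"internal-utils": ["9.9.9"], "requests": ["2.31.0", "2.32.3"]}),
]


def _key(version: str) -> tuple:
    # Simplified ordering: numeric dotted releases only (no pre-release tags).
    return tuple(int(part) for part in version.split("."))


def resolve_version_level(upstreams, package, pinned=None):
    """Behaviour described in the report: priority applies per version, so an
    unpinned request takes the newest version offered by ANY upstream."""
    candidates = []  # (version key, -priority, upstream name, version string)
    for priority, (name, index) in enumerate(upstreams):
        for v in index.get(package, []):
            if pinned is None or v == pinned:
                candidates.append((_key(v), -priority, name, v))
    if not candidates:
        return None
    _, _, name, v = max(candidates)  # highest version; ties go to higher priority
    return name, v


def resolve_package_level(upstreams, package, pinned=None):
    """Requested behaviour: the first upstream that carries the package at all
    serves it; lower-priority upstreams are consulted only if the whole
    package is absent. A pinned version missing there fails instead of
    falling through."""
    for name, index in upstreams:
        versions = index.get(package)
        if not versions:
            continue  # package entirely absent here: fall through
        wanted = [v for v in versions if pinned is None or v == pinned]
        return (name, max(wanted, key=_key)) if wanted else None
    return None


def shadowed_packages(upstreams):
    """Defensive audit: names served by a higher-priority upstream that also
    exist further down, i.e. the names exposed under version-level fallback."""
    first_seen, shadowed = {}, set()
    for name, index in upstreams:
        for package in index:
            if package in first_seen and first_seen[package] != name:
                shadowed.add(package)
            first_seen.setdefault(package, name)
    return sorted(shadowed)
```

Running `shadowed_packages(UPSTREAMS)` against a real upstream list is the check a consumer of a virtual repository can perform today, independent of which fallback policy the registry applies.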