Support upload-time from Simple Repository API (PEP 700) for release timestamps #41916
thejoeejoee
started this conversation in
Suggest an Idea
Replies: 1 comment 1 reply
-
|
Adding PEP 700 |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
what, XMLRPC? 😄 |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Problem
When Renovate resolves Python packages from registries that only expose the Simple Repository API (e.g. Artifactory, devpi, custom mirrors),
releaseTimestampis not populated —minimumReleaseAgeand related features don't work.This is because
getSimpleDependency()currently only parses the HTML response, which has no timestamp data. ThereleaseTimestampNoteexplicitly says: "This field is not available when using the simple API."Users with private registries have reported this gap before (see #20070, #24829).
Proposed change
PEP 700 (accepted, API version 1.1) added an
upload-timefield to the JSON serialization of the Simple Repository API (spec). PyPI.org and compliant registries already serve this data.The implementation would:
Acceptheader requesting the JSON format (application/vnd.pypi.simple.v1+json) when calling the Simple APIupload-timefrom each file and derivereleaseTimestampper versionThis is fully backward-compatible: servers that don't support JSON content negotiation will continue to work exactly as they do today.
Who benefits
minimumReleaseAgesupport/pypi/<pkg>/json) is unaffected — it already provides timestamps via a different mechanismImplementation
I have a working implementation ready as a PR. It modifies only
getSimpleDependency()inlib/modules/datasource/pypi/index.ts— the JSON API path (getDependency()) and URL routing ingetReleases()are untouched.Beta Was this translation helpful? Give feedback.
All reactions