
"devpi-constrained: an index for devpi-server that provides a constrained list of packages from its bases"

Project description

devpi-constrained: releases filter for devpi-server

This plugin adds a constrained index to devpi-server. The constrained index is read-only and filters releases from its bases similar to Constraints Files in pip.

Installation

devpi-constrained needs to be installed alongside devpi-server to enable constrained indexes.

You can install it with:

pip install devpi-constrained

There is no configuration needed as devpi-server will automatically discover the plugin through calling hooks using the setuptools entry points mechanism.

Motivation

It is often useful to filter Python packages available for installation. For example:

  • Filter package versions with known security issues

  • Provide a “Known Good Set” of packages which have been tested

  • Prevent installation of packages with incompatible licenses

  • Only allow vetted packages

  • Block package versions with breaking changes

With devpi-constrained it is possible to provide a package index which enables all of the above and more.

Usage

Create a constrained index with root/pypi as base:

$ devpi index -c prod/devpi type=constrained bases=root/pypi
https://example.com/prod/devpi:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=
  mirror_whitelist=

$ devpi use prod/devpi

With no constraints set, all releases are available from root/pypi.

Let's add a constraint for pip:

$ devpi index constraints+="pip==6.0"
/prod/devpi constraints+=pip==6.0
https://example.com/prod/devpi?no_projects=:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=pip==6.0
  mirror_whitelist=

Now only pip 6.0 will be listed when looking for releases of pip:

$ devpi list --all pip
http://localhost:3141/root/pypi/+f/610/3897f1bb68d3f/pip-6.0.tar.gz
http://localhost:3141/root/pypi/+f/5ec/6732505bd8be4/pip-6.0-py2.py3-none-any.whl

All other packages are still unconstrained.

To block everything else we add the * constraint:

$ devpi index constraints+="*"
/prod/devpi constraints+=*
https://example.com/prod/devpi?no_projects=:
  type=constrained
  bases=root/pypi
  volatile=True
  acl_upload=root
  acl_toxresult_upload=:ANONYMOUS:
  constraints=pip==6.0,*
  mirror_whitelist=

This differs from pip constraints, where this isn’t possible.

$ devpi list --all devpi-server
GET https://example.com/prod/devpi/devpi-server/
404 Not Found: no project 'devpi-server'

The constraints option can be set in bulk from a file. Create a file constraints.txt with one constraint per line:

pip<8,>4
# a comment
devpi-server>=4

Set the constraints option on your index from the file:

$ devpi index constraints="$(cat constraints.txt)"

Legacy versions

Support for legacy (non PEP440) versions is limited. When the constraint contains any filtering on the version, then no legacy version will pass. Technically legacy versions sort before any PEP440 compliant version, but the packaging library doesn’t expose the operator publicly in an easily usable way, so this compromise was chosen to not have to deal with possibly changing internals.
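The filtering rules described above (per-project specifiers, the * catch-all, and rejection of legacy versions) can be modelled with the packaging library. This is an added illustration, not devpi-constrained's own code; the function names, the sample release list, and letting legacy versions through for a bare project-name constraint are assumptions.

```python
import re

try:
    from packaging.requirements import Requirement
    from packaging.version import InvalidVersion, Version
except ImportError:  # fall back to the copy vendored inside pip
    from pip._vendor.packaging.requirements import Requirement
    from pip._vendor.packaging.version import InvalidVersion, Version

# The constraints.txt shown above, plus "*" to block unlisted projects.
CONSTRAINTS_TXT = "pip<8,>4\n# a comment\ndevpi-server>=4\n*\n"
# Constructed release list; "6.1-SNAPSHOT" is a legacy (non PEP 440) version.
PIP_RELEASES = ["1.5.6", "6.0", "6.1-SNAPSHOT", "7.1.2", "8.0"]

def normalize(name):
    """PEP 503 project-name normalization."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_constraints(text):
    """Return ({project: SpecifierSet}, block_rest) from constraints text."""
    specs, block_rest = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "*":
            block_rest = True  # projects without their own constraint vanish
            continue
        req = Requirement(line)
        specs[normalize(req.name)] = req.specifier
    return specs, block_rest

def visible_versions(project, versions, specs, block_rest):
    """Versions the index would list; None models the 404 'no project' case."""
    spec = specs.get(normalize(project))
    if spec is None:
        return None if block_rest else list(versions)
    visible = []
    for raw in versions:
        try:
            allowed = spec.contains(Version(raw))
        except InvalidVersion:
            # Legacy version: rejected once the constraint filters on version;
            # allowed for a bare project name (assumption).
            allowed = len(spec) == 0
        if allowed:
            visible.append(raw)
    return visible

if __name__ == "__main__":
    print(visible_versions("pip", PIP_RELEASES, *parse_constraints(CONSTRAINTS_TXT)))
```

Running the same model over a candidate constraints file before applying it with devpi index shows which releases would disappear from the index, including any legacy-versioned internal builds.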

Changelog

2.1.0 - 2026-05-08

  • With devpi-server 7.0.0 filtering when inheriting from a constrained index works as expected. [fschulze]

  • Fix version filtering with “*” (all) constraint. [fschulze]

  • Rudimentary support for legacy (non PEP440) versions. [fschulze]

  • Require devpi-server >= 6.10.0. [fschulze]

  • Add support for Python 3.12, 3.13 and 3.14. [fschulze]

  • Fix devpi import/export [amoutaux (Aurélien Moutaux)]

2.0.1 - 2023-03-18

  • Fix filtering of simple links page. [EvaSDK (Gilles Dartiguelongue)]

2.0.0 - 2023-02-21

  • Remove support for Python <= 3.6. [fschulze]

  • Add testing for Python 3.8, 3.9, 3.10, 3.11 and PyPy-3.7. [fschulze]

  • Require devpi-server >= 6.2.0. [fschulze]

1.0.0 - 2019-08-05

  • Initial release. [fschulze (Florian Schulze)]
