devpi-server 6.19.2

devpi-server: backend for hosting private package indexes and PyPI on-demand mirrors

devpi-server: backend for hosting private package indexes and PyPI on-demand mirrors

PyPI on-demand package mirror

You can point uv, pip or another Python package installer to the root/pypi/+simple/ index, serving as a transparent on-demand mirror for PyPI-hosted packages.

User specific indexes

Each user (which can represent a person, project or team) can have multiple indexes, and can upload packages and documents to these indexes via standard twine or setup.py invocations. Users and indexes can be manipulated through devpi-client and a RESTful HTTP API.

Index inheritance

Each index can be configured to merge in other indexes so that it serves both its uploads and all releases from other index(es). For example, an index using root/pypi as a parent is a good place to test out a release candidate before you push it to PyPI.

Sensible defaults for a low friction deployment

Get started easily and deploy a devpi-server instance with pre-configured templates for nginx and process managers.

Separate tool for Packaging/Testing activities

The complementary devpi-client tool helps to manage users, indexes, logins and typical package upload and installation workflows.

See https://doc.devpi.net on how to get started and further documentation.

Support

If you find a bug, use the issue tracker at Github.

For general questions, use GitHub Discussions or the devpi-dev@python.org mailing list.

For support contracts and paid help, contact mail at pyfidelity.com.

Changelog

6.19.2 (2026-03-17)

Bug Fixes

• Preserve log for documentation uploads in export.

• Any missing file on mirrors will be ignored during event processing as is already the case in other places.

• Use short timeout when project list is requested for has_project call on mirrors instead of the long one used for list_projects. This prevents installers from timing out and retrying several times.

• Fix error handling for proxy requests from replica to primary.

Other Changes

• Removed limit of reported missing files for devpi-fsck.

6.19.1 (2026-02-09)

Bug Fixes

• Pin setuptools as pyramid still requires pkg_resources.

• Always allow replicas to access deleted releases to get the proper 410 Gone instead of 403 Forbidden when devpi-lockdown is in use.

6.19.0 (2026-02-06)

Features

• Add --autocreate-users server option. Automatically creates users that don’t exist in devpi, but have successfully authenticated via an authentication plugin. A typical example of when to enable this would be when authenticating via an LDAP directory. Automatically created users do not have passwords, and have no password hash to prevent local authentication.

• Add replica-files-in-sync-at, replica-init-queue-finished-at and replica-metadata-in-sync-at to status view, the existing replica-in-sync-at is now a combination of all three instead of just metadata.

• Warn when an unknown option is found in config file to detect typos. Be aware that some commands don’t use all the options, that is why this only warns instead of exiting.

• Add new devpiserver_user_created hook which can be used to create default indexes or other setup for newly created users.

Bug Fixes

• Fix +status json encoding errors by making sure the FatalResponse.url attribute is a string.

• Ignore existing unknown index options from uninstalled plugins when patching other options with += and -=.

• Fix removal with -= of index options with default values from devpiserver_indexconfig_defaults hooks.

• Fix #1110: a list for the listen option in a config file stopped working in 6.18.0.

6.18.0 (2026-01-27)

Features

• Store all available hashes of files.

• Validate hashes of all files during devpi-import, not only releases.

Bug Fixes

• Apply argparse transformations on values read from config file or environment.

• Restore Python and platform info in user agent string after switch to httpx.

• Remove all database entries on project deletion instead of only emptying them.

• Fix error at end of replica streaming caused by changed behavior from switch to httpx.

• Fix #1102: The data stream was cut off after 64k when proxying from replica to primary after switching to httpx.

• Fix #1107: retry file downloads if there has been an error during download.

Other Changes

• The filenames of some exported doczip files change due to normalization of the project name caused by changing the internals during export to allow --hard-links to work.

6.17.0 (2025-08-27)

Deprecations and Removals

• Dropped support for migrating old password hashes that were replaced in devpi-server 4.2.0.

• Removed support for basic authorization in primary URL. The connection is already secured by a bearer token header.

• Removed the experimental --replica-cert option. The replica is already using a token via a shared secret, so this is redundant.

• Removed --replica-max-retries option. It wasn’t implemented for async_httpget and didn’t work correctly when streaming data.

Features

• Use httpx for all data fetching for mirrors and fetch projects list asynchronously to allow update in background even after a timeout.

• Use httpx instead of requests when proxying from replicas to primary.

• Use httpx for all requests from replicas to primary.

• Use httpx when pushing releases to external index.

• Added mirror_ignore_serial_header mirror index option, which allows switching from PyPI to a mirror without serials header when set to True, otherwise only stale links will be served and no updates be stored.

• The HTTP cache information for mirrored projects is persisted and re-used on server restarts.

• Added --file-replication-skip-indexes option to skip file replication for all, by index type (i.e. mirror) or index name (i.e. root/pypi).

Bug Fixes

• Correctly handle lists for Provides-Extra and License-File metadata in database.

• Fix traceback by returning 401 error code when using wrong password with a user that was created using an authentication plugin like devpi-ldap which passes authentication through in that case.

• Fix #1053: allow users to update their passwords when --restrict-modify is used.

• Fix #1097: return 404 when trying to POST to +simple.

Other Changes

• Changed User-Agent when fetching data for mirrors from just “server” to “devpi-server”.