feat(pypi): add support for JSON-based Simple API (PEP 691)#44222
Open
felipecrs wants to merge 11 commits into
Open
feat(pypi): add support for JSON-based Simple API (PEP 691)#44222felipecrs wants to merge 11 commits into
felipecrs wants to merge 11 commits into
Conversation
|
I swear @felipecrs, everyone I go on GitHub, I run into you =). You might remember me by my non-work user @shadycuz. Thanks for this fix, this issue has been a headache at work. |
Contributor
Author
|
Of course I remember you! From groovy-guru! |
|
Looking forward to this one! |
Contributor
11 tasks
RahulGautamSingh
left a comment
Collaborator
There was a problem hiding this comment.
Thanks for the improvements!
Code looks good to me and approach 1 is the way to go, we have not implemented approach 2 for other datasources as well, as it needs too many API requests.
Contributor
Author
|
Thanks a lot for the review, @RahulGautamSingh! But I'll incorporate some changes from @ahippler's #44182 and add him as co-author. Marking as draft for now. EDIT: Done. |
d962b2f to
4ec5e9a
Compare
Co-authored-by: Andreas Hippler <andreas.hippler@goto.com>
RahulGautamSingh
approved these changes
Jun 30, 2026
RahulGautamSingh
left a comment
Collaborator
There was a problem hiding this comment.
lgtm otherwise.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Renovate has currently two methods for looking up pypi updates:
https://pypi.org/simple/<package>, which only supports listing versionshttps://pypi.org/pypi/<package>/json, which supportsreleaseTimestamp, andsourceUrldetectionThe problem is:
For method 2, Renovate relies on the
releaseskey in the JSON response. Thereleaseskey is deprecated (ref), andhttps://pypi.org/pypi/<package>/jsonmay drop it at any time. When it does, this method will stop working entirely.This is already the case for some private registries like Artifactory. For Artifactory remote repositories, the
releaseskey is still there since it proxieshttps://pypi.org/pypi/<package>/json. But for local repositories, Artifactory already omitsreleasesfrom the response, making Renovate unable to lookup releases in such case.The only alternative for now is to use
registryUrl=https://example.com/artifactory/api/pypi/example-pypi-local/simple/instead, but then Renovate will not extract release timestamps (meaningminimumReleaseAgewon't work).I believe the ultimate solution for this is:
Support JSON-based Simple API (docs) (introduced as PEP 691) when resolving
/simple/<package>.upload-timewhich can be used to detectreleaseTimestamp.https://pypi.org/simple/<package>already supports it.Refactor PyPI JSON to extract release metadata from
https://pypi.org/pypi/<package>/json/<package>/<version>(docs)https://pypi.org/pypi/<package>/json, first retrieve the available versions from the PyPI Simple (as suggested by their documentation), and then query every individual release throughhttps://pypi.org/pypi/<package>/json/<package>/<version>As mentioned above, this PR implements solution 1. If the Simple API returns JSON upon request, we use it and extract
releaseTimestamps. If not, we fallback to HTML parsing like before.Relates to #20070
PS: I started working on this PR before realizing #41916, of which the author stated that he had a working PR (#44182). Apologies!
Context
Please select one of the following:
AI assistance disclosure
Did you use AI tools to create any part of this pull request?
Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.
Claude Opus 4.6 was used to generate the initial code changes.
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via:
The public repository: https://github.com/felipecrs/renovate-repro-pip-pep-691
Important
To verify this against https://pypi.org/simple/, this line needs to be changed in lib/modules/datasource/pypi/index.ts:
I believe we should consider removing that from Renovate as a separate PR, as that prevents users from setting their own
registryUrl=https://pypi.org/simple/. As mentioned above, retrieving releases from https://pypi.org/pypi/ may stop working at any time.