Breaking change in Warehouse breaks poetry lock file creation

[cyraxjoe]

• I am on the latest Poetry version.
• I have searched the issues of this repo and believe that this is not a duplicate.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• Linux/Debian bookworm:
• 1.2.0b2:
• Sample pyproject:

Issue

The warehouse project (backend of pypi.org) applied a breaking change that affects poetry lock the releases key is no longer present in the responses, required for the pypi_repository implementation.

It can be easily verified by removing the local cache and inspecting the generated lock file, it would have an empty metadata.files property, something like:

[[package]]
name = "beautifulsoup4"
version = "4.11.1"
description = "Screen-scraping library"
category = "main"
optional = false
python-versions = ">=3.6.0"

[package.dependencies]
soupsieve = ">1.2"

[package.extras]
html5lib = ["html5lib"]
lxml = ["lxml"]

[[package]]
name = "soupsieve"
version = "2.3.2.post1"
description = "A modern CSS selector implementation for Beautiful Soup."
category = "main"
optional = false
python-versions = ">=3.6"

[metadata]
lock-version = "1.1"
python-versions = "^3.10"
content-hash = "36fc53f6339e375f6295378c7a8ecea11e3a04ba0adcbfa7aeb812e30500aad0"

[metadata.files]
beautifulsoup4 = []
soupsieve = []

[Kurt-von-Laven]

I can confirm that this issue is also affecting Poetry 1.1.13 as it is taking down all of our builds.

[novotl]

👍 We're seeing the same with Poetry 1.1.8

[dimbleby]

I suspect a lot of people are about to learn a hard lesson about the dangers of relying on public repositories....

diff --git a/src/poetry/repositories/pypi_repository.py b/src/poetry/repositories/pypi_repository.py
index 0e5beab6..142b29d8 100644
--- a/src/poetry/repositories/pypi_repository.py
+++ b/src/poetry/repositories/pypi_repository.py
@@ -204,7 +204,7 @@ class PyPiRepository(HTTPRepository):
         )

         try:
-            version_info = json_data["releases"][version]
+            version_info = json_data["urls"]
         except KeyError:
             version_info = []

looks like it should fix things on master.

[mkniewallner]

#5972 draft for now, because there may be other places where releases is used, don't know the codebase well enough.
Tested locally, and it seems to work fine.

Also backported the change for 1.1 in https://github.com/mkniewallner/poetry/commits/fix/fix-releases-key-pypi-repository-1.1

[finswimmer]

Thanks a lot everyone for reporting, debugging and starting a PR 👍 Will have a look at your PR @mkniewallner