For what it’s worth, we don’t record any credentials in `uv.lock`; they all get redacted (from index URLs, Git URLs, etc.), and we require that users provide them at install-time.
(This is about recording dependencies and dependents.) We do this in `uv.lock` since we record the entire graph. In the context of this spec, though, that’s less relevant. It is useful for things like `uv tree`, where we show you why each package is included (like, the path of dependencies that led to it being required). I think it’s useful to be allowed to record it, but it doesn’t seem like a requirement.
By the way: are we referring to recording the requirements, or the resolved dependencies? Like `flask>=1`, or a “reference” to `flask==1.0.5` in the lockfile?
We don’t support this, but I think the closest thing is this issue: Request for `uv.lock` to support different index urls across different developer machines and CI environments · Issue #6349 · astral-sh/uv · GitHub. The user says that in their setup, every developer has a different index URL, which is a proxy pointing to the registry. So they want to be able to “swap out” the index URL at install time. I think this is roughly what you’re describing? I had proposed adding some API on our end that lets users declare a URL as a proxy for another URL, like:
```toml
[[tool.uv.index]]
name = "private"
url = "https://private.org/simple"
proxy = "http://<omitted>/pypi/simple"
```
Then, at install time, we’d basically just replace references to `https://private.org/simple` with `http://<omitted>/pypi/simple`. But we haven’t implemented it yet.
P.S. Separately, this is sort of pedantic, but is it actually a requirement in the Simple API that no two distributions have the same name? It sounds like a silly question, but I’ve genuinely considered having a Simple API return a concatenated list of distributions from two other registries, which would lead to all URLs being unique but some filenames overlapping. I don’t think that’s a spec violation but I’m guessing I’m wrong. (I think if we allowed users to provide just an index plus a filename, we’d effectively be encoding this requirement.)
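The two mechanisms the post describes (redacting credentials before a URL is written to the lockfile, and swapping a recorded index URL for a per-machine proxy at install time) can be sketched in a few lines. This is an added illustration, not uv’s code; the `proxy` key follows the proposal quoted above, which the post says is unimplemented, and the index table, proxy host, and wheel URLs are constructed sample values. The rewrite only matches at a path boundary, so a lookalike index such as `https://private.org/simple-other` is left untouched.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, mirroring the [[tool.uv.index]] proposal from the post
# (hypothetical schema; "proxy.internal" is a placeholder host).
INDEXES = [
    {
        "name": "private",
        "url": "https://private.org/simple",
        "proxy": "http://proxy.internal/pypi/simple",
    },
]


def redact_credentials(url: str) -> str:
    """Strip the userinfo part (user:password@) from a URL before it is
    recorded in a lockfile. Index URLs and Git URLs are both handled the same
    way, since the credential always lives in the netloc."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to redact; keep the original bytes untouched
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    # Note: urlsplit lowercases the hostname; that is acceptable for a lockfile.
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def apply_proxy(url: str, indexes=INDEXES) -> str:
    """Install-time step: if `url` lives under a declared index that has a
    proxy, rewrite it to the proxy. Matching is done on the exact URL or on a
    '/'-terminated prefix so that unrelated paths sharing a prefix are not
    redirected."""
    for idx in indexes:
        proxy = idx.get("proxy")
        if not proxy:
            continue
        canonical = idx["url"].rstrip("/")
        target = proxy.rstrip("/")
        if url.rstrip("/") == canonical:
            return target
        if url.startswith(canonical + "/"):
            return target + url[len(canonical):]
    return url  # not under any proxied index: leave as recorded


def write_lock_entry(name: str, version: str, index_url: str, wheel_url: str) -> dict:
    """Build the lockfile record for one resolved distribution: the canonical
    (un-proxied) index is kept so every machine agrees on the graph, and any
    credentials present at resolve time are redacted."""
    return {
        "name": name,
        "version": version,
        "index": redact_credentials(index_url),
        "url": redact_credentials(wheel_url),
    }


def install_url(entry: dict, indexes=INDEXES) -> str:
    """Resolve the URL a given machine should actually fetch for a lock entry."""
    return apply_proxy(entry["url"], indexes)


if __name__ == "__main__":
    # Constructed resolve-time input carrying a credential that must not be persisted.
    entry = write_lock_entry(
        "flask",
        "1.0.5",
        "https://ci-user:s3cret@private.org/simple",
        "https://ci-user:s3cret@private.org/simple/flask/flask-1.0.5-py3-none-any.whl",
    )
    print("locked:", entry)
    print("fetch from:", install_url(entry))
```

The lock entry keeps `https://private.org/simple/...` so the resolved graph is identical on every machine, and only the install step decides which proxy serves it.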