fix: only consider package links for sdist and bdist_wheels (#5767)

Only follow and lock links for packages of type `sdist` or `bdist_wheel`
in PyPi repository.

Closes: https://github.com/python-poetry/poetry/issues/3649
Closes: https://github.com/python-poetry/poetry/issues/4903

(This is a port of https://github.com/python-poetry/poetry/pull/3656.)

src/poetry/repositories/pypi_repository.py

@@ -25,11 +25,12 @@ cache_control_logger.setLevel(logging.ERROR)
 
 
 logger = logging.getLogger(__name__)
 logger = logging.getLogger(__name__)
 
 
-
 if TYPE_CHECKING:
 if TYPE_CHECKING:
     from packaging.utils import NormalizedName
     from packaging.utils import NormalizedName
     from poetry.core.semver.version_constraint import VersionConstraint
     from poetry.core.semver.version_constraint import VersionConstraint
 
 
+SUPPORTED_PACKAGE_TYPES = {"sdist", "bdist_wheel"}
+
 
 
 class PyPiRepository(HTTPRepository):
 class PyPiRepository(HTTPRepository):
     def __init__(
     def __init__(
@@ -165,8 +166,9 @@ class PyPiRepository(HTTPRepository):
 
 
         links = []
         links = []
         for url in json_data["urls"]:
         for url in json_data["urls"]:
-            h = f"sha256={url['digests']['sha256']}"
-            links.append(Link(url["url"] + "#" + h, yanked=self._get_yanked(url)))
+            if url["packagetype"] in SUPPORTED_PACKAGE_TYPES:
+                h = f"sha256={url['digests']['sha256']}"
+                links.append(Link(url["url"] + "#" + h, yanked=self._get_yanked(url)))
 
 
         return links
         return links
 
 
@@ -201,12 +203,13 @@ class PyPiRepository(HTTPRepository):
             version_info = []
             version_info = []
 
 
         for file_info in version_info:
         for file_info in version_info:
-            data.files.append(
-                {
-                    "file": file_info["filename"],
-                    "hash": "sha256:" + file_info["digests"]["sha256"],
-                }
-            )
+            if file_info["packagetype"] in SUPPORTED_PACKAGE_TYPES:
+                data.files.append(
+                    {
+                        "file": file_info["filename"],
+                        "hash": "sha256:" + file_info["digests"]["sha256"],
+                    }
+                )
 
 
         if self._fallback and data.requires_dist is None:
         if self._fallback and data.requires_dist is None:
             self._log("No dependencies found, downloading archives", level="debug")
             self._log("No dependencies found, downloading archives", level="debug")
@@ -219,7 +222,7 @@ class PyPiRepository(HTTPRepository):
             for url in json_data["urls"]:
             for url in json_data["urls"]:
                 # Only get sdist and wheels if they exist
                 # Only get sdist and wheels if they exist
                 dist_type = url["packagetype"]
                 dist_type = url["packagetype"]
-                if dist_type not in ["sdist", "bdist_wheel"]:
+                if dist_type not in SUPPORTED_PACKAGE_TYPES:
                     continue
                     continue
 
 
                 urls[dist_type].append(url["url"])
                 urls[dist_type].append(url["url"])

tests/repositories/test_pypi_repository.py

@@ -330,3 +330,25 @@ def test_use_pypi_pretty_name() -> None:
     package = repo.find_packages(Factory.create_dependency("twisted", "*"))
     package = repo.find_packages(Factory.create_dependency("twisted", "*"))
     assert len(package) == 1
     assert len(package) == 1
     assert package[0].pretty_name == "Twisted"
     assert package[0].pretty_name == "Twisted"
+
+
+def test_find_links_for_package_of_supported_types():
+    repo = MockRepository()
+    package = repo.find_packages(Factory.create_dependency("hbmqtt", "0.9.6"))
+
+    assert len(package) == 1
+
+    links = repo.find_links_for_package(package[0])
+
+    assert len(links) == 1
+    assert links[0].is_sdist
+    assert links[0].show_url == "hbmqtt-0.9.6.tar.gz"
+
+
+def test_get_release_info_includes_only_supported_types():
+    repo = MockRepository()
+
+    release_info = repo._get_release_info(name="hbmqtt", version="0.9.6")
+
+    assert len(release_info["files"]) == 1
+    assert release_info["files"][0]["file"] == "hbmqtt-0.9.6.tar.gz"