    Inedo Community Forums

    Posts made by 0xFFFFFFFF

    • PEP 700 conformance for PyPI feeds

      Hi all,

      one can request package metadata from pypi.org like this:

      curl https://pypi.org/simple/psycopg/ -H "Accept: application/vnd.pypi.simple.v1+json" | jq .
      

      which returns something like this

      {
        "meta": {
          "_last-serial": 34419005,
          "api-version": "1.4"
        },
        "alternate-locations": [],
        "name": "psycopg",
        "project-status": {
          "status": "active"
        },
        "versions": [
          "3.0b1",
          ...
        ],
        "files": [
          {
            "core-metadata": {
              "sha256": "37f03f995769dc6eea1b48eeeed2b7dd778755d35f445712f989e302c1d33811"
            },
            "data-dist-info-metadata": {
              "sha256": "37f03f995769dc6eea1b48eeeed2b7dd778755d35f445712f989e302c1d33811"
            },
            "filename": "psycopg-3.0b1-py3-none-any.whl",
            "hashes": {
              "sha256": "fd510caaaa90aec11781c0581a8a03f847e35925db6de293404db87d625a44e8"
            },
            "provenance": null,
            "requires-python": ">=3.6",
            "size": 131830,
            "upload-time": "2021-09-03T21:34:46.638478Z",
            "url": "https://files.pythonhosted.org/packages/4f/09/82c50c58aa2916d0bb1f46e1c4523ab34dd0513623576d1eb2aff2107d43/psycopg-3.0b1-py3-none-any.whl",
            "yanked": false
          },
          {
            "core-metadata": false,
            "data-dist-info-metadata": false,
            "filename": "psycopg-3.0b1.tar.gz",
            "hashes": {
              "sha256": "90188a415f2132eabccfa58ae41330d3bfc1c5c410add4d6194e783521478189"
            },
            "provenance": null,
            "requires-python": ">=3.6",
            "size": 108312,
            "upload-time": "2021-08-30T04:25:06.027667Z",
            "url": "https://files.pythonhosted.org/packages/00/9a/6a9736d77056057ff9329d02499b6f3fd71d3fa0e6ef06e35331e5082254/psycopg-3.0b1.tar.gz",
            "yanked": false
          },
          ...
        ]
      }
      

      while ProGet Version 2025.23 (Build 11) currently returns something like this

      {
        "meta": {
          "api-version": "1.1"
        },
        "name": "my-package",
        "files": [
          {
            "filename": "my_package-1.2.3-py3-none-any.whl",
            "url": "https://proget.my-company.com/pypi/my-pypi-feed/download/my-package/1.2.3/my_package-1.2.3-py3-none-any.whl",
            "requires-python": ">=3.14",
            "core-metadata": {
              "sha256": "ea6628ba83f8e99d903c34a31a75b7029b2784bca386d4291c4596512d16455f"
            },
            "hashes": {
              "md5": "e72e324c1ae5706266286d4153b61da0",
              "sha1": "7afd9775dcb2e1ec15c2d765b1b099429dd836d5",
              "sha256": "61ac54e62ddd357c2111097d34898f2249d2490a8d39f933febcb19da73d26e4",
              "sha512": "d82c3e4b7a5d5a71a0dffade0ac636689c8d8a41b5cc0412d0cf2fec1ba7c4a9248af25613a92f3352c96cb033a1466ed38c30ca33306feba091f4b2c6348d3e"
            }
          },
          ...
        ]
      }
      

      Notably, the response from ProGet advertises PEP 700 conformance by specifying "meta.api-version": "1.1". But according to the specification there should be a versions key at the top level and a size key per file, both of which are missing in the response from ProGet. The specification also mentions an optional upload-time key per file, which is missing here as well.

      I think the versions key isn't as important, but I think that size and upload-time could be really useful.

      Providing size would help tools like uv make use of heuristics to speed up downloads, which can be seen here, where it sorts the wheels to be downloaded by size.

      Given the current wave of supply chain attacks (trivy, litellm, axos, ...), the upload-time key would make it possible to use dependency cooldown features like these:

      • https://pixi.prefix.dev/latest/reference/pixi_manifest/#exclude-newer-optional
      • https://docs.astral.sh/uv/reference/settings/#exclude-newer

      I don't mean to use dependency cooldowns for dependencies from my own ProGet instance, but since I also mix in dependencies from pypi.org, I urgently want to use dependency cooldowns for those dependencies from pypi.org. Tools like uv and pixi, however, will simply assume that there is no package version that satisfies the dependency cooldown period when the upload-time key is not present. So even if upload-time is declared as optional according to PEP 700, I'd highly encourage adding it to the metadata response.

      Changing the behavior of ProGet could break existing workflows, so one would have to be careful adding new keys to the response but I'd like to hear more about what users think about adding the size and upload-time keys in particular or if even going for full PEP 700 conformance would be desirable.

      Cheers

      posted in Support
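As an added example (not part of the original post, and not code from ProGet, uv or pixi), the script below checks a Simple API JSON response against the PEP 700 keys the post lists and then applies an exclude-newer style cooldown to the file list, which makes the practical consequence visible: a file that carries no upload-time can never pass the cooldown, so a feed that omits the key yields no installable candidates. The two responses are constructed from the shapes quoted in the post, with hashes shortened and URLs dropped; they are not live fetches.

```python
"""Added example: check a PEP 691/700 Simple API JSON response for the keys
the post discusses and apply an exclude-newer style dependency cooldown.

Real input is what the post's curl command returns, e.g.
    curl https://pypi.org/simple/psycopg/ -H "Accept: application/vnd.pypi.simple.v1+json"
The two dicts below are constructed from the shapes quoted in the post,
with hashes shortened and URLs omitted; they are not live responses.
"""
from datetime import datetime, timedelta

# Constructed: pypi.org-style response, api-version 1.4 (carries the PEP 700 keys).
PYPI_LIKE = {
    "meta": {"api-version": "1.4"},
    "name": "psycopg",
    "versions": ["3.0b1"],
    "files": [
        {"filename": "psycopg-3.0b1-py3-none-any.whl", "hashes": {"sha256": "fd51..."},
         "size": 131830, "upload-time": "2021-09-03T21:34:46.638478Z", "yanked": False},
        {"filename": "psycopg-3.0b1.tar.gz", "hashes": {"sha256": "9018..."},
         "size": 108312, "upload-time": "2021-08-30T04:25:06.027667Z", "yanked": False},
    ],
}

# Constructed: ProGet-style response, api-version 1.1 without versions/size/upload-time.
PROGET_LIKE = {
    "meta": {"api-version": "1.1"},
    "name": "my-package",
    "files": [
        {"filename": "my_package-1.2.3-py3-none-any.whl", "requires-python": ">=3.14",
         "hashes": {"sha256": "61ac..."}},
    ],
}


def api_version(resp: dict) -> tuple[int, int]:
    """Parse meta.api-version ("1.4" -> (1, 4)) so versions compare numerically."""
    major, minor = resp["meta"]["api-version"].split(".")
    return int(major), int(minor)


def pep700_findings(resp: dict) -> list[str]:
    """List PEP 700 deviations for a response that advertises api-version >= 1.1.

    PEP 700 makes the top-level 'versions' list and the per-file 'size'
    mandatory and leaves 'upload-time' optional; the optional key is still
    reported because cooldown tooling cannot date a file without it.
    """
    if api_version(resp) < (1, 1):
        return []  # pre-PEP 700 response; the keys are not expected
    findings = []
    if not isinstance(resp.get("versions"), list):
        findings.append("missing required top-level 'versions' list")
    for f in resp.get("files", []):
        name = f.get("filename", "<unnamed>")
        if not isinstance(f.get("size"), int):
            findings.append(f"{name}: missing required 'size'")
        if "upload-time" not in f:
            findings.append(f"{name}: optional 'upload-time' absent, undatable for cooldowns")
    return findings


def parse_upload_time(ts: str) -> datetime:
    """PEP 700 upload-time is ISO 8601 in UTC with a trailing 'Z'; rewrite the
    'Z' as '+00:00' so datetime.fromisoformat accepts it on Python < 3.11 too."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def files_passing_cooldown(resp: dict, now_iso: str, cooldown_days: int) -> list[str]:
    """Mimic an exclude-newer filter: keep non-yanked files uploaded on or
    before now - cooldown. A file with no upload-time cannot be dated and is
    dropped, which is the behaviour the post describes for uv and pixi."""
    cutoff = parse_upload_time(now_iso) - timedelta(days=cooldown_days)
    kept = []
    for f in resp.get("files", []):
        if f.get("yanked"):  # PEP 592: bool or reason string, both truthy
            continue
        ts = f.get("upload-time")
        if ts is not None and parse_upload_time(ts) <= cutoff:
            kept.append(f["filename"])
    return kept


if __name__ == "__main__":
    for label, resp in (("pypi.org-like", PYPI_LIKE), ("ProGet-like", PROGET_LIKE)):
        print(f"{label}: api-version {api_version(resp)}")
        for line in pep700_findings(resp) or ["conforms to PEP 700"]:
            print("  ", line)
        print("   passes 7-day cooldown:",
              files_passing_cooldown(resp, "2026-01-01T00:00:00Z", 7))
```

Run against a real feed by replacing the constructed dicts with `json.load` of the curl output; the cooldown check is deliberately strict (no date means no candidate) rather than falling back to "assume old", since treating an undatable upload as safe would defeat the purpose of the cooldown.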