Nexus Repo Manager does not honor PEP440 version epochs correctly

This is the relevant PEP documentation

According to this, if we have a Python package with a “number!semver” then the way version order should be handled is different than how it is currently handled by the Nexus PyPI hosted repo.

We need to figure out why Nexus is not doing this correctly or if their implementation of PEP440 needs to be fixed via a bug.

Where is this causing an issue?

Hi Matthew,

We face this situation because we want to change the way we are versioning our PyPI package in our internal repo and we want to use the epoch value to differentiate this change. So we want to start using 1! so that the previous versioning scheme is always older than versions published using this new scheme.

Sorry but this doesn’t describe where the problem occurs either.

Is this in Search? Browse? pip client?

Symptoms of issues:

Old Pkg versions


2023.11.1
2023.12.1

New Pkg versions


1!1.0.1
1!1.0.2

According to the PEP440 doc, when installing the package using pip install , the newer version 1! should be considered more recent than the prev version. But we still see the old version 2023.12.1 take precedence over 1!1.0.1 etc.

Again, I understand what you’re saying in respect to PEP but you’ve yet to provide specifics on where this problem occurs in Nexus.

Hmm, is it possible to get on a support call for me to be able to show you the symptom? I’m not sure how else I can explain this to you.

Old Pkg versions


2023.11.1
2023.12.1

New Pkg versions


1!1.0.1
1!1.0.2

Given the “Old” and “New (with epoch 1!)” version packages in my Nexus PyPI repo, as a user, when I try to do pip install , it does not install what should be considered the latest version with the epoch. The expectation above is to install version 1!1.0.2, whereas the version being installed is 2023.12.1.

[UPDATING This msg on April 24, 2024, since I’m only allowed 3 comments]
Hello, can we get some help on this? As I said, the issue is, when trying to do a pip install from a client machine pointing to a hosted PyPI repo on Nexus, the expectation is that versions with higher epoch tags should be picked as more recent (1!1.0.1 > 2023.11.1) but we are seeing that Nexus still returns 2023.11.1 as the most recent package.
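The ordering the thread expects, as an added example that is not part of the original posts and is not Nexus or pip code: a small PEP 440 sort key for final releases (epoch and release segment only), applied to the four versions listed above. The function names are chosen for this example, and `epoch_unaware_latest` is a hypothetical comparison that only reproduces the reported symptom; it makes no claim about how Nexus orders versions.

```python
import re

# Versions listed in the thread for the hosted repository.
INDEX_VERSIONS = ["2023.11.1", "2023.12.1", "1!1.0.1", "1!1.0.2"]

# Final releases only: optional "N!" epoch, then a dotted numeric release.
# Pre-, post-, dev- and local-version segments of PEP 440 are out of scope.
_FINAL_RELEASE = re.compile(
    r"^(?:(?P<epoch>[0-9]+)!)?(?P<release>[0-9]+(?:\.[0-9]+)*)$"
)


def sort_key(version):
    """Return (epoch, release) so that tuple comparison follows PEP 440."""
    match = _FINAL_RELEASE.match(version.strip())
    if match is None:
        raise ValueError(f"not a final PEP 440 release: {version!r}")
    epoch = int(match.group("epoch") or 0)  # a missing epoch means epoch 0
    release = [int(part) for part in match.group("release").split(".")]
    while release and release[-1] == 0:  # 1.0 and 1.0.0 are the same release
        release.pop()
    return (epoch, tuple(release))


def latest(versions):
    """Pick the newest version the way an epoch-aware resolver should."""
    return max(versions, key=sort_key)


def epoch_unaware_latest(versions):
    """Hypothetical comparison that drops "N!" before ordering (the symptom)."""
    return max(versions, key=lambda v: sort_key(v.split("!", 1)[-1]))


if __name__ == "__main__":
    print("PEP 440 order:", sorted(INDEX_VERSIONS, key=sort_key))
    print("expected latest:", latest(INDEX_VERSIONS))
    print("epoch-unaware latest:", epoch_unaware_latest(INDEX_VERSIONS))
```

Running the same key over the versions the repository's index actually lists for the package shows whether the epoch releases are present there and which one an epoch-aware client should select.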