pyodide skeleton pypi --update (or --update-patched) shouldn't attempt to update packages with custom URLs

[agriyakhetarpal]

Description

The recipe for the DuckDB package in Pyodide has a custom URL in its recipe, right now:

url: https://duckdb.github.io/duckdb-pyodide/wheels/duckdb-1.1.2-cp312-cp312-pyodide_2024_0_wasm32.whl

which points to a pre-built wheel hosted on a GitHub Pages website, which is not on PyPI for reasons of CI time.

Running pyodide skeleton pypi --update-patched (or the update equivalent) bumps it to the source distribution of DuckDB available on PyPI, which isn't useful since the package has a custom URL that should be better updated manually by the recipe maintainers from time to time.

Proposed implementation

Use a simple regular expression to check if the existing URL matches https://files.pythonhosted.org/packages/, and if it doesn't, the command should not attempt to update the URL and the checksum. A warning should be raised instead, just like the one that gets raised on attempting to update static/shared libraries – i.e., "Package X update skipped: it uses a custom URL!" or similar.

From @hoodmane below: a better way is to introduce a new YAML field (pin: true, which is false by default) and check for it. If it's set to true, any package with this will not be updated by any commands and the user will need to manually perform the update.

[hoodmane]

I'd say we should add a separate yaml field to pin it rather than a regex. There are reasons to pin python hosted packages too.

[agriyakhetarpal]

That could work, too, but we'll need to remember to instruct users to add that separate YAML field, wouldn't we?

[hoodmane]

Well if we forget then when it bothers you that it's auto updating you can git restore and then pin.

[agriyakhetarpal]

Makes sense, I'll edit the issue title/description!

[ryanking13]

Having a separate field sounds good to me.