cpm ignores transitive cpanfile url specs (dependency’s own cpanfile not consulted) #262
Description
Dear maintainers,
Hope you are doing fine!
I would like to draw your attention to the following problem summary:
If a direct dependency (A) is installed via top-level cpanfile (with requires 'A' , url => ... ) and A itself ships a cpanfile declaring another private dependency (B) using url => ..., cpm does not read A’s cpanfile.
When META.* of A lists B only as a normal prerequisite (name + version), but B is unindexed (tarball only), and A’s embedded cpanfile provides the url for B, resolution fails:
The main cpanfile
... on runtime => sub { requires 'A' => '1.0.0', url => "http://fqdn/A-1.0.0.tar.gz"; }; ...
The cpanfile of A
... on runtime => sub { requires 'B' => '1.0.0', url => "http://fqdn/B-1.0.0.tar.gz"; }; ...
The cpm command:
cpm install --local-lib-contained local --show-build-log-on-failure
...
2025-09-03T14:45:34,17629606,A| Found dependencies: B (v1.0.0)
2025-09-03T14:45:34,10551722,B| Custom, not found in cpanfile
2025-09-03T14:45:34,10551722,B| MetaCPAN, skip, because MetaCPAN is configured to resolve dev releases only
2025-09-03T14:45:34,10551722,B| MetaDB, 404 Not Found, https://cpanmetadb.plackperl.org/v1.0/package/B
2025-09-03T14:45:34,10551722,B| MetaCPAN, 404 Not Found, https://fastapi.metacpan.org/v1/download_url/B?version=v1.0.0
2025-09-03T14:45:34,10551722,B| Failed to resolve B
...
Is there a way to get transitive private dependencies via the "url" field as well?
Kind regards,
Jakov