fix(local): honor ssl_verify=False for data-plane host scheme; allow dimension for sparse indexes#680
Conversation
…ow dimension for sparse indexes Two interrelated Pinecone Local issues: 1. When ssl_verify=False is set on the Pinecone client, IndexModel.__post_init__ still normalises bare hostnames returned by the control plane to https://. Pinecone Local serves plain HTTP only, so the subsequent TLS handshake fails with SSL_WRONG_VERSION_NUMBER even though the user explicitly opted out of TLS verification. Fix: _resolve_index_host (sync, async, and preview variants) now rewrites https:// to http:// on the resolved host whenever ssl_verify=False, matching the user's expressed intent. Explicit host= arguments are unaffected. 2. validate_create_inputs rejects dimension on sparse indexes with a PineconeValueError, but Pinecone Local requires dimension in the POST /indexes body even for sparse indexes and returns 422 if it is absent. Fix: remove the client-side prohibition so dimension is forwarded to the server when provided; cloud Pinecone continues to ignore the field for sparse indexes, and the server is the appropriate authority for what is valid per environment. Fixes pinecone-io#678 Fixes pinecone-io#679
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Want higher recall? High effort reviews run extra passes and find more bugs. A team admin can switch effort levels in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 811ea2a. Configure here.
| ) | ||
| self._host_cache[name] = desc.host | ||
| return desc.host | ||
| resolved = desc.host |
There was a problem hiding this comment.
Cached host skips ssl rewrite
Medium Severity
With ssl_verify=False, the https://→http:// rewrite runs only when _resolve_index_host misses the shared _host_cache and calls describe. On a cache hit it returns the stored host unchanged, so entries written by indexes.describe (always normalized to https://) still trigger TLS against plain-HTTP Pinecone Local.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 811ea2a. Configure here.
Problem
Two bugs make Pinecone Local unusable with the v9 Python SDK.
Issue #678 — data-plane host forced to https:// even with ssl_verify=False
IndexModel.__post_init__callsnormalize_host, which prependshttps://to any bare hostname returned by the control plane (Pinecone Local returns no scheme). Thessl_verify=Falseflag set onPinecone(...)is correctly forwarded to theIndexkwargs, but the host already carrieshttps://by the time the data-plane client is constructed — so an outbound TLS handshake is attempted against a server that serves plain HTTP only. The result isSSL_WRONG_VERSION_NUMBEReven though the user explicitly opted out of TLS.Issue #679 — cannot create a sparse index against Pinecone Local
validate_create_inputsraisesPineconeValueError: dimension must not be provided for sparse indexesbefore any request is sent. Omittingdimensioncauses Pinecone Local to return422 missing field 'dimension'because its/indexesendpoint requires the field regardless ofvector_type. The SDK and the server are in a deadlock with no path to success.Fix
For #678:
_resolve_index_host(sync in_client.py, async inasync_client/pinecone.py, and both sync/async paths inpreview/__init__.py) now rewriteshttps://tohttp://on the resolved host wheneverssl_verify=False. An explicithost=argument passed directly by the caller is returned unchanged. Production hosts — which always have a scheme already explicit in thehoststring — are unaffected because only the name-resolved path (bare hostname →IndexModel.__post_init__→normalize_host) produces an unwantedhttps://for local targets.For #679: The client-side prohibition on
dimensionfor sparse indexes is removed fromvalidate_create_inputs. The field remains optional and is forwarded to the server only when supplied, exactly as it is for dense indexes. Cloud Pinecone silently accepts and ignores an extradimensionon sparse indexes; Pinecone Local requires it. The server is the appropriate authority for per-environment validation.Tests
TestResolveIndexHostSslVerifyintest_client.py: three cases —ssl_verify=Falserewriteshttps://on the name-resolved host,ssl_verify=Truepreserveshttps://, and an explicithost=argument is never rewrittentest_create_sparse_with_dimension_allowedintest_indexes_create.py: replaces the oldtest_create_sparse_with_dimension_raisestest; verifies the request body contains bothvector_type=sparseanddimension=1Fixes #678
Fixes #679
Note
Low Risk
Targeted local-dev fixes with narrow conditions (ssl_verify off + describe-resolved https host; relaxed sparse dimension validation). Production paths with default ssl_verify and typical sparse creates are unchanged.
Overview
Fixes Pinecone Local compatibility in two areas.
When an index host is resolved by name (describe),
ssl_verify=Falsenow rewriteshttps://→http://before caching and connecting, so plain-HTTP local data planes are not forced into TLS. The same logic applies on sync/asyncPinecone,AsyncPinecone, and preview index host resolution. An explicithost=argument is never rewritten.Sparse index creation no longer rejects a client-supplied
dimensioninvalidate_create_inputs; optionaldimensionis still forwarded in the create body when provided, leaving environment-specific rules to the API (needed for Local, harmless for cloud).Reviewed by Cursor Bugbot for commit 811ea2a. Bugbot is set up for automated code reviews on this repo. Configure here.