Poetry version support

[ulgens]

Dependabot supports Poetry but it doesn't use given version in pyproject.toml file. When i use any version newer than 1.0.0a1, update check fails because of changed lock file syntax.

[tommilligan]

Would also be interested in this. Just upgraded to the newly released poetry v1 and getting the error:

updater | ERROR <job_17789943> Error processing tld (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | ERROR <job_17789943>                                   
updater | <job_17789943> [NonExistentKey]   
updater | <job_17789943> 'Key "hashes" does not exist.'  
updater | <job_17789943>                                   
updater | <job_17789943> update [--no-dev] [--dry-run] [--lock] [--] [<packages>]...
updater | <job_17789943> 

[sobolevn]

I am all in for this change!

Repo that has this problem: https://github.com/wemake-services/wemake-python-styleguide/blob/master/pyproject.toml

Poetry version is specified in the build file:

[build-system]
requires = ["poetry>=1.0"]
build-backend = "poetry.masonry.api"

But, it does not work. What website says:

Logs:

updater | ERROR <job_18040832> Error processing astboom (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | ERROR <job_18040832>                                   
updater | <job_18040832> [NonExistentKey]   
updater | <job_18040832> 'Key "hashes" does not exist.'  
updater | <job_18040832>                                   
updater | <job_18040832> update [--no-dev] [--dry-run] [--lock] [--] [<packages>]...
updater | <job_18040832> 
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:319:in `run_poetry_command'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:85:in `block (2 levels) in fetch_latest_resolvable_version_string'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:143:in `with_git_configured'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:73:in `block in fetch_latest_resolvable_version_string'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block (2 levels) in in_a_temporary_directory'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `chdir'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block in in_a_temporary_directory'
updater | ERROR <job_18040832> /usr/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:34:in `in_a_temporary_directory'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:72:in `fetch_latest_resolvable_version_string'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:42:in `latest_resolvable_version'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker.rb:43:in `latest_resolvable_version'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:70:in `preferred_resolvable_version'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:233:in `preferred_version_resolvable_with_unlock?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:225:in `numeric_version_can_update?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:175:in `version_can_update?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:38:in `can_update?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:208:in `requirements_to_unlock'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:159:in `check_and_create_pull_request'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:62:in `check_and_create_pr_with_error_handling'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:48:in `block in run'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:48:in `each'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:48:in `run'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/update_files_job.rb:16:in `perform_job'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/base_job.rb:29:in `run'
updater | ERROR <job_18040832> bin/update_files.rb:21:in `<main>'

In case making a support for several versions is a hard thing, then I suggest to drop poetry@0.x support in favour of poetry@1.x support. Because update process is easy for developers.

[sobolevn]

At this point I have upgraded almost all my packages to poetry@1.0 and dependabot almost stoped working to me 😞

[m-aciek]

Related pull requests: #1571, #1623, #1624. Related issue on feedback repo: https://github.com/dependabot/feedback/issues/798.

[gabor-boros]

Any update on this?

[cjolowicz]

The automated pull request for Poetry 1.0.3 is here: #1667

[ulgens]

#1710

Does anyone have any idea why this test fails?

Tests are failing because dependabot can't parse new lock file format. Any Ruby developers to help with it? 🤕

[sobolevn]

dependendabot is not working for me for almost 4 month now. Sadly, but there's nothing I can do about it.

[tommilligan]

@ulgens I've submitted PR #1739, which fixes the failing tests you mentioned. The fix is only in the tests themselves, so hopefully should be a quick review.

[tetienne]

Issue is now solved.

[sobolevn]

Not fully. There are several issues:

1. I got a lot of spam like this: https://github.com/wemake-services/wemake-python-styleguide/issues?q=is%3Aissue+author%3Aapp%2Fdependabot-preview+is%3Aclosed
2. Every dependency update has merge conflicts. Because of the [metadata].content-hash field: https://github.com/wemake-services/wemake-python-styleguide/pull/1287/files#diff-41fe8bebc1a2a52eb5321b759e40b3a8R1627 Now all merge must be done like: merge first -> rebase second -> merge second. I guess it is a problem with poetry. Here's the upstream issue: Make the lock file more merge-friendly python-poetry/poetry#496

There's a workaround for the second problem: https://pypi.org/project/poetry-merge-lock/

[sobolevn]

Also dependabot cannot update my deps, here's what it says: wemake-services/wemake-python-styleguide#1286 (comment)

[donbowman]

Not fully. There are several issues:

1. I got a lot of spam like this: https://github.com/wemake-services/wemake-python-styleguide/issues?q=is%3Aissue+author%3Aapp%2Fdependabot-preview+is%3Aclosed
2. Every dependency update has merge conflicts. Because of the [metadata].content-hash field: https://github.com/wemake-services/wemake-python-styleguide/pull/1287/files#diff-41fe8bebc1a2a52eb5321b759e40b3a8R1627 Now all merge must be done like: merge first -> rebase second -> merge second. I guess it is a problem with poetry. Here's the upstream issue: python-poetry/poetry#496

There's a workaround for the second problem: https://pypi.org/project/poetry-merge-lock/

python-poetry/poetry#2654 is my PR to poetry to try and resolve this issue upstream. It seeks to make content-hash omitted, so no merge conflict.

[chbndrhnns]

https://pypi.org/project/poetry-merge-lock/ seems archived now.
Are other known workarounds to this issue?

[cjolowicz]

@chbndrhnns These days I use a small shell script with these commands:

git restore --worktree --staged poetry.lock
poetry lock --no-update
git add poetry.lock

See this comment for more details.

[jeffwidman]

Thanks for the feedback, it's Thanksgiving holiday here so I don't have time to look at this in detail as about to head to family gathering, but re-opening so we don't lose track of this.

[edgarrmondragon]

Bump for this. Poetry 1.3 has a new lock poetry.lock format, so dependabot is rewriting the file with the old format 😕

[phillipuniverse]

@edgarrmondragon the Poetry 1.3 update in dependabot is at:

• Update poetry requirement from <1.3.0,>=1.1.15 to >=1.1.15,<1.4.0 in /python/helpers #6302

[deivid-rodriguez]

I agree we should do something about this, but it's tricky.

As per python-poetry/poetry#3316, the poetry-core version information in the [build-system] table in pyproject.toml is currently ignored by Poetry, so that does not seem the way to go.

There's a lock-version field in the [metadata] table, which tells us the format of the lockfile that we should generate, but that's not enough to figure out which version of poetry we should use to generate that format. So the only idea I can think of is the we keep this mapping ourselves, which I guess would work but feels not great.

[jeffwidman]

I'm pretty hesitant to get into the business of storing state ourselves on this. Much prefer we wait for poetry itself to add support for specifying the minimum working version... Looking at the discussion in python-poetry/poetry#3316, it seems the poetry maintainers are open to the idea, just no one has worked on it yet.

[deivid-rodriguez]

I agree with you, I was just sharing the only workaround on our side that I could think of at the moment that does not involve poetry itself recording the version/requirement somehow.

[xmnlab]

hi everyone! is this issue still a problem or was it already fixed?

[deivid-rodriguez]

Still a problem I think. There's been no movement here, so I don't expect this to have been fixed.

[xmnlab]

@deivid-rodriguez, thanks for the quick response!

[ulgens]

Yep, still a problem.

[d3QUone]

Hi team! Any updates here?

[deivid-rodriguez]

No news @d3QUone. I will post an update when there's something to share.

[tianhuil]

Any updates here?

[larsakerson]

Any updates here? Dependabot's commits aren't honoring the python patch version specified in pyproject.toml. They consistently replace it in poetry.lock with a tilde version specification, causing build failures.

[denys-marichev-sumup]

Any updates here? Dependabot's commits aren't honoring the python patch version specified in pyproject.toml. They consistently replace it in poetry.lock with a tilde version specification, causing build failures.

Same problem 🥲

In my pyproject.toml file:

[tool.poetry.dependencies]
python = "3.9.16"

And Dependabot is always trying to replace the line python-versions = "3.9.16" with python-versions = "~3.9" in poetry.lock file 😟

[jeffwidman]

☝️ sounds like a specific bug that isn't related to this general thread of "support multiple versions of poetry/poetry.lock"...

Can you spin that off as a specific issue? I can't guarantee that we'll get to it (in fact a PR would be most welcome!) but it should be a lot more tractable to say "retain specific python pin from pyproject.toml to poetry.lock than it is to say "run with my desired poetry version"... because we should be retaining specific python pins no matter whether we stick with a single poetry version or mutliple.