Poetry version support

[ulgens]

Dependabot supports Poetry but it doesn't use given version in pyproject.toml file. When i use any version newer than 1.0.0a1, update check fails because of changed lock file syntax.

[tommilligan]

Would also be interested in this. Just upgraded to the newly released poetry v1 and getting the error:

updater | ERROR <job_17789943> Error processing tld (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | ERROR <job_17789943>                                   
updater | <job_17789943> [NonExistentKey]   
updater | <job_17789943> 'Key "hashes" does not exist.'  
updater | <job_17789943>                                   
updater | <job_17789943> update [--no-dev] [--dry-run] [--lock] [--] [<packages>]...
updater | <job_17789943> 

[sobolevn]

I am all in for this change!

Repo that has this problem: https://github.com/wemake-services/wemake-python-styleguide/blob/master/pyproject.toml

Poetry version is specified in the build file:

[build-system]
requires = ["poetry>=1.0"]
build-backend = "poetry.masonry.api"

But, it does not work. What website says:

Logs:

updater | ERROR <job_18040832> Error processing astboom (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | ERROR <job_18040832>                                   
updater | <job_18040832> [NonExistentKey]   
updater | <job_18040832> 'Key "hashes" does not exist.'  
updater | <job_18040832>                                   
updater | <job_18040832> update [--no-dev] [--dry-run] [--lock] [--] [<packages>]...
updater | <job_18040832> 
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:319:in `run_poetry_command'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:85:in `block (2 levels) in fetch_latest_resolvable_version_string'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:143:in `with_git_configured'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:73:in `block in fetch_latest_resolvable_version_string'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block (2 levels) in in_a_temporary_directory'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `chdir'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block in in_a_temporary_directory'
updater | ERROR <job_18040832> /usr/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:34:in `in_a_temporary_directory'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:72:in `fetch_latest_resolvable_version_string'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker/poetry_version_resolver.rb:42:in `latest_resolvable_version'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-python-0.113.28/lib/dependabot/python/update_checker.rb:43:in `latest_resolvable_version'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:70:in `preferred_resolvable_version'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:233:in `preferred_version_resolvable_with_unlock?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:225:in `numeric_version_can_update?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:175:in `version_can_update?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/update_checkers/base.rb:38:in `can_update?'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:208:in `requirements_to_unlock'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:159:in `check_and_create_pull_request'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:62:in `check_and_create_pr_with_error_handling'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:48:in `block in run'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:48:in `each'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:48:in `run'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/update_files_job.rb:16:in `perform_job'
updater | ERROR <job_18040832> /home/dependabot/dependabot-updater/lib/dependabot/base_job.rb:29:in `run'
updater | ERROR <job_18040832> bin/update_files.rb:21:in `<main>'

In case making a support for several versions is a hard thing, then I suggest to drop poetry@0.x support in favour of poetry@1.x support. Because update process is easy for developers.

[sobolevn]

At this point I have upgraded almost all my packages to poetry@1.0 and dependabot almost stoped working to me 😞

[m-aciek]

Related pull requests: #1571, #1623, #1624. Related issue on feedback repo: https://github.com/dependabot/feedback/issues/798.

[gabor-boros]

Any update on this?

[cjolowicz]

The automated pull request for Poetry 1.0.3 is here: #1667

[ulgens]

#1710

Does anyone have any idea why this test fails?

Tests are failing because dependabot can't parse new lock file format. Any Ruby developers to help with it? 🤕

[sobolevn]

dependendabot is not working for me for almost 4 month now. Sadly, but there's nothing I can do about it.

[tommilligan]

@ulgens I've submitted PR #1739, which fixes the failing tests you mentioned. The fix is only in the tests themselves, so hopefully should be a quick review.

[tetienne]

Issue is now solved.

[sobolevn]

Not fully. There are several issues:

1. I got a lot of spam like this: https://github.com/wemake-services/wemake-python-styleguide/issues?q=is%3Aissue+author%3Aapp%2Fdependabot-preview+is%3Aclosed
2. Every dependency update has merge conflicts. Because of the [metadata].content-hash field: https://github.com/wemake-services/wemake-python-styleguide/pull/1287/files#diff-41fe8bebc1a2a52eb5321b759e40b3a8R1627 Now all merge must be done like: merge first -> rebase second -> merge second. I guess it is a problem with poetry. Here's the upstream issue: Make the lock file more merge-friendly python-poetry/poetry#496

There's a workaround for the second problem: https://pypi.org/project/poetry-merge-lock/

[sobolevn]

Also dependabot cannot update my deps, here's what it says: wemake-services/wemake-python-styleguide#1286 (comment)

[donbowman]

Not fully. There are several issues:

1. I got a lot of spam like this: https://github.com/wemake-services/wemake-python-styleguide/issues?q=is%3Aissue+author%3Aapp%2Fdependabot-preview+is%3Aclosed
2. Every dependency update has merge conflicts. Because of the [metadata].content-hash field: https://github.com/wemake-services/wemake-python-styleguide/pull/1287/files#diff-41fe8bebc1a2a52eb5321b759e40b3a8R1627 Now all merge must be done like: merge first -> rebase second -> merge second. I guess it is a problem with poetry. Here's the upstream issue: python-poetry/poetry#496

There's a workaround for the second problem: https://pypi.org/project/poetry-merge-lock/

python-poetry/poetry#2654 is my PR to poetry to try and resolve this issue upstream. It seeks to make content-hash omitted, so no merge conflict.

[chbndrhnns]

https://pypi.org/project/poetry-merge-lock/ seems archived now.
Are other known workarounds to this issue?

[cjolowicz]

@chbndrhnns These days I use a small shell script with these commands:

git restore --worktree --staged poetry.lock
poetry lock --no-update
git add poetry.lock

See this comment for more details.

[deivid-rodriguez]

I agree with you, I was just sharing the only workaround on our side that I could think of at the moment that does not involve poetry itself recording the version/requirement somehow.

[xmnlab]

hi everyone! is this issue still a problem or was it already fixed?

[deivid-rodriguez]

Still a problem I think. There's been no movement here, so I don't expect this to have been fixed.

[xmnlab]

@deivid-rodriguez, thanks for the quick response!

[ulgens]

Yep, still a problem.

[d3QUone]

Hi team! Any updates here?

[deivid-rodriguez]

No news @d3QUone. I will post an update when there's something to share.

[tianhuil]

Any updates here?

[larsakerson]

Any updates here? Dependabot's commits aren't honoring the python patch version specified in pyproject.toml. They consistently replace it in poetry.lock with a tilde version specification, causing build failures.

[denys-marichev-sumup]

Any updates here? Dependabot's commits aren't honoring the python patch version specified in pyproject.toml. They consistently replace it in poetry.lock with a tilde version specification, causing build failures.

Same problem 🥲

In my pyproject.toml file:

[tool.poetry.dependencies]
python = "3.9.16"

And Dependabot is always trying to replace the line python-versions = "3.9.16" with python-versions = "~3.9" in poetry.lock file 😟

[jeffwidman]

☝️ sounds like a specific bug that isn't related to this general thread of "support multiple versions of poetry/poetry.lock"...

Can you spin that off as a specific issue? I can't guarantee that we'll get to it (in fact a PR would be most welcome!) but it should be a lot more tractable to say "retain specific python pin from pyproject.toml to poetry.lock than it is to say "run with my desired poetry version"... because we should be retaining specific python pins no matter whether we stick with a single poetry version or mutliple.

[cedric-spinergie]

Hello!
My team and I just stumbled upon this but in the opposite direction: we need to stay on poetry 1.5.1 while the one used by dependabot is 1.8.3.

Would a "quickfix" like specifying the poetry version inside the dependabot.yml be feasible? Or maybe some place else like in the pyproject.toml.

[saada]

Even when using 1.8.3, we started getting 1.8.5 changes. I'm assuming dependabot just bumped their version again

[ulgens]

It's been 5 years, and the same issue happens between 1.8.5 and 2.0.1 now. Therhas e been a major version update and the lock file has a new version now. Github tries to revert it with each Dependabot run.