build: update poetry to latest version #393

Merged
merged 1 commit into from
Feb 26, 2024
Conversation

maxrake
Contributor

@maxrake maxrake commented Feb 26, 2024

Poetry is the workflow management tool used for this project and forms the root of all other actions taken when working with this repository. It is also used to manage dependencies and therefore should be treated very carefully, with updates to newer versions taken deliberately.

This PR updates poetry to the latest version of v1.8.1 to account for the changes introduced in both v1.8.0 and v1.8.1, with these actions taken:

  • Bump all instances of poetry to the new version
    • Installs in workflows
    • pre-commit hook revision
    • Dockerfiles
  • Update the lockfile with the new version of poetry

None of the changes or new features in these new versions required any updates to the use of poetry in this project. Interestingly, a change to "Upgrade the warning about an inconsistent lockfile to an error" (#8737) still does not address the lockfile injection attack outlined in the "Bad Beat Poetry" blog post. Therefore, it is still recommended to check and refresh the lockfile every time before using it to install an environment:

```
poetry check --lock
poetry lock --no-update --no-cache
poetry install ...
```

A review of the latest poetry-core release (v1.9.0) did not prove that an upgrade to that version in the phylum-ci project is needed at this time.

Poetry is the workflow management tool used for this project and forms
the root of all other actions taken when working with this repository.
It is also used to manage dependencies and therefore should be treated
very carefully, with updates to newer versions taken deliberately.

This PR updates `poetry` to the latest version of v1.8.1 to account for
the [changes introduced](https://python-poetry.org/history) in both
v1.8.0 and v1.8.1, with these actions taken:

* Bump all instances of `poetry` to the new version
  * Installs in workflows
  * pre-commit hook revision
  * Dockerfiles
* Update the lockfile with the new version of `poetry`

None of the changes or new features in these new versions required any
updates to the use of `poetry` in this project. Interestingly, a change
to "Upgrade the warning about an inconsistent lockfile to an error"
([#8737](python-poetry/poetry#8737)) still does
not address the lockfile injection attack outlined in the
["Bad Beat Poetry"](https://blog.phylum.io/bad-beat-poetry/) blog post.
Therefore, it is still recommended to check and refresh the lockfile
every time before using it to install an environment:

```
poetry check --lock
poetry lock --no-update --no-cache
poetry install ...
```

A review of the latest `poetry-core` release
([v1.9.0](https://github.com/python-poetry/poetry-core/releases/tag/1.9.0))
did not prove that an upgrade to that version in the `phylum-ci` project
is needed at this time.
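The check-and-refresh sequence recommended above can be wrapped so that a refresh which rewrites the lockfile is treated as a finding rather than silently accepted, since a lockfile that `poetry check --lock` accepts can still carry entries that do not come from `pyproject.toml`. The script below is an added example, not code from the phylum-ci project or from this PR; it assumes `poetry` (or whatever `$POETRY` names) is on `PATH` and that `pyproject.toml` and `poetry.lock` sit in the current directory.

```shell
#!/usr/bin/env sh
# Added example (not part of phylum-ci): run the lockfile check and
# refresh from the PR description as one guarded step before install.
# Assumption: `poetry` (or $POETRY) is on PATH; the lockfile path is
# given as the first argument and defaults to ./poetry.lock.

set -eu

POETRY="${POETRY:-poetry}"

# Returns 0 when the lockfile is consistent with pyproject.toml and a
# refresh leaves it byte-for-byte unchanged; returns 1 otherwise.
# Treating "refresh changed the file" as a failure surfaces a lockfile
# that drifted (or was edited) instead of quietly overwriting it in CI.
verify_lockfile() {
    lock="${1:-poetry.lock}"

    # Step 1: content-hash check of the lockfile against pyproject.toml.
    if ! "$POETRY" check --lock; then
        echo "lockfile is inconsistent with pyproject.toml" >&2
        return 1
    fi

    # Step 2: refresh without upgrading pins and without the local cache,
    # then compare a checksum taken before and after the refresh.
    before=$(cksum < "$lock")
    "$POETRY" lock --no-update --no-cache
    after=$(cksum < "$lock")
    if [ "$before" != "$after" ]; then
        echo "lockfile changed on refresh; review the diff before installing" >&2
        return 1
    fi
    return 0
}

# Step 3: only install once the lockfile passed both checks.
install_env() {
    verify_lockfile "${1:-poetry.lock}" && "$POETRY" install
}
```

In a pipeline, call `install_env` and let a non-zero exit stop the job; a changed lockfile then shows up as a reviewable diff rather than being consumed by `poetry install`.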
@maxrake maxrake self-assigned this Feb 26, 2024
@maxrake maxrake requested a review from a team as a code owner February 26, 2024 19:25

Phylum OSS Supply Chain Risk Analysis - SUCCESS

The Phylum risk analysis is complete and has passed the active policy.

View this project in the Phylum UI

@maxrake maxrake merged commit 09136bc into main Feb 26, 2024
13 checks passed
@maxrake maxrake deleted the update_poetry branch February 26, 2024 20:35