Poetry 1.2.0a2 - discrepancy in lockfile generation (compared to 1.1.x)

[orlevii]

• I am on the latest Poetry version.
• I have searched the issues of this repo and believe that this is not a duplicate.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name: MacOS BigSur 11.4
• Poetry version: 1.2.0a2

Issue

For some reason poetry 1.2.0a2 is generating a different lockfile then 1.1.x:
Let's take for for example this pyproject.toml:

[tool.poetry]
name = "setuptools_bug"
version = "0.1.0"
description = ""
authors = ["Your Name <[email protected]>"]

[tool.poetry.dependencies]
python = "~3.7.1"
google-cloud-core = "^1.7.2"

[tool.poetry.dev-dependencies]

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"

When using poetry 1.1.x - the lockfile looks fine.
But when using poetry 1.2.0a2 - for some reason "setuptools" is added as a dependency.

Also, the content hash comes out different:

Added the 2 lockfiles here:
1.1.7:
https://gist.github.com/orlevii/b56528719277c54492b44515b2efa22c#file-1-1-7-lockfile

1.2.0a2:
https://gist.github.com/orlevii/b56528719277c54492b44515b2efa22c#file-1-2-0a2-lockfile

[orlevii]

I've looked deeply at the changes and I think this change is related:
https://github.com/python-poetry/poetry/pull/2826/files#diff-4b39a635ef4f2ecc56c75890e6c1c22ec80d3db3385974d7937b295cad7eded1R57

[martinxsliu]

Related: #4242

[apollo13]

Hi @orlevii, this is not a bug. google-api-core which your google-cloud-core depends on has a direct dependency on setuptools:

google-cloud-core 1.7.2 Google Cloud API client core library
├── google-api-core >=1.21.0,<2.0.0dev
│   ├── google-auth >=1.25.0,<2.0dev 
│   │   ├── cachetools >=2.0.0,<5.0 
│   │   ├── pyasn1-modules >=0.2.1 
│   │   │   └── pyasn1 >=0.4.6,<0.5.0 
│   │   ├── rsa >=3.1.4,<5 
│   │   │   └── pyasn1 >=0.1.3 (circular dependency aborted here)
│   │   ├── setuptools >=40.3.0 
│   │   └── six >=1.9.0 
│   ├── googleapis-common-protos >=1.6.0,<2.0dev 
│   │   └── protobuf >=3.12.0 
│   │       └── six >=1.9 (circular dependency aborted here)
│   ├── packaging >=14.3 
│   │   └── pyparsing >=2.0.2 
│   ├── protobuf >=3.12.0 (circular dependency aborted here)
│   ├── pytz * 
│   ├── requests >=2.18.0,<3.0.0dev 
│   │   ├── certifi >=2017.4.17 
│   │   ├── charset-normalizer >=2.0.0,<2.1.0 
│   │   ├── idna >=2.5,<4 
│   │   └── urllib3 >=1.21.1,<1.27 
│   ├── setuptools >=40.3.0 (circular dependency aborted here)
│   └── six >=1.13.0 (circular dependency aborted here)
├── google-auth >=1.24.0,<2.0dev
│   ├── cachetools >=2.0.0,<5.0 
│   ├── pyasn1-modules >=0.2.1 
│   │   └── pyasn1 >=0.4.6,<0.5.0 
│   ├── rsa >=3.1.4,<5 
│   │   └── pyasn1 >=0.1.3 (circular dependency aborted here)
│   ├── setuptools >=40.3.0 
│   └── six >=1.9.0 
└── six >=1.12.0

and
https://github.com/googleapis/python-api-core/blob/1db493cafff62e3a9f0b2d8ddf3071199db1af7e/setup.py#L36

As such it is expected to find setuptools in the lockfile. The actual bug was that 1.1 did not include it (you already linked the correct PR that fixed said bug). If you agree please close this ticket.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.