Dev dependency get locked as main dependency when constraint is a list

[ISO-morphism]

• I am on the latest Poetry version.
• I have searched the issues of this repo and believe that this is not a duplicate.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name: Ubuntu 18.10
• Poetry version: 0.12.5
• Link of a Gist with the contents of your pyproject.toml file: https://gist.github.com/ISO-morphism/1ffe8786755057778b00b845d2d471fc

Issue

While perusing the Poetry source code I stumbled across this block that looked like it could cause a bug. When a member of dev-dependencies has multiple constraints expressed as a list (like this), poetry lock will lock it as a main dependency (like this).

When reading in a .pyproject.toml file, Poetry will internally add a Dependency to a Package that gets initialized from reading a pyproject.toml file.

Steps to reproduce

1. $ git clone https://github.com/sdispater/poetry.git
2. Add keyring = ["16.0.0", "16.0.0"] to [tool.poetry.dev-dependencies] in pyproject.toml
3. $ poetry lock
4. Search poetry.lock for keyring, see that category = "main"

or in one line:

git clone https://github.com/sdispater/poetry.git && \
cd poetry && \
mv pyproject.toml pyproject.toml.bak && \
sed -e '/\[tool.poetry.dev-dependencies\]/a\' -e 'keyring = ["16.0.0", "16.0.0"]' pyproject.toml.bak > pyproject.toml && \
poetry lock && \
grep -C3 'name = "keyring"' poetry.lock

produces for me:

$ git clone https://github.com/sdispater/poetry.git && \
> cd poetry && \
> mv pyproject.toml pyproject.toml.bak && \
> sed -e '/\[tool.poetry.dev-dependencies\]/a\' -e 'keyring = ["16.0.0", "16.0.0"]' pyproject.toml.bak > pyproject.toml && \
> poetry lock && \
> grep -C3 'name = "keyring"' poetry.lock
Cloning into 'poetry'...
remote: Enumerating objects: 73, done.
remote: Counting objects: 100% (73/73), done.
remote: Compressing objects: 100% (57/57), done.
remote: Total 7105 (delta 26), reused 39 (delta 14), pack-reused 7032
Receiving objects: 100% (7105/7105), 7.85 MiB | 1.22 MiB/s, done.
Resolving deltas: 100% (4703/4703), done.
Updating dependencies
Resolving dependencies... (1.4s)


Writing lock file

[[package]]
category = "main"
description = "Store and access your passwords safely."
name = "keyring"
optional = false
python-versions = ">=2.7"
version = "16.0.0"

This particular example also violates the !!!note found in the docs in that identical constraints do not cause an error.

[ISO-morphism]

I was mistaken on the Poetry version, this issue was found on the latest master but also exists for the 0.12.5 tag.

[ISO-morphism]

Also mistaken about violating docs, docs were talking about a single multiconstraint, this example is multiple exact constraints.

[jhrmnn]

It also happens with a git dependency with a specified commit.

[zyv]

Also got hit by this one, using git commit pinning.

[mm-matthias]

I also hit this issue today with git commits. Is this just a bug or something that's wrong by design?

[mm-matthias]

It seems the code here https://github.com/sdispater/poetry/blob/c497a5d836d72395bda8476edb24bacc698ea9b7/poetry/packages/package.py#L251 does not forward category to VCSDependency. Actually VCSDependency subclasses Dependency, but does not have a category parameter in init() as the other dependency classes have. Changing this is likely trivial, but I wonder:

• which consequences does changing this behaviour have for existing projects? Does poetry have some kind of backwards-compatibility policy here?
• is there a reason why VCSDependency does not have this parameter while the other dependency classes do have it?

@zyv fyi

[drunkwcodes]

@mm-matthias

1. Just do it if it's a bug.
2. No. What it missed is putting a **kwargs in __init__() and passing to super().__init__().

[nyanpasu64]

Oh I'm working on a "fix" locally... am I racing against anyone else?

@drunkwcodes are you a contributor or a user like me?

Do I add **kwargs to VCSDependency.__init__(), and not add category="main",?

[drunkwcodes]

@jimbo1qaz A user just had a glance at this.

And yes.

[nyanpasu64]

will my PR be reviewed and likely accepted? Should I ask questions in this issue, or create a PR and force-push to fix reviews there?

do I remove VCSDependency(optional=False) and rely on **kwargs for that argument as well?

[drunkwcodes]

@jimbo1qaz I will make a PR if you are not working on this.

No. I will just add it and don't remove anything.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[nyanpasu64]

is this still broken? i didn't check. Anyway I rebased #996 on develop, fixed merge conflicts, and force-pushed.

[AndrewPix]

@jimbo1qaz Yes, this is still happening with a git dependency with a specified commit

[nyanpasu64]

Fixed in #1725. This issue should be closed.

[finswimmer]

Thanks a lot for coming back and reporting it as closed 👍

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.