poetry lock adds duplicate hashes when using multiple constraint dependences

[intgr]

• I am on the latest Poetry version.
• I have searched the issues of this repo and believe that this is not a duplicate.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name: macOS
• Poetry version: 1.2.0
• Link of a Gist with the contents of your pyproject.toml file: https://gist.github.com/intgr/efc96c44c3919189c3757275f0239eb6

Issue

With a dependency specification like

python-ldap = [
  { platform = "linux", version = "3.4.0" },
  { platform = "win32", url = "https://download.lfd.uci.edu/pythonlibs/archived/python_ldap-3.4.0-cp310-cp310-win_amd64.whl" },
]

Every time I run poetry lock --no-update, Poetry adds duplicated hashes for python-ldap to the poetry.lock file.

After the first lock command, the content ends with:

python-ldap = [
    {file = "python-ldap-3.4.0.tar.gz", hash = "sha256:60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12"},
]

After the second run, it's:

python-ldap = [
    {file = "python-ldap-3.4.0.tar.gz", hash = "sha256:60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12"},
    {file = "python-ldap-3.4.0.tar.gz", hash = "sha256:60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12"},
]

Etc, every run adds yet another entry there.

The contents of the lockfile should be deterministic.

[dimbleby]

relevant code should be this loop if anyone is interested in figuring out a fix:

poetry/src/poetry/packages/locker.py

Lines 204 to 220 in a613347

	for package in package_specs:
	if package["name"] not in files:
	files[package["name"]] = []
	for f in package["files"]:
	file_metadata = inline_table()
	for k, v in sorted(f.items()):
	file_metadata[k] = v
	files[package["name"]].append(file_metadata)
	if files[package["name"]]:
	package_files = item(files[package["name"]])
	assert isinstance(package_files, Array)
	files[package["name"]] = package_files.multiline(True)
	del package["files"]

I imagine we're getting two similar package_specs and not doing anything to de-duplicate the things they have in common

[radoering]

All locked filenames/hashes are duplicated once for each direct origin dependency among the multiple constraints dependencies. This issue doesn't occur in poetry 1.1 because direct origin dependencies are always updated (even with --no-update flag). I created a PR to fix this regression.

[intgr]

Thanks! I can confirm that this is fixed in Poetry master branch.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.