-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sort extras and extras dependencies in lockfile #6169
Sort extras and extras dependencies in lockfile #6169
Conversation
@radoering, would you consider accepting a pull request to cherry pick this fix to Poetry 1.1? The issue it fixes is presently breaking Dependabot for all users (in addition to all of our CI pipelines). |
Not sure if that's enough for another 1.1 release. We will probably only do another 1.1 release if poetry breaks for the majority of users like the breaking warehouse change, which was the reason for 1.1.14. Is it really breaking Dependabot or is it just adding noise to the PRs? Actually, I think some shuffling in addition to the real change is annoying but not a blocker. |
I get what you are saying about Dependabot continuing to function. The extra pull request noise isn't a major concern in and of itself. There is presently no single correct lock file though as the output of |
@finswimmer Since #5834 proposes to do another 1.1 release: Do you think we should include this one as well if we really do another release? It seems like a quite riskless change and #6153 could be considered as an (externally triggered) regression. 🤷 |
+1 on backporting, if we are certain to do another 1.1 release, since this is pretty much harmless. I can prepare a backport PR just in case. |
there are zillions of bug fixes that could be backported, this one isn't special, just release 1.2 already! Then no-one will need the backport. |
This is the only Poetry 1.1 bug I'm aware of that knocks over many CI pipelines in a way where the path-of-least-resistance workaround is to disable (or not implement) an important security check (namely that |
Folk who remain on 1.1 are going to be out of support soon anyway, the question is whether this fix is important enough to divert maintainer bandwidth from the more important task of releasing 1.2. IMO it's not, releasing 1.2 should be the sole priority right now, anyone who could be making that happen and is instead doing other poetry work is doing it wrong. But if folk want to spend their time doing things that I consider less useful: well I'm not king of the world and can't stop them! |
Make the lockfile consistent with poetry 1.2.0rc1, see python-poetry/poetry#6169. Also get hashes of rasterio wheels that were removed in 05cab28/#29.
* ⬆️ Bump poetry from 1.2.0b3 to 1.2.0rc1 Bumps [poetry](https://github.com/python-poetry/poetry) from 1.2.0b3 to 1.2.0rc1. - [Release notes](https://github.com/python-poetry/poetry/releases) - [Changelog](https://github.com/python-poetry/poetry/blob/master/CHANGELOG.md) - [Commits](python-poetry/poetry@1.2.0b3...1.2.0rc1) * 🎨 Sort extras dependencies in poetry.lock file Make the lockfile consistent with poetry 1.2.0rc1, see python-poetry/poetry#6169. Also get hashes of rasterio wheels that were removed in 05cab28/#29.
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Pull Request Check List
Resolves: #6153
This PR sorts extras under
[package.extras]
in the lockfile, as well as their dependencies.Note:
poetry/src/poetry/packages/locker.py
Lines 591 to 592 in ed88e34
to_pep_508
once python-poetry/poetry-core#102 is merged, but doing so, even withwith_extras=False
, would add environment markers, which I'm not sure is the desired behaviour, so I preferred to leave that untouched.If it is the expected behaviour, I'd be happy to do the change in a follow-up PR.