After adding a [tool.poetry.extras] section to pyproject.toml, Poetry displays the following warning, for example on install:
Warning: The lock file is not up to date with the latest changes in pyproject.toml. You may be getting outdated dependencies. Run update to update them.
That's fine, but if I run poetry update it upgrades my dependencies, which is not what I want at this time. If I run poetry lock instead, it still upgrades dependencies.
Sorry for not providing a reproducible example, it's quite tricky to generate a poetry.lock file with outdated dependencies. My existing one is too large for posting here.
Update: Opened sdispater/poetry#1614 for this issue
As mentioned above, the poetry.lock file prevents you from automatically getting the latest versions of your dependencies. To update to the latest versions, use the update command. This will fetch the latest matching versions (according to your pyproject.
Updating poetry to the latest stable version is as simple as calling the self update command. If you want to install prerelease versions, you can use the --preview option. And finally, if you want to install a specific version you can pass it as an argument to self update.
poetry install: Installs the dependencies specified in pyproject.toml. The first time a project's dependencies are installed, a .lock file is created, which contains the actual version numbers of each package that was installed (i.e.: if Flask = "*" resulted in downloading Flask version 1.0.
According to the maintainers, commit your poetry.lock file to version control. Committing this file to VC is important because it will cause anyone who sets up the project to use the exact same versions of the dependencies that you are using.
There is now an option since 1.1.2 (or earlier?):
poetry lock --no-update
This makes it possible to remove a dependency from pyproject.toml and update the lock file without upgrading dependencies.
Note that the behavior will be changed in v2.0.
There does not currently (as of version 1.0.0b6) seem to be any Poetry command which updates the lock file without also upgrading dependencies.
However, if your project has some up-to-date dependency foo, you can work around this limitation by invoking the following command:
poetry update foo
This will leave foo at the current version (because it is already at the latest version), and also won't touch any other dependencies. But it will synchronize the lock file with any changes to pyproject.toml.
In my own case, this command added the [extras] section to the lock file and updated the metadata content hash, without touching anything else. The lock file was now up-to-date and the warning disappeared.
Update:
A better workaround is to add and remove a package outside of the dependency tree, such as insecure-package:
poetry add insecure-package && poetry remove insecure-package
One reason why this is better is that with poetry update you need to pass exactly the same options that you originally used. More details on the GitHub issue mentioned in the question.