Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

poetry build ignores locked versions

See original GitHub issue

I have searched the issues of this repo and believe that this is not a duplicate.
I have searched the documentation and believe that my question is not covered.

Feature Request ?

When running poetry build the wheel metadata seems to be generated based on the pyproject.toml instead of the lock file. Is this intentional? Maybe I am missing something but I thought calling poetry build will create a wheel that will install the exact same dependencies from the lock file.

here’s what the dependencies look like:

[tool.poetry.dependencies]
python = "^3.6"
flask = "^1.0"
requests = "^2.21"
redis = "^3.2"
lxml = "^4.3"
pillow = "^6.0"

And here is the relevant part of the METADATA file from the generated wheel. I expected these to be == exact versions.

Requires-Dist: flask (>=1.0,<2.0)
Requires-Dist: lxml (>=4.3,<5.0)
Requires-Dist: pillow (>=6.0,<7.0)
Requires-Dist: redis (>=3.2,<4.0)
Requires-Dist: requests (>=2.21,<3.0)

Issue Analytics

State:
Created 4 years ago
Comments:11 (1 by maintainers)

Top GitHub Comments

43reactions

Tobotimuscommented, Aug 15, 2020

Applications are not distributed via wheels.

Sorry to be necromancing this issue a year later, but this is simply not the case. If wheels weren’t intended for distributing apps, console-script entry points wouldn’t exist (or at least, would not be so ubiquitous). You might personally prefer to distribute your application as a Docker image rather than a wheel, but not everyone can or should conform to that opinion. A wheel is a perfectly valid distribution for hundreds of applications on PyPI - often it simply involves the user making a virtualenv, running pip install application, and running it with a command. Users in the community of a project I maintained (Red-DiscordBot) have been happily doing this for years. This could even make building application Docker images easier (poetry no longer being a pre-requirement for installing your app as a distribution).

In this use case, it is more suitable for the application’s wheel to have all its primary and transitive dependencies pinned to known working versions. An amazing feature for Poetry which would allow its swift adoption as a dependency management tool for applications would be:

poetry build --format=wheel --dependencies=locked

Perhaps it should also/instead be a key in the [tool.poetry] table so the same behaviour is observed whether the project be installed from an sdist, wheel, VCS etc. I know this would be super useful for a number of projects I’ve been involved with, both in OSS and at work.

4reactions

danmurcommented, Sep 29, 2020

Having the option would be really good.