
`poetry lock --no-update` still updates dependencies

  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

Issue

To recreate, you can run:

pip install requests==2.25.1
poetry lock --no-update

# Updating dependencies
# Resolving dependencies... (39.6s)

I would expect that after running the commands above, I should just see Resolving dependencies... and my lockfile would just have requests 2.25.1. However, what I actually see is that requests gets updated to 2.26.0.

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 8
  • Comments: 13 (4 by maintainers)

Top GitHub Comments

3 reactions
jeffvswanson commented, Sep 9, 2021

I, too, have a use case where I have a pip installed virtual environment whose dependencies I don’t want updated when I run a poetry lock --no-update. It’s also misleading to me that poetry would update the dependencies for my lock file when I pass a --no-update flag.

It would be really useful to have a flag for the lock, install, or add commands to look in a currently existing virtual environment and pull out those packages as pinned dependencies rather than updating the dependencies. Something like --use-venv path/to/venv or the already existing --no-update.

Current behavior

I have a constraints specification in my requirements.txt, so I have to do a poetry run pip install -r requirements.txt to check and install against the constraints (Behavior poetry does not support, as far as I know. And I’m not going to add and pin each package individually, that’s what poetry is for.). Then, when I perform a poetry install or poetry add package to add a package not specified in the requirements.txt poetry updates my existing virtual environment dependencies while adding the package. So, poetry must know about the package installed with pip.

❯ poetry install
Updating dependencies
Resolving dependencies... (86.3s)

Writing lock file

Package operations: 45 installs, 22 updates, 0 removals

  • Updating six (1.15.0 -> 1.16.0)

Expected behavior

I have an existing virtual environment that did not start from a poetry install. I pass the command:

❯ poetry install --no-update
Resolving dependencies... (72.4s)

Writing lock file

Package operations: 45 installs, 0 updates, 0 removals

  • Installing charset-normalizer (2.0.4)

And I keep my existing virtual environment while letting poetry figure out the dependency resolution within those constraints. That is, poetry treats existing packages as pinned to a specific version, so influxdb = 5.3.1, rather than updating them.

1 reaction
bibz commented, Aug 13, 2021

I believe this is a false positive as Poetry does not know about the package installed by pip.

  • pip install requests==2.25.1 will install requests in whatever Python environment is currently active. It will not interact with Poetry.
  • poetry lock --no-update will actually create the lockfile because you only specified the pyproject.toml.
    • In your case you specified “compatible with 2.25.1 and update-able” with the line `requests = "^2.25.1"`.
    • Since the lockfile does not exist, Poetry will resolve the dependency graph and use the latest 2.y.z version of requests.

Replace pip install … with poetry add requests=2.25.1 and Poetry will pin the dependency to the version 2.25.1. (Note that subsequent poetry update will not update that package unless you relax the constraint. You can do so manually with poetry add requests@latest, or by editing pyproject.toml to add the caret character in front of the version: requests = "^2.25.1".)
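
Added example (not part of the issue thread and not Poetry's own code): a simplified model of the resolution described in the comment above, showing why `^2.25.1` with no lockfile lands on 2.26.0 while an exact pin or an existing lock entry stays at 2.25.1. The `AVAILABLE` list and the function names are constructed for illustration; pre-release and multi-clause constraints are not handled.

```python
# Added example: simplified model of caret-constraint resolution (not Poetry's code).
AVAILABLE = ["2.24.0", "2.25.0", "2.25.1", "2.26.0", "3.0.0"]  # constructed index listing


def parse(version):
    """Turn 'X.Y.Z' into a tuple of ints, padding missing parts with zeros."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def caret_bounds(constraint):
    """Return (lower, upper) for a caret constraint such as '^2.25.1'.

    The upper bound bumps the left-most non-zero component that was written,
    so ^2.25.1 is >=2.25.1,<3.0.0 while ^0.2.3 is >=0.2.3,<0.3.0.
    """
    text = constraint.lstrip("^")
    given = len(text.split("."))
    lower = parse(text)
    # Index of the first non-zero written component, else the last written one.
    idx = next((i for i in range(given) if lower[i] != 0), given - 1)
    upper = lower[:idx] + (lower[idx] + 1,) + (0,) * (2 - idx)
    return lower, upper


def resolve(constraint, available, locked=None):
    """Pick a version: keep a still-valid lock entry, else newest in range."""
    if constraint.startswith("^"):
        lower, upper = caret_bounds(constraint)
    else:  # anything else is treated here as an exact pin, e.g. "2.25.1"
        lower = parse(constraint)
        upper = lower[:2] + (lower[2] + 1,)

    def in_range(version):
        return lower <= parse(version) < upper

    if locked is not None and in_range(locked):
        return locked  # a lockfile entry exists and satisfies pyproject.toml
    candidates = [v for v in available if in_range(v)]
    return max(candidates, key=parse) if candidates else None


if __name__ == "__main__":
    # No lockfile: a pip-installed 2.25.1 is invisible to this resolution.
    print(resolve("^2.25.1", AVAILABLE))
    print(resolve("^2.25.1", AVAILABLE, locked="2.25.1"))
    print(resolve("2.25.1", AVAILABLE))
```

For reproducible builds the practical takeaway is that the version recorded in the lockfile, not whatever is installed in the environment, is what keeps a caret range from floating.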
