Update dependency poetry to v2 [SECURITY]#510

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-poetry-vulnerability

Conversation

renovate Bot commented Apr 22, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package            | Change          
poetry (changelog) | 1.1.14 -> 2.3.4

Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

CVE-2026-41140 / GHSA-73h3-mf4w-8647

More information

Details

Summary

The extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4.

Impact

Arbitrary file write (path traversal) from untrusted sdist content.

In practice, the impact is low because an attacker who exploits this vulnerability can as well include arbitrary code in a setup.py, which will be executed when the sdist is built after tar extraction. In other words, a malicious sdist can write arbitrary files by design. However, since it is unexpected and not by design that the file write already happens during tar extraction, this is still considered a vulnerability.

On Python 3.11.2 (Debian Bookworm default, directly tested), a crafted sdist with ../../ tar member paths writes files outside the intended extraction directory. The traversal occurs during metadata resolution (poetry add --lock), before the build backend is run.

Affected Environments:

  • Python 3.10.0 through 3.10.12 (inclusive): tarfile.data_filter absent or broken
  • Python 3.11.0 through 3.11.4 (inclusive): tarfile.data_filter absent or broken
  • Debian Bookworm: Python 3.11.2 (default)
  • Ubuntu 22.04 LTS: Python 3.10.6 (default)
Patches

Versions 2.3.4 and newer of Poetry ensure that paths are inside the target directory.

Root Cause

File: src/poetry/utils/helpers.py, lines 410-426:

import sys
import tarfile
import zipfile
from pathlib import Path


def extractall(source: Path, dest: Path, zip: bool) -> None:
    """Extract all members from either a zip or tar archive."""
    if zip:
        with zipfile.ZipFile(source) as archive:
            archive.extractall(dest)
    else:
        # Interpreters whose backported tarfile.data_filter is known to be broken
        broken_tarfile_filter = {(3, 9, 17), (3, 10, 12), (3, 11, 4)}
        with tarfile.open(source) as archive:
            if (
                hasattr(tarfile, "data_filter")
                and sys.version_info[:3] not in broken_tarfile_filter
            ):
                archive.extractall(dest, filter="data")
            else:
                archive.extractall(dest)  # <-- NO FILTER: path traversal

On Python versions without a working tarfile.data_filter, the else branch at line 426 calls tarfile.extractall() without any filter or path validation. This enables three attack vectors:

  1. Direct path traversal: Tar members with ../../ path components write files outside the extraction directory.
  2. Symlink traversal: A symlink member pointing outside dest, followed by a file written through that symlink, escapes the boundary.
  3. Hardlink attacks: Hardlink members can read arbitrary files (same inode) or overwrite targets outside dest.
Call Sites

This function is called from two locations:

  1. src/poetry/installation/chef.py:104 (_prepare_sdist): During poetry install / poetry add when building a package from sdist. Only triggered when the executor is enabled (actual installation).

  2. src/poetry/inspection/info.py:322 (_from_sdist_file): During dependency resolution (poetry lock / poetry add). This path is reached when the sdist's PKG-INFO lacks Requires-Dist metadata, forcing Poetry to extract the archive (and afterwards build the package).

Suggested Fix

Apply path validation in the else branch, covering direct traversal, symlinks, and hardlinks:

import sys
import tarfile
import zipfile
from pathlib import Path


def extractall(source: Path, dest: Path, zip: bool) -> None:
    """Extract all members from either a zip or tar archive."""
    if zip:
        with zipfile.ZipFile(source) as archive:
            archive.extractall(dest)
    else:
        # Interpreters whose backported tarfile.data_filter is known to be broken
        broken_tarfile_filter = {(3, 9, 17), (3, 10, 12), (3, 11, 4)}
        with tarfile.open(source) as archive:
            if (
                hasattr(tarfile, "data_filter")
                and sys.version_info[:3] not in broken_tarfile_filter
            ):
                archive.extractall(dest, filter="data")
            else:
                # Validate all member paths before extraction: every member
                # (and every link target) must resolve to a location inside dest.
                dest_resolved = dest.resolve()
                safe_members = []
                for member in archive.getmembers():
                    # Joining an absolute member name discards dest, so
                    # absolute names fail this check as well as "../" names.
                    member_path = (dest_resolved / member.name).resolve()
                    if not member_path.is_relative_to(dest_resolved):
                        raise ValueError(
                            f"Refusing to extract {member.name}: "
                            f"would write outside {dest}"
                        )
                    if member.issym():
                        # Symlink targets are relative to the link's own directory
                        link_target = (member_path.parent / member.linkname).resolve()
                        if not link_target.is_relative_to(dest_resolved):
                            raise ValueError(
                                f"Refusing symlink {member.name}: "
                                f"target {member.linkname} outside {dest}"
                            )
                    elif member.islnk():
                        # Hardlink targets are relative to the archive root (dest)
                        link_target = (dest_resolved / member.linkname).resolve()
                        if not link_target.is_relative_to(dest_resolved):
                            raise ValueError(
                                f"Refusing hardlink {member.name}: "
                                f"target {member.linkname} outside {dest}"
                            )
                    safe_members.append(member)
                archive.extractall(dest, members=safe_members)

Severity

  • CVSS Score: 0.6 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

python-poetry/poetry (poetry)

v2.3.4

Fixed
  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#​10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#​10837).

v2.3.3

Fixed
  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#​10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#​10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#​10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#​10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#​10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#​10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#​10787).
Docs
  • Clarify the differences between poetry install and poetry update (#​10713).
  • Clarify the section of fields in the pyproject.toml examples (#​10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#​10759).
  • Fix the system requirements for Poetry (#​10739).
  • Fix the poetry cache clear example (#​10749).
  • Fix the link to pipx installation instructions (#​10783).
poetry-core (2.3.2)
  • Fix an issue where platform_release could not be parsed on Debian Trixie (#​930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#​914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#​919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#​922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#​924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#​925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#​921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#​920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#​929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#​927).

v2.3.2

Changed
poetry-core (2.3.1)
  • Fix an issue where platform_release could not be parsed on Windows Server (#​911).

v2.3.1

Fixed
  • Fix an issue where cached information about each package was always considered outdated (#​10699).
Docs
  • Document SHELL_VERBOSITY environment variable (#​10678).

v2.3.0

Added
  • Add support for exporting pylock.toml files with poetry-plugin-export (#​10677).
  • Add support for specifying build constraints for dependencies (#​10388).
  • Add support for publishing artifacts whose version is determined dynamically by the build-backend (#​10644).
  • Add support for editable project plugins (#​10661).
  • Check requires-poetry before any other validation (#​10593).
  • Validate the content of project.readme when running poetry check (#​10604).
  • Add the option to clear all caches by making the cache name in poetry cache clear optional (#​10627).
  • Automatically update the cache for packages where the locked files differ from cached files (#​10657).
  • Suggest to clear the cache if running a command with --no-cache solves an issue (#​10585).
  • Propose poetry init when trying poetry new for an existing directory (#​10563).
  • Add support for poetry publish --skip-existing for new Nexus OSS versions (#​10603).
  • Show Poetry's own Python's path in poetry debug info (#​10588).
Changed
  • Drop support for Python 3.9 (#​10634).
  • Change the default of installer.re-resolve from true to false (#​10622).
  • PEP 735 dependency groups are considered in the lock file hash (#​10621).
  • Deprecate poetry.utils._compat.metadata, which is sometimes used in plugins, in favor of importlib.metadata (#​10634).
  • Improve managing free-threaded Python versions with poetry python (#​10606).
  • Prefer JSON API to HTML API in legacy repositories (#​10672).
  • When running poetry init, only add the readme field in the pyproject.toml if the readme file exists (#​10679).
  • Raise an error if no hash can be determined for any distribution link of a package (#​10673).
  • Require dulwich>=0.25.0 (#​10674).
Fixed
  • Fix an issue where poetry remove did not work for PEP 735 dependency groups with include-group items (#​10587).
  • Fix an issue where poetry remove caused dangling include-group references in PEP 735 dependency groups (#​10590).
  • Fix an issue where poetry add did not work for PEP 735 dependency groups with include-group items (#​10636).
  • Fix an issue where PEP 735 dependency groups were not considered in the lock file hash (#​10621).
  • Fix an issue where wrong markers were locked for a dependency that was required by several groups with different markers (#​10613).
  • Fix an issue where non-deterministic markers were created in a method used by poetry-plugin-export (#​10667).
  • Fix an issue where wrong wheels were chosen for installation in free-threaded Python environments if Poetry itself was not installed with free-threaded Python (#​10614).
  • Fix an issue where poetry publish used the metadata of the project instead of the metadata of the build artifact (#​10624).
  • Fix an issue where poetry env use just used another Python version instead of failing when the requested version was not supported by the project (#​10685).
  • Fix an issue where poetry env activate returned the wrong command for dash (#​10696).
  • Fix an issue where data-dir and python.installation-dir could not be set (#​10595).
  • Fix an issue where Python and pip executables were not correctly detected on Windows (#​10645).
  • Fix an issue where invalid template variables in virtualenvs.prompt caused an incomprehensible error message (#​10648).
Docs
  • Add a warning about ~/.netrc for Poetry credential configuration (#​10630).
  • Clarify that the local configuration takes precedence over the global configuration (#​10676).
  • Add an explanation in which cases packages are automatically detected (#​10680).
poetry-core (2.3.0)
  • Normalize versions (#​893).
  • Fix an issue where unsatisfiable requirements did not raise an error (#​891).
  • Fix an issue where the implicit main group did not exist if it was explicitly declared as not having any dependencies (#​892).
  • Fix an issue where python_full_version markers with pre-release versions were parsed incorrectly (#​893).

v2.2.1

Fixed
  • Fix an issue where poetry self show failed with a message about an invalid output format (#​10560).
Docs
  • Remove outdated statements about dependency groups (#​10561).
poetry-core (2.2.1)
  • Fix an issue where it was not possible to declare a PEP 735 dependency group as optional (#​888).

v2.2.0

Added
  • Add support for nesting dependency groups (#​10166).
  • Add support for PEP 735 dependency groups (#​10130).
  • Add support for PEP 639 license clarity (#​10413).
  • Add a --format option to poetry show to alternatively output json format (#​10487).
  • Add official support for Python 3.14 (#​10514).
Changed
  • Normalize dependency group names (#​10387).
  • Change installer.no-binary and installer.only-binary so that explicit package names will take precedence over :all: (#​10278).
  • Improve log output during poetry install when a wheel is built from source (#​10404).
  • Improve error message in case a file lock could not be acquired while cloning a git repository (#​10535).
  • Require dulwich>=0.24.0 (#​10492).
  • Allow virtualenv>=20.33 again (#​10506).
  • Allow findpython>=0.7 (#​10510).
  • Allow importlib-metadata>=8.7 (#​10511).
Fixed
  • Fix an issue where poetry new did not create the project structure in an existing empty directory (#​10431).
  • Fix an issue where a dependency that was required for a specific Python version was not installed into an environment of a pre-release Python version (#​10516).
poetry-core (2.2.0)
  • Deprecate table values and values that are not valid SPDX expressions for [project.license] (#​870).
  • Fix an issue where explicitly included files that are in .gitignore were not included in the distribution (#​874).
  • Fix an issue where marker operations could result in invalid markers (#​875).

v2.1.4

Changed
  • Require virtualenv<20.33 to work around an issue where Poetry uses the wrong Python version (#​10491).
  • Improve the error messages for the validation of the pyproject.toml file (#​10471).
Fixed
  • Fix an issue where project plugins were installed even though poetry install was called with --no-plugins (#​10405).
  • Fix an issue where dependency resolution failed for self-referential extras with duplicate dependencies (#​10488).
Docs
  • Clarify how to include files that were automatically excluded via VCS ignore settings (#​10442).
  • Clarify the behavior of poetry add if no version constraint is explicitly specified (#​10445).

v2.1.3

Changed
  • Require importlib-metadata<8.7 for Python 3.9 because of a breaking change in importlib-metadata 8.7 (#​10374).
Fixed
  • Fix an issue where re-locking failed for incomplete multiple-constraints dependencies with explicit sources (#​10324).
  • Fix an issue where the --directory option did not work if a plugin, which accesses the poetry instance during its activation, was installed (#​10352).
  • Fix an issue where poetry env activate -v printed additional information to stdout instead of stderr so that the output could not be used as designed (#​10353).
  • Fix an issue where the original error was not printed if building a git dependency failed (#​10366).
  • Fix an issue where wheels for the wrong platform were installed in rare cases. (#​10361).
poetry-core (2.1.3)
  • Fix an issue where the union of specific inverse or partially inverse markers was not simplified (#​858).
  • Fix an issue where optional dependencies defined in the project section were treated as non-optional when a source was defined for them in the tool.poetry section (#​857).
  • Fix an issue where markers with === were not parsed correctly (#​860).
  • Fix an issue where local versions with upper case letters caused an error (#​859).
  • Fix an issue where extra markers with a value starting with "in" were not validated correctly (#​862).

v2.1.2

Changed
  • Improve performance of locking dependencies (#​10275).
Fixed
  • Fix an issue where markers were not locked correctly (#​10240).
  • Fix an issue where the result of poetry lock was not deterministic (#​10276).
  • Fix an issue where poetry env activate returned the wrong command for tcsh (#​10243).
  • Fix an issue where poetry env activate returned the wrong command for pwsh on Linux (#​10256).
Docs
  • Update basic usage section to reflect new default layout (#​10203).
poetry-core (2.1.2)
  • Improve performance of marker operations (#​851).
  • Fix an issue where incorrect markers were calculated when removing parts covered by the project's Python constraint (#​841, #​846).
  • Fix an issue where extra markers were not simplified (#​842, #​845, #​847).
  • Fix an issue where the intersection and union of markers was not deterministic (#​843).
  • Fix an issue where the intersection of python_version markers was not recognized as empty (#​849).
  • Fix an issue where python_version markers were not simplified (#​848, #​851).
  • Fix an issue where Python constraints on a package were converted into invalid markers (#​853).

v2.1.1

Fixed
  • Fix an issue where poetry env use python does not choose the Python from the PATH (#​10187).
poetry-core (2.1.1)
  • Fix an issue where simplifying a python_version marker resulted in an invalid marker (#​838).

v2.1.0

Added
Changed
Fixed
  • Fix an issue where global options were not handled correctly when positioned after command options (#​10021, #​10067, #​10128).
  • Fix an issue where building a dependency from source failed because of a conflict between build-system dependencies that were not required for the target environment (#​10048).
  • Fix an issue where poetry init was not able to find a package on PyPI while adding dependencies interactively (#​10055).
  • Fix an issue where the @latest descriptor was incorrectly passed to the core requirement parser (#​10069).
  • Fix an issue where Boolean environment variables set to True (in contrast to true) were interpreted as false (#​10080).
  • Fix an issue where poetry env activate reported a misleading error message (#​10087).
  • Fix an issue where adding an optional dependency with poetry add --optional would not correctly update the lock file (#​10076).
  • Fix an issue where pip was not installed/updated before other dependencies resulting in a race condition (#​10102).
  • Fix an issue where Poetry freezes when multiple threads attempt to unlock the keyring simultaneously (#​10062).
  • Fix an issue where markers with extras were not locked correctly (#​10119).
  • Fix an issue where self-referential extras were not resolved correctly (#​10106).
  • Fix an issue where Poetry could not be run from a zipapp (#​10074).
  • Fix an issue where installation failed with a permission error when using the system environment as a user without write access to system site packages (#​9014).
  • Fix an issue where a version of a dependency that is not compatible with the project's python constraint was locked. (#​10141).
  • Fix an issue where Poetry wrongly reported that the current project's supported Python range is not compatible with some of the required packages Python requirement (#​10157).
  • Fix an issue where the requested extras of a dependency were ignored if the same dependency (with same extras) was specified in multiple groups (#​10158).
Docs
  • Sort commands by name in the CLI reference (#​10035).
  • Add missing documentation for env commands (#​10027).
  • Clarify that the name and version fields are always required if the project section is specified (#​10033).
  • Add a note about restarting the shell for tab completion changes to take effect (#​10070).
  • Fix the example for project.gui-scripts (#​10121).
  • Explain how to include files as scripts in the project configuration (#​9572, #​10133).
  • Add additional information on specifying required python versions (#​10104).
poetry-core (2.1.0)
  • Fix an issue where inclusive ordering with post releases was inconsistent with PEP 440 (#​379).
  • Fix an issue where invalid URI tokens in PEP 508 requirement strings were silently discarded (#​817).
  • Fix an issue where wrong markers were calculated when removing parts covered by the project's python constraint (#​824).
  • Fix an issue where optional dependencies that are not part of an extra were included in the wheel metadata (#​830).
  • Fix an issue where the __pycache__ directory and *.pyc files were included in sdists and wheels (#​835).

v2.0.1

Added
  • Add support for poetry search in legacy sources (#​9949).
  • Add a message in the poetry source show output when PyPI is implicitly enabled (#​9974).
Changed
  • Improve performance for merging markers from overrides at the end of dependency resolution (#​10018).
Fixed
  • Fix an issue where poetry sync did not remove packages that were not requested (#​9946).
  • Fix an issue where poetry check failed even though there were just warnings and add a --strict option to fail on warnings (#​9983).
  • Fix an issue where poetry update, poetry add and poetry remove with --only uninstalled packages from other groups (#​10014).
  • Fix an issue where poetry update, poetry add and poetry remove uninstalled all extra packages (#​10016).
  • Fix an issue where poetry self update did not recognize Poetry's own environment (#​9995).
  • Fix an issue where read-only system site-packages were not considered when loading an environment with system site-packages (#​9942).
  • Fix an issue where an error message in poetry install started with Warning: instead of Error: (#​9945).
  • Fix an issue where Command.set_poetry, which is used by plugins, was removed (#​9981).
  • Fix an issue where the help text of poetry build --clean showed a malformed short option instead of the description (#​9994).
Docs
  • Add a FAQ entry for the migration from Poetry-specific fields to the project section (#​9996).
  • Fix examples for project.readme and project.urls (#​9948).
  • Add a warning that package sources are a Poetry-specific feature that is not included in core metadata (#​9935).
  • Replace poetry install --sync with poetry sync in the section about synchronizing dependencies (#​9944).
  • Replace poetry shell with poetry env activate in the basic usage section (#​9963).
  • Mention that project.name is always required when the project section is used (#​9989).
  • Fix the constraint of poetry-plugin-export in the section about poetry export (#​9954).
poetry-core (2.0.1)
  • Replace the deprecated core metadata field Home-page with Project-URL: Homepage (#​807).
  • Fix an issue where includes from tool.poetry.packages without a specified format were not initialized with the default value resulting in a KeyError (#​805).
  • Fix an issue where some project.urls entries were not processed correctly resulting in a KeyError (#​807).
  • Fix an issue where dynamic project.dependencies via tool.poetry.dependencies were ignored if project.optional-dependencies were defined (#​811).

v2.0.0

Added
  • Add support for the project section in the pyproject.toml file according to PEP 621 (#​9135, #​9917).
  • Add support for defining Poetry plugins that are required by the project and automatically installed if not present (#​9547).
  • Lock resulting markers and groups and add a installer.re-resolve option (default: true) to allow installation without re-resolving (#​9427).
  • Add a --local-version option to poetry build (#​9064).
  • Add a --clean option to poetry build (#​9067).
  • Add FIPS support for poetry publish (#​9101).
  • Add the option to use poetry new interactively and configure more fields (#​9101).
  • Add a config option installer.only-binary to enforce the use of binary distribution formats (#​9150).
  • Add backend support for legacy repository search (#​9132).
  • Add support to resume downloads from connection resets (#​9422).
  • Add the option to define a constraint for the required Poetry version to manage the project (#​9547).
  • Add an --all-groups option to poetry install (#​9744).
  • Add an poetry env activate command as replacement of poetry shell (#​9763).
  • Add a --markers option to poetry add to add a dependency with markers (#​9814).
  • Add a --migrate option to poetry config to migrate outdated configs (#​9830).
  • Add a --project option to search the pyproject.toml file in another directory without switching the directory (#​9831).
  • Add support for shortened hashes to define git dependencies (#​9748).
  • Add partial support for conflicting extras (#​9553).
  • Add a poetry sync command as replacement of poetry install --sync (#​9801).
Changed
  • Change the default behavior of poetry lock to --no-update and introduce a --regenerate option for the old default behavior (#​9327).
  • Remove the dependency on poetry-plugin-export so that poetry export is not included per default (#​5980).
  • Outsource poetry shell into poetry-plugin-shell (#​9763).
  • Change the interface of poetry add --optional to require an extra the optional dependency is added to (#​9135).
  • Actually switch the directory when using --directory/-C (#​9831).
  • Drop support for Python 3.8 (#​9692).
  • Rename experimental.system-git-client to experimental.system-git (#​9787, #​9795).
  • Replace virtualenvs.prefer-active-python by the inverse setting virtualenvs.use-poetry-python and prefer the active Python by default (#​9786).
  • Deprecate several fields in the tool.poetry section in favor of the respective fields in the project section in the pyproject.toml file (#​9135).
  • Deprecate poetry install --sync in favor of poetry sync (#​9801).
  • Upgrade the warning if the current project cannot be installed to an error (#​9333).
  • Remove special handling for platformdirs 2.0 macOS config directory (#​8916).
  • Tweak PEP 517 builds (#​9094).
  • Use Poetry instead of pip to manage dependencies in isolated build environments (#​9168, #​9227).
  • Trust empty Requires-Dist with modern metadata (#​9078).
  • Do PEP 517 builds instead of parsing setup.py to determine dependencies (#​9099).
  • Drop support for reading lock files prior version 1.0 (created with Poetry prior 1.1) (#​9345).
  • Default to >= instead of ^ for the Python requirement when initializing a new project (#​9558).
  • Limit build-system to the current major version of poetry-core when initializing a new project (#​9812).
  • Remove pip-based installation, i.e. installer.modern-installation = false (#​9392).
  • Remove virtualenvs.options.no-setuptools config option and never include setuptools per default (#​9331).
  • Rename exceptions to have an Error suffix (#​9705).
  • Remove deprecated CLI options and methods and revoke the deprecation of --dev (#​9732).
  • Ignore installed packages during dependency resolution (#​9851).
  • Improve the error message on upload failure (#​9701).
  • Improve the error message if the current project cannot be installed to include another root cause (#​9651).
  • Improve the output of poetry show <package> (#​9750).
  • Improve the error message for build errors (#​9870).
  • Improve the error message when trying to remove a package from a project without any dependencies (#​9918).
  • Drop the direct dependency on crashtest (#​9108).
  • Require keyring>=23.3.1 (#​9167).
  • Require build>=1.2.1 (#​9283).
  • Require dulwich>=0.22.6 (#​9748).
Fixed
  • Fix an issue where git dependencies with extras could only be cloned if a branch was specified explicitly (#​7028).
  • Fix an issue where poetry env remove failed if virtualenvs.in-project was set to true (#​9118).
  • Fix an issue where locking packages with a digit at the end of the name and non-standard sdist names failed (#​9189).
  • Fix an issue where credentials where not passed when trying to download an URL dependency (#​9202).
  • Fix an issue where using uncommon group names with poetry add resulted in a broken pyproject.toml (#​9277).
  • Fix an issue where an inconsistent entry regarding the patch version of Python was kept in envs.toml (#​9286).
  • Fix an issue where relative paths were not resolved properly when using poetry build --directory (#​9433).
  • Fix an issue where unrequested extras were not uninstalled when running poetry install without an existing lock file (#​9345).
  • Fix an issue where the poetry-check pre-commit hook did not trigger if only poetry.lock has changed (#​9504).
  • Fix an issue where files (rather than directories) could not be added as single page source (#​9166).
  • Fix an issue where invalid constraints were generated when adding a package with a local version specifier (#​9603).
  • Fix several encoding warnings (#​8893).
  • Fix an issue where virtualenvs.prefer-active-python was not respected (#​9278).
  • Fix an issue where the line endings of the lock file were changed (#​9468).
  • Fix an issue where installing multiple dependencies from the same git repository failed sporadically due to a race condition (#​9658).
  • Fix an issue where installing multiple dependencies from forked monorepos failed sporadically due to a race condition (#​9723).
  • Fix an issue where an extra package was not installed if it is required by multiple extras (#​9700).
  • Fix an issue where a direct_url.json with vcs URLs not compliant with PEP 610 was written (#​9007).
  • Fix an issue where other files than wheels were recognized as wheels (#​9770).
  • Fix an issue where installer.max-workers was ignored for the implicit PyPI source (#​9815).
  • Fix an issue where local settings (from poetry.toml) were ignored for the implicit PyPI source (#​9816).
  • Fix an issue where different dulwich versions resulted in different hashes for a git dependency from a tag (#​9849).
  • Fix an issue where installing a yanked package with no dependencies failed with an IndexError (#​9505).
  • Fix an issue where a package could not be added from a source that required an empty password (#​9850).
  • Fix an issue where setting allow-prereleases = false still allowed pre-releases if no other solution was found (#​9798).
  • Fix an issue where the wrong environment was used for checking if an installed package is from system site packages (#​9861).
  • Fix an issue where build errors from builds to retrieve metadata information were hidden (#​9870).
  • Fix an issue where poetry check falsely reported that an invalid source "pypi" is referenced in dependencies ([#​9475](https://redirect.github.com/python-poetry/poet

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
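The three attack vectors and the member-path validation described in the advisory above, as an added example (this is not Poetry's code and not part of the Renovate PR): it constructs a tarball in memory for each vector, runs a validator with the same logic as the advisory's suggested fix against it, and cross-checks the result with the standard library's tarfile.data_filter where that filter exists. The member names, link targets and helper names (build_archive, check_members, verdict, stdlib_verdict) are made up for the example; nothing is extracted and nothing is written outside a temporary directory.

```python
"""Added example, not Poetry's code: exercise the three tar attack vectors
named in the advisory (direct '../' traversal, symlink escape, hardlink
escape) against a validator equivalent to the suggested fix.  Archives are
constructed in memory; nothing is written outside a temporary directory."""
import io
import tarfile
import tempfile
from pathlib import Path


def build_archive(members):
    """Construct a tarball in memory from (name, kind, payload) tuples.
    kind is "file" (payload = content), "sym" or "hard" (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE if kind == "sym" else tarfile.LNKTYPE
                info.linkname = payload
                tar.addfile(info)
    buf.seek(0)
    return buf


def check_members(archive, dest):
    """Return the members safe to extract into dest, raising ValueError on the
    first offender.  Same logic as the advisory's suggested else-branch, factored
    out so it can run without extracting anything."""
    dest_resolved = Path(dest).resolve()
    safe = []
    for member in archive.getmembers():
        # Joining an absolute member name discards dest, so "/etc/..." fails too.
        member_path = (dest_resolved / member.name).resolve()
        if not member_path.is_relative_to(dest_resolved):
            raise ValueError(f"path traversal: {member.name}")
        if member.issym():
            # Symlink targets are relative to the link's own directory.
            target = (member_path.parent / member.linkname).resolve()
            if not target.is_relative_to(dest_resolved):
                raise ValueError(f"symlink escape: {member.name} -> {member.linkname}")
        elif member.islnk():
            # Hardlink targets are relative to the archive root, i.e. dest.
            target = (dest_resolved / member.linkname).resolve()
            if not target.is_relative_to(dest_resolved):
                raise ValueError(f"hardlink escape: {member.name} -> {member.linkname}")
        safe.append(member)
    return safe


def verdict(members):
    """Validate a constructed archive against a fresh temp dir: "ok" or the
    short rejection reason ("path traversal", "symlink escape", "hardlink escape")."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        dest.mkdir()
        with tarfile.open(fileobj=build_archive(members)) as archive:
            try:
                check_members(archive, dest)
            except ValueError as exc:
                return str(exc).split(":", 1)[0]
    return "ok"


def stdlib_verdict(members):
    """Cross-check with the stdlib filter Poetry uses on unaffected interpreters.
    Returns None when tarfile.data_filter is unavailable (the affected
    interpreters), otherwise "ok" or the name of the FilterError raised."""
    if not hasattr(tarfile, "data_filter"):
        return None
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(fileobj=build_archive(members)) as archive:
            for member in archive.getmembers():
                try:
                    tarfile.data_filter(member, tmp)
                except tarfile.FilterError as exc:
                    return type(exc).__name__
    return "ok"


# Constructed sample archives: one per attack vector plus a benign control.
BENIGN = [("pkg-1.0/PKG-INFO", "file", "Name: pkg\n"), ("pkg-1.0/setup.py", "file", "")]
TRAVERSAL = [("../../evil.py", "file", "print('owned')\n")]
ABSOLUTE = [("/etc/cron.d/evil", "file", "* * * * * root id\n")]
SYMLINK = [("out", "sym", "../../../etc"), ("out/cron.d/evil", "file", "* * * * * root id\n")]
HARDLINK = [("copy", "hard", "../../../etc/passwd")]

if __name__ == "__main__":
    cases = [("benign", BENIGN), ("traversal", TRAVERSAL), ("absolute", ABSOLUTE),
             ("symlink", SYMLINK), ("hardlink", HARDLINK)]
    for label, members in cases:
        print(f"{label:10} validator={verdict(members):18} data_filter={stdlib_verdict(members)}")
```

Two things worth noting from running it. First, the validator rejects an absolute member name outright, whereas tarfile.data_filter strips the leading "/" and accepts the member under dest; both keep the write inside dest, but the behaviour differs, so do not expect identical verdicts from the two paths. Second, the validator inspects every member name before any extraction happens, which is the property the advisory's else-branch lacked: on an affected interpreter the unfiltered extractall() would have honoured all four malicious archives.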

@renovate renovate Bot added automerge dependencies Pull requests that update a dependency file labels Apr 22, 2026
@renovate

renovate Bot commented Apr 22, 2026

Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock
Updating dependencies
Resolving dependencies...


The current project's Python requirement (>=3.7.0,<3.12.0) is not compatible with some of the required packages Python requirement:
  - poetry requires Python <4.0,>=3.10, so it will not be satisfied for Python >=3.7.0,<3.10

Because django-model-subscription depends on poetry (2.3.4) which requires Python <4.0,>=3.10, version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For poetry, a possible solution would be to set the `python` property to ">=3.10,<3.12.0"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers
