Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

poetry build does not include locked transitive dependencies in METADATA/PKG-INFO #2331

Closed
2 tasks done
BrandonLWhite opened this issue Apr 20, 2020 · 2 comments
Closed
2 tasks done

poetry build does not include locked transitive dependencies in METADATA/PKG-INFO #2331

BrandonLWhite opened this issue Apr 20, 2020 · 2 comments
Labels
kind/feature Feature requests/implementations

Comments

@BrandonLWhite
Copy link

BrandonLWhite commented Apr 20, 2020
edited
Loading

  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • [N/A] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
  • OS version and name: Ubuntu 18.04.4
  • Poetry version: 1.1.0a1

Issue

When generating a pip-installable package using poetry build, the resulting packages's metadata does not include all of the locked dependencies. Therefore, subsequent installation of the published package will not adhere to the pinned versions in the poetry.lock file.

Examining the Poetry source code, it seems that only the top-level dependencies from pyproject.toml are conveyed in the Requires-Dist: of the wheel METADATA and sdist PKG-INFO. This is probably desirable for library packages that are not standalone applications.

However, the use case I am currently dealing with involves command-line interface (CLI) tools meant to be installed using pipx (which isolates and runs in dedicated virtualenv). We are also using a private PyPI repository (JFrog/Artifactory) though that is irrelevant to the issue. The pip-tools pip-compile serves well in this regard -- the frozen requirements.txt feeds the setup.py sdist bdist_wheel operation and the locked/frozen/pinned dependency flattened tree lands in the METADATA/PKG-INFO. So users simply run pipx install foo-cli and get the exact package versions.

We're auditioning Poetry for our various workflows and this is blocking us from adopting Poetry for use with many of our applications where we need to publish the frozen requirements in the package meta.

In my opinion, Poetry's default behavior when building should be to use the lockfile's dependencies when generating the distribution. If a lock didn't the fallback would be to use pyproject.toml's deps (the current behavior). There could also be a --no-lock type option to control this behavior for the case where you want to publish libraries for reuse. The defaults could also be flipped around, where the current --no-lock remains the default and publishing the locked tree requires adding --lock.
@BrandonLWhite BrandonLWhite added kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Apr 20, 2020
@finswimmer finswimmer added kind/feature Feature requests/implementations and removed kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Apr 21, 2020
@abn abn mentioned this issue Aug 27, 2020
Draft
@finswimmer
Copy link
Member

Duplicate of #2778

@finswimmer finswimmer marked this as a duplicate of #2778 Dec 29, 2021
This was referenced Jul 18, 2022
Closed
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 2, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 2, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/feature Feature requests/implementations
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@finswimmer @BrandonLWhite