Poetry is a tool for dependency management and packaging in Python.

We find files named `pyproject.toml` and `poetry.lock`. The `pyproject.toml` must also use Poetry as its build system; if it does not, the project will not be discovered.

We parse `pyproject.toml` to find direct dependencies and their version constraints:
- `[tool.poetry.dependencies]` - production dependencies
- `[tool.poetry.dev-dependencies]` - development dependencies
If a `poetry.lock` file is discovered, the following is analyzed from the lockfile to supplement the analysis:

- `[package.dependencies]` - the package's dependencies
- `package.category` - the package's environment (dev, test, etc.)
- `package.name` - name of the package
- `package.version` - resolved version of the package

If no `poetry.lock` file is discovered, we fall back to reporting only the direct dependencies parsed from `pyproject.toml`.
| Strategy | Direct Deps | Deep Deps | Edges |
|---|---|---|---|
| `pyproject.toml` and `poetry.lock` are discovered | ✔️ | ✔️ | ✔️ |
| Only `pyproject.toml` is discovered | ✔️ | ❌ | ❌ |
| Only `poetry.lock` is discovered | ❌ | ❌ | ❌ |
- ✔️ - Supported in all projects
- ❌ - Not Supported

Notes:

- For a Poetry project, the build system's `build-backend` must be set to `poetry.core.masonry.api` or `poetry.masonry.api` in `pyproject.toml`. If it is not, the project will not be discovered. Refer to Poetry and PEP-517 for more details.
- All extras specified in `[tool.poetry.extras]` are currently not reported.
- Any path dependencies will not be reported.
Example `pyproject.toml` file (created by `poetry init` and adding relevant dependencies):

```toml
[tool.poetry]
authors = ["User <user@example.com>"]
description = "Example poetry usage"
name = "example-poetry-usage"
version = "0.1.0"

[tool.poetry.dependencies]
loguru = "^0.5"
networkx = {git = "https://github.com/networkx/networkx.git", branch = "v1.10"}
python = "^3.9"

[tool.poetry.dev-dependencies]
flake8 = "3.9.2"

[build-system]
build-backend = "poetry.core.masonry.api"
requires = ["poetry-core>=1.0.0"]
```
and the accompanying `poetry.lock` file (created by Poetry at the time of dependency resolution):

```toml
[[package]]
name = "colorama"
version = "0.4.4"
description = "Cross-platform colored terminal text."
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"

[[package]]
name = "decorator"
version = "5.0.9"
description = "Decorators for Humans"
category = "main"
optional = false
python-versions = ">=3.5"

[[package]]
name = "flake8"
version = "3.9.2"
description = "the modular source code checker: pep8 pyflakes and co"
category = "dev"
optional = false
python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7"

[package.dependencies]
mccabe = ">=0.6.0,<0.7.0"
pycodestyle = ">=2.7.0,<2.8.0"
pyflakes = ">=2.3.0,<2.4.0"

[[package]]
name = "loguru"
version = "0.5.3"
description = "Python logging made (stupidly) simple"
category = "main"
optional = false
python-versions = ">=3.5"

[package.dependencies]
colorama = {version = ">=0.3.4", markers = "sys_platform == \"win32\""}
win32-setctime = {version = ">=1.0.0", markers = "sys_platform == \"win32\""}

[package.extras]
dev = ["codecov (>=2.0.15)", "colorama (>=0.3.4)", "flake8 (>=3.7.7)", "tox (>=3.9.0)", "tox-travis (>=0.12)", "pytest (>=4.6.2)", "pytest-cov (>=2.7.1)", "Sphinx (>=2.2.1)", "sphinx-autobuild (>=0.7.1)", "sphinx-rtd-theme (>=0.4.3)", "black (>=19.10b0)", "isort (>=5.1.1)"]

[[package]]
name = "mccabe"
version = "0.6.1"
description = "McCabe checker, plugin for flake8"
category = "dev"
optional = false
python-versions = "*"

[[package]]
name = "networkx"
version = "1.10"
description = "Python package for creating and manipulating graphs and networks"
category = "main"
optional = false
python-versions = "*"
develop = false

[package.dependencies]
decorator = ">=3.4.0"

[package.source]
type = "git"
url = "https://github.com/networkx/networkx.git"
reference = "v1.10"
resolved_reference = "4d364bfcee7b24f3df137e8dcd36f7a547892e55"

[[package]]
name = "pycodestyle"
version = "2.7.0"
description = "Python style guide checker"
category = "dev"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"

[[package]]
name = "pyflakes"
version = "2.3.1"
description = "passive checker of Python programs"
category = "dev"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"

[[package]]
name = "win32-setctime"
version = "1.0.3"
description = "A small Python utility to set file creation time on Windows"
category = "main"
optional = false
python-versions = ">=3.5"

[package.extras]
dev = ["pytest (>=4.6.2)", "black (>=19.3b0)"]

[metadata]
lock-version = "1.1"
python-versions = "^3.9"
content-hash = "31cb32d5165d1cc95e45e9d3e839af556f548df74dda74e25a02b79ba5aa5948"
# [metadata.files] not shown for brevity
```
If both `poetry.lock` and `pyproject.toml` are discovered, our analysis produces the following dependency graph.

Dependencies highlighted in yellow boxes are direct dependencies; the rest are deep dependencies.

If only `pyproject.toml` is discovered, the following dependency graph is produced.

Dependencies highlighted in yellow boxes are direct dependencies; the rest are deep dependencies.

Without `poetry.lock` we are not able to identify any deep dependencies. We are also unable to locally resolve a dependency when a version range is provided, such as `loguru = "^0.5"`.