Update the lock file without upgrading dependencies #1614

Open
cjolowicz opened this issue Nov 21, 2019 · 5 comments
@cjolowicz cjolowicz commented Nov 21, 2019

  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have searched the documentation and believe that my question is not covered.

Feature Request

Please provide a way to update the lock file without upgrading dependencies.

After adding a [tool.poetry.extras] section to pyproject.toml, Poetry displays the following warning, for example on install:

Warning: The lock file is not up to date with the latest changes in pyproject.toml. You may be getting outdated dependencies. Run update to update them.

That's fine, but if I run poetry update it upgrades my dependencies, which is not what I want at this time. If I run poetry lock instead, it still upgrades dependencies. Am I missing something?

Here are the relevant files and the commit:

Sorry for not providing a smaller reproducible example; it's quite tricky to generate a poetry.lock file with outdated dependencies.

@cjolowicz cjolowicz added the Feature label Nov 21, 2019
@finswimmer finswimmer commented Nov 21, 2019

Hello @cjolowicz,

have you tried running poetry install after poetry lock?

Which version of poetry do you use?

fin swimmer

@cjolowicz cjolowicz commented Nov 21, 2019

Hi @finswimmer, thanks for your reply!

I just reproduced this with Poetry 1.0.0b6. Originally I was on 1.0.0b4 when filing this issue.

To reproduce, clone my repository and check out b778b99. Invoke poetry lock, then git diff. The diff shows that Poetry added an [extras] section to the lock file (as it should have), but also upgraded several packages (pyparsing 2.4.4 -> 2.4.5, pytest 5.2.2 -> 5.3.0, pytest-mock 1.11.2 -> 1.12.1, xdoctest 0.10.2 -> 0.10.3).

I don't understand how running poetry install after poetry lock has any bearing on this. My issue is that there is no method to synchronize the lock file with pyproject.toml without also upgrading dependencies.

If I run poetry install after poetry lock, as you suggest, it installs any upgraded packages into the virtualenv. The modifications to the lock file (including dependency upgrades) remain, as would be expected.

@cjolowicz cjolowicz commented Nov 21, 2019

I just found a way to "trick" Poetry into doing this: Invoke poetry update foo where foo is some dependency that is already up-to-date. In my example repository, this would be poetry update click. This will add the [extras] section to the lock file and update the metadata content hash, without upgrading any dependencies.

@finswimmer finswimmer commented Nov 21, 2019

Sorry, it was my misunderstanding about what poetry lock is doing. It actually builds the dependency tree based on the pyproject.toml from scratch and doesn't take into account what's already in the lock file.

AFAIK at the moment there is no way to sync between pyproject.toml and poetry.lock. I thought there was already a discussion somewhere about this. But I couldn't find it.

Maybe two ways to go at the moment:

  1. If you really need to stick to the currently used versions, write them as version constraints in your pyproject.toml

or

  2. Identify the newly added packages in the pyproject.toml, remove the corresponding lines and use poetry add to add them again.
@absassi absassi commented Nov 28, 2019

The trick by @cjolowicz to run poetry update foo (which is a sign that code to recompute the lock file without updating packages is there, it's just that there is no command to run it) seems to work quite well.

However, in some cases, it loses markers and extras of dependencies that were not "updated". One option is to pass all those dependencies in the same update command, if possible (i.e. if they are already up-to-date). Otherwise, one has to be careful and discard these unexpected changes in poetry.lock.
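
One way to make the manual review of poetry.lock described in this thread mechanical, as an added example that is not part of the thread or of Poetry itself: the script compares the lock text before and after a resync and reports added or removed packages, version bumps and dropped markers, while ignoring the expected `[extras]` and content-hash changes. The sample lock text is constructed and trimmed to the keys the script reads (only `name`, `version` and `marker` are compared), and `parse_lock` and `unexpected_changes` are hypothetical helper names.

```python
import re

def parse_lock(text):
    """Map package name -> {"version", "marker"} from poetry.lock text."""
    packages = {}
    for chunk in text.split("[[package]]")[1:]:
        # Keep the package's own keys only: stop at the next table header.
        head = re.split(r"^\[", chunk, maxsplit=1, flags=re.M)[0]
        fields = dict(re.findall(r'^([\w-]+) = "(.*)"$', head, flags=re.M))
        packages[fields["name"]] = {k: fields.get(k) for k in ("version", "marker")}
    return packages

def unexpected_changes(before, after):
    """Return (name, what, old, new) for every change beyond a metadata resync."""
    old, new = parse_lock(before), parse_lock(after)
    findings = []
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            findings.append((name, "removed", old[name]["version"], None))
        elif name not in old:
            findings.append((name, "added", None, new[name]["version"]))
        else:
            for key in ("version", "marker"):
                if old[name][key] != new[name][key]:
                    findings.append((name, key, old[name][key], new[name][key]))
    return findings

# Constructed sample, trimmed to the keys read above (not the issue's lock file).
BEFORE = '''
[[package]]
name = "click"
version = "7.0"
[[package]]
marker = "sys_platform == \\"win32\\""
name = "colorama"
version = "0.4.1"
[[package]]
name = "pytest"
version = "5.2.2"
[metadata]
content-hash = "0000"
'''
# Simulated resync: new [extras] and hash (expected), pytest bump and lost marker.
AFTER = (BEFORE.replace('"5.2.2"', '"5.3.0"').replace("0000", "1111")
         .replace('marker = "sys_platform == \\"win32\\""\n', "")
         .replace("[metadata]", '[extras]\ndocs = ["sphinx"]\n\n[metadata]'))

if __name__ == "__main__":
    print(unexpected_changes(BEFORE, AFTER))
```

In a repository, the two inputs would be the committed lock file (for example from `git show HEAD:poetry.lock`) and the working-tree copy; a non-empty result means the resync changed more than metadata.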
