Version Strings Lexically Sorting so 2.2.0 < 2.2.0rc1

[medley56]

• Poetry version: Poetry (version 1.7.1)

• Python version: 3.9.18

• OS version and name: MacOS Sonoma 14.2

• pyproject.toml: https://gist.github.com/medley56/8aa8cfa915b2378f9810085055bceb5b

• I am on the latest stable Poetry version, installed using a recommended method.

• I have searched the issues of this repo and believe that this is not a duplicate.

• I have consulted the FAQ and blog for any relevant entries or release notes.

• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

Attached at the bottom is the entire output of poetry lock -vvv. The relevant portion is this:

Source (PyPI): 0 packages found for libera-utils >=2.2.0rc4,<2.2.0
Falling back to installed packages to discover metadata for libera-utils
Found 0 compatible packages for libera-utils
   2: fact: no versions of libera-utils match >=2.2.0rc4,<2.2.0
   2: conflict: no versions of libera-utils match >=2.2.0rc4,<2.2.0
   2: Version solving took 1.289 seconds.
   2: Tried 2 solutions.

Our dependency spec for the libera_utils library is: libera-utils = {version="^2.2.0rc4", allow-prereleases=true}

If you check PyPI, you will see that 2.2.0rc4 and 2.2.0 are both real versions of the libera_utils library. In Python versioning, one would expect 2.2.0 to be greater than 2.2.0rc4. However, it looks like Poetry is lexically sorting these versions, which works just fine as long as you aren't making the exact comparison I'm making here. I want to use the RC version but Poetry appears to reject it for being greater than 2.2.0.

It occurs to me that perhaps this behavior is by design. I'm not intimately familiar with the semantic versioning spec for PyPI but I would believe it if the rc syntax is actually a perversion of the specification. If that (or something similar) is the case, then I simply suggest adding a paragraph to the Poetry docs on the Dependency Specification section. I grepped through there but didn't find any mention of the rc suffix format for PyPI versions.

Lastly, if you have a recommendation on a better way to manage release candidate versions that plays better with Poetry, please guide me.

poetry-lock-vvv.log

[Secrus]

Could you remove your cache (poetry cache clear PyPI --all) and try that again?

[radoering]

That's probably nothing about the cache but about Python version specifier quirks.

The relevant parts of the log:

...
   1: fact: libera-cdk depends on libera-utils (^2.2.0rc4)
...
   1: derived: libera-utils (>=2.2.0rc4,<3.0.0)
...
Source (PyPI): 2 packages found for libera-utils >=2.2.0rc4,<3.0.0
...
   1: derived: not libera-utils (==2.2.0)
Source (PyPI): 0 packages found for libera-utils >=2.2.0rc4,<2.2.0 || >2.2.0,<3.0.0
...

We find 2 packages (2.2.0rc4 and 2.2.0) and derive that 2.2.0 is not suitable. Now, we derive that we need a version that satisfies >=2.2.0rc4,<2.2.0 (or the second part of the or that is obviously empty). However, that is just not possible because <2.2.0 does not allow 2.2.0 pre-releases according to the spec.

We'd probably need a way to distinguish between Python version specifiers < 2.2.0 and real < 2.2.0...

[dimbleby]

which sounds essentially duplicate #8475, #8405, #8202, #8617, #8758 - per python-poetry/poetry-core#645 (comment)

[medley56]

@radoering I think you have nailed it. I did not know that specific detail of exclusive ordered comparisons. This is not a Poetry problem but a user error (my error) in not understanding the details of python version specifiers. I'm going to close it.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.