Skip to content

Bump poetry from 1.4.2 to 2.3.4#941

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/poetry-2.3.4
Open

Bump poetry from 1.4.2 to 2.3.4#941
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/poetry-2.3.4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026
edited by cursor Bot
Loading

Bumps poetry from 1.4.2 to 2.3.4.

Release notes

Sourced from poetry's releases.

2.3.4

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

2.3.3

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

2.3.2

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

  • Fix an issue where platform_release could not be parsed on Windows Server (#911).

2.3.1

Fixed

... (truncated)

Changelog

Sourced from poetry's changelog.

[2.3.4] - 2026-04-12

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

[2.3.3] - 2026-03-29

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

[2.3.2] - 2026-02-01

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

... (truncated)

Commits
  • 7c7af71 release: bump version to 2.3.4
  • e512e7f fix: refuse to write files outside the target directory during sdist extracti...
  • 506c09d perf: use os.path.abspath() instead of Path.resolve() (#10821)
  • 3d0151a release: bump version to 2.3.3
  • 89f09aa fix long path issue on Windows (#10794)
  • e068177 installer: fix path traversal (#10792)
  • d76a2f6 chore: require new poetry-core version (#10790)
  • 859d443 Update init & new commands for PEP 639 (License) (#10787)
  • 2ff2845 fix: pass auth via Request constructor instead of calling HTTPBasicAuth on un...
  • 286e43b env: improve error handling if .venv is not a directory but a file (#10777)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Low risk dependency pin update in requirements.txt; main impact is potential CI/build environment changes if Poetry 2.x behavior differs from 1.x.

Overview
Updates the pinned Poetry version in requirements.txt from 1.4.2 to 2.3.4.

Reviewed by Cursor Bugbot for commit c35f26d. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot
Bump poetry from 1.4.2 to 2.3.4
c35f26d 
Bumps [poetry](https://github.com/python-poetry/poetry) from 1.4.2 to 2.3.4.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@1.4.2...2.3.4)

---
updated-dependencies:
- dependency-name: poetry
  dependency-version: 2.3.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 22, 2026
@dependabot dependabot Bot mentioned this pull request Apr 22, 2026
Closed
@jit-ci
Copy link
Copy Markdown

jit-ci Bot commented Apr 22, 2026

❌ Jit Scanner failed - Our team is investigating

Jit Scanner failed - Our team has been notified and is working to resolve the issue. Please contact support if you have any questions.

💡 Need to bypass this check? Comment @sera bypass to override.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants