How to update Poetry's lock file without upgrading dependencies?
Question:
After adding a [tool.poetry.extras]
section to pyproject.toml
, Poetry displays the following warning, for example on install:
Warning: The lock file is not up to date with the latest changes in pyproject.toml. You may be getting outdated dependencies. Run update to update them.
That’s fine, but if I run poetry update
it upgrades my dependencies, which is not what I want at this time. If I run poetry lock
instead, it still upgrades dependencies.
Sorry for not providing a reproducible example, it’s quite tricky to generate a poetry.lock file with outdated dependencies. My existing one is too large for posting here.
Update: Opened sdispater/poetry#1614 for this issue
Answers:
There does not currently (as of version 1.0.0b6
) seem to be any Poetry command which updates the lock file without also upgrading dependencies.
However, if your project has some up-to-date dependency foo
, you can work around this limitation by invoking the following command:
poetry update foo
This will leave foo
at the current version (because it is already at the latest version), and also won’t touch any other dependencies. But it will synchronize the lock file with any changes to pyproject.toml
.
In my own case, this command added the [extras]
section to the lock file and updated the metadata content hash, without touching anything else. The lock file was now up-to-date and the warning disappeared.
Update:
A better workaround is to add and remove a package outside of the dependency tree, such as insecure-package:
poetry add insecure-package && poetry remove insecure-package
One reason why this is better is that with poetry update
you need to pass exactly the same options that you originally used. More details on the GitHub issue mentioned in the question.
Im not sure why poetry lock
is updating. The documentation does not mention that it updates the dependencies. This worked for me to remove the warning in my log outputs.
There is a specific option for the lock
command:
poetry lock --no-update
This makes it possible to remove a dependency from pyproject.toml
and update the lock file without upgrading dependencies.
Note that this is only available since 1.1.2 (or earlier?) and that the behavior will be changed in v2.0.
After adding a [tool.poetry.extras]
section to pyproject.toml
, Poetry displays the following warning, for example on install:
Warning: The lock file is not up to date with the latest changes in pyproject.toml. You may be getting outdated dependencies. Run update to update them.
That’s fine, but if I run poetry update
it upgrades my dependencies, which is not what I want at this time. If I run poetry lock
instead, it still upgrades dependencies.
Sorry for not providing a reproducible example, it’s quite tricky to generate a poetry.lock file with outdated dependencies. My existing one is too large for posting here.
Update: Opened sdispater/poetry#1614 for this issue
There does not currently (as of version 1.0.0b6
) seem to be any Poetry command which updates the lock file without also upgrading dependencies.
However, if your project has some up-to-date dependency foo
, you can work around this limitation by invoking the following command:
poetry update foo
This will leave foo
at the current version (because it is already at the latest version), and also won’t touch any other dependencies. But it will synchronize the lock file with any changes to pyproject.toml
.
In my own case, this command added the [extras]
section to the lock file and updated the metadata content hash, without touching anything else. The lock file was now up-to-date and the warning disappeared.
Update:
A better workaround is to add and remove a package outside of the dependency tree, such as insecure-package:
poetry add insecure-package && poetry remove insecure-package
One reason why this is better is that with poetry update
you need to pass exactly the same options that you originally used. More details on the GitHub issue mentioned in the question.
Im not sure why poetry lock
is updating. The documentation does not mention that it updates the dependencies. This worked for me to remove the warning in my log outputs.
There is a specific option for the lock
command:
poetry lock --no-update
This makes it possible to remove a dependency from pyproject.toml
and update the lock file without upgrading dependencies.
Note that this is only available since 1.1.2 (or earlier?) and that the behavior will be changed in v2.0.