Announcing Poetry 1.6.0

Published on August 20, 2023 in Releases with tags 1.X 1.6

The Poetry team is pleased to announce the immediate availability of Poetry 1.6.0.

If you have a previous version of Poetry installed via the official installer, getting Poetry 1.6.0 is as easy as:

$ poetry self update

Highlights

Official Poetry badge

Poetry provides an official badge that can be used to indicate that a project is managed with Poetry. See the documentation for details.

Support for repositories that do not provide a supported hash algorithm

Some outdated package indices provide only insecure MD5 hashes. Poetry 1.6 supports these repositories by calculating a SHA256 hash for the lockfile itself.

Note
If you care about security, you should still switch to modern package indices that provide secure hashes.
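
One way to check whether an index falls into this category, as an added example that is not part of the Poetry release notes or Poetry's own code: it parses a PEP 503 "simple" project page and reports the files whose link carries only a weak hash or no hash at all. The sample page, the file names and the set of hash names treated as strong are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urlsplit

# Assumption for this example: fragment hash names treated as strong.
STRONG = {"sha256", "sha384", "sha512"}

# Constructed sample page (not a real index); digests are placeholders.
SAMPLE_PAGE = f"""
<a href="files/demo-1.0.tar.gz#md5={'0' * 32}">demo-1.0.tar.gz</a>
<a href="files/demo-1.1.tar.gz#sha256={'ab' * 32}">demo-1.1.tar.gz</a>
<a href="files/demo-1.2-py3-none-any.whl">demo-1.2-py3-none-any.whl</a>
"""


class _Links(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def classify(page_html):
    """Map file name -> (status, hash name); status is strong, weak or missing."""
    parser = _Links()
    parser.feed(page_html)
    report = {}
    for href in parser.hrefs:
        url, fragment = urldefrag(href)
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        algo, sep, digest = fragment.partition("=")
        if not (sep and digest):
            report[name] = ("missing", None)
        else:
            algo = algo.lower()
            report[name] = ("strong" if algo in STRONG else "weak", algo)
    return report


def lacking_strong_hash(page_html):
    """File names whose index entry offers no strong hash to verify against."""
    return sorted(n for n, (status, _) in classify(page_html).items() if status != "strong")


if __name__ == "__main__":
    for name, (status, algo) in sorted(classify(SAMPLE_PAGE).items()):
        print(f"{status:8} {algo or '-':8} {name}")
```

For files reported as weak or missing, a SHA256 computed at lock time pins the bytes that were downloaded then; it is not a digest published by the index.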

Full support for duplicate dependencies with overlapping markers

Poetry 1.6 fully supports duplicate dependencies with overlapping markers. During dependency resolution, it transforms a set of dependencies with overlapping markers into an equivalent set of dependencies with mutually exclusive markers. For example,

my-package = [
    { version = ">=1.0" },
    { version = "<2", markers = "python_version < '3.10'" },
    { version = ">=1.5", markers = "sys_platform == 'win32'" },
]

becomes

my-package = [
    { version = ">=1.0", markers = "python_version >= '3.10' and sys_platform != 'win32'" },
    { version = "<2", markers = "python_version < '3.10' and sys_platform != 'win32'" },
    { version = ">=1.5", markers = "python_version >= '3.10' and sys_platform == 'win32'" },
    { version = ">=1.5,<2", markers = "python_version < '3.10' and sys_platform == 'win32'" },
]

so that for each of the resulting markers a valid solution can be found.

If there is a conflict between the constraints of duplicate dependencies with overlapping markers, a comprehensive error message is displayed. Previously, overlapping markers could result in incorrect dependency resolutions.

Improved performance of poetry lock for certain edge cases

Especially since the release of urllib3 2.0, Poetry has been affected by a dramatic performance regression under certain circumstances when boto3 or botocore were among the dependencies. That’s because Poetry’s algorithm decided to resolve dependencies with fewer candidates first to find conflicts faster (urllib3 has far fewer releases than boto3/botocore). However, all of the many versions of boto3/botocore are incompatible with urllib3 >= 2.0, so the algorithm has to try all of them before it chooses an older version of urllib3. Even though resolving dependencies with fewer candidates first will find conflicts a bit faster in some cases, it tends to be a lot slower in other cases. Therefore, we inverted the heuristics to resolve dependencies with more candidates first, which seems to be a bit slower in some cases, but a lot faster in other cases.

Other important Changes

Dropping support for Python 3.7 as runtime environment

Poetry 1.6 drops runtime support for Python 3.7.

Note
This change is about installing and running Poetry itself. Managing projects requiring Python 3.7 might still work.

Changelog

Added

Changed

Fixed

Docs

poetry-core (1.7.0)

poetry-plugin-export (^1.5.0)