Reputation: 3958
How to update Poetry's lock file without upgrading dependencies?
After adding a [tool.poetry.extras] section to pyproject.toml, Poetry displays the following warning, for example on install:
Warning: The lock file is not up to date with the latest changes in pyproject.toml. You may be getting outdated dependencies. Run update to update them.
That's fine, but if I run poetry update it upgrades my dependencies, which is not what I want at this time. If I run poetry lock instead, it still upgrades dependencies.
Sorry for not providing a reproducible example, it's quite tricky to generate a poetry.lock file with outdated dependencies. My existing one is too large for posting here.
Update: Opened sdispater/poetry#1614 for this issue
Upvotes: 117
Views: 230270
Answers (3)
Reputation: 38740
With poetry v2.0.0 (release date: 04.01.2025):
poetry lock
alone should be enough. As you can see in the v2 documentation:
By default, packages that have already been added to the lock file before will not be updated.
With poetry v1, the lock action defaults to updating dependencies when recreating the lockfile. There is a specific option for the lock command that prevents this:
poetry lock --no-update
This makes it possible to remove a dependency from pyproject.toml and update the lock file without upgrading dependencies.
Note that this flag is only available since 1.1.2.
Upvotes: 204
Reputation: 3958
There does not currently (as of version 1.0.0b6) seem to be any Poetry command which updates the lock file without also upgrading dependencies.
However, if your project has some up-to-date dependency foo, you can work around this limitation by invoking the following command:
poetry update foo
This will leave foo at the current version (because it is already at the latest version), and also won't touch any other dependencies. But it will synchronize the lock file with any changes to pyproject.toml.
In my own case, this command added the [extras] section to the lock file and updated the metadata content hash, without touching anything else. The lock file was now up-to-date and the warning disappeared.
Update:
A better workaround is to add and remove a package outside of the dependency tree, such as insecure-package:
poetry add insecure-package && poetry remove insecure-package
One reason why this is better is that with poetry update you need to pass exactly the same options that you originally used. More details on the GitHub issue mentioned in the question.
Upvotes: 18
Reputation: 2911
Im not sure why poetry lock is updating. The documentation does not mention that it updates the dependencies. This worked for me to remove the warning in my log outputs.
Upvotes: 0
Related Questions
- What is the difference between `poetry lock` and `poetry update --lock`?
- Warning: The lock file is not up to date with the latest changes in pyproject.toml
- Python Poetry - update -dev dependencies only to latest
- Poetry fails with "Retrieved digest for package not in poetry.lock metadata"
- Do I need to validate poetry.lock files?
- Poetry - force install when versions are incompatible?
- poetry: no way exclude dependencies for production?
- How to add kaleido package to poetry.lock file?
- Poetry - Figure out the latest version which is compatible with other dependencies
- Poetry sees an indirect dependency (numpy for python) is outdated, but doesn't update it