
Bump poetry from 2.2.1 to 2.3.4 in /python/helpers #14795

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/python/helpers/poetry-2.3.4

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026

Bumps poetry from 2.2.1 to 2.3.4.

Release notes

Sourced from poetry's releases.

2.3.4

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

2.3.3

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

2.3.2

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

  • Fix an issue where platform_release could not be parsed on Windows Server (#911).

2.3.1

Fixed

... (truncated)

Changelog

Sourced from poetry's changelog.

[2.3.4] - 2026-04-12

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

[2.3.3] - 2026-03-29

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

[2.3.2] - 2026-02-01

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

... (truncated)

Commits
  • 7c7af71 release: bump version to 2.3.4
  • e512e7f fix: refuse to write files outside the target directory during sdist extracti...
  • 506c09d perf: use os.path.abspath() instead of Path.resolve() (#10821)
  • 3d0151a release: bump version to 2.3.3
  • 89f09aa fix long path issue on Windows (#10794)
  • e068177 installer: fix path traversal (#10792)
  • d76a2f6 chore: require new poetry-core version (#10790)
  • 859d443 Update init & new commands for PEP 639 (License) (#10787)
  • 2ff2845 fix: pass auth via Request constructor instead of calling HTTPBasicAuth on un...
  • 286e43b env: improve error handling if .venv is not a directory but a file (#10777)
  • Additional commits viewable in compare view
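The two path traversal fixes in this changelog (sdist extraction, #10837, and the wheel installer, #10792) reduce to one containment rule: refuse to write any archive member whose destination, once normalized, lies outside the target directory. The block below is an added illustration of that rule for a tarball, written against Python's standard tarfile module; it is not Poetry's code, and the archive members and the target directory name `build/target` are constructed for the example. Like commit 506c09d it uses os.path.abspath(), which normalizes the string without touching the filesystem.

```python
import io
import os
import tarfile

def is_within_directory(target_dir: str, member_path: str) -> bool:
    """True if member_path, placed under target_dir, normalizes to a location inside it.
    join() drops the base for absolute member paths and abspath() collapses '..',
    so both escape forms are caught; commonpath avoids the 'target' vs 'target2' trap."""
    target = os.path.abspath(target_dir)
    candidate = os.path.abspath(os.path.join(target, member_path))
    return os.path.commonpath([target, candidate]) == target

def unsafe_members(archive: tarfile.TarFile, target_dir: str) -> list[str]:
    """Names of members that would write to, or link to, a path outside target_dir."""
    bad = []
    for member in archive.getmembers():
        if not is_within_directory(target_dir, member.name):
            bad.append(member.name)
            continue
        if member.issym() or member.islnk():
            # Symlink targets are relative to the link's directory, hard links to the root.
            base = os.path.dirname(member.name) if member.issym() else ""
            if not is_within_directory(target_dir, os.path.join(base, member.linkname)):
                bad.append(member.name)
    return bad

def safe_extract(archive: tarfile.TarFile, target_dir: str) -> None:
    """Extract only if every member stays inside target_dir; otherwise refuse outright."""
    bad = unsafe_members(archive, target_dir)
    if bad:
        raise ValueError(f"refusing to extract, members escape target directory: {bad}")
    archive.extractall(target_dir)

def build_sample_archive() -> tarfile.TarFile:
    """Constructed in-memory sdist-like tarball mixing benign and escaping members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/setup.py", "../escape.txt", "/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        for name, link in (("pkg/bad_link", "../../outside"), ("pkg/ok_link", "setup.py")):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = link
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Because abspath() never follows symlinks already on disk, the link-member check above is what keeps a later member from writing through a link the same archive created; on Python versions that support it, passing `filter="data"` to extractall() adds an equivalent stdlib-level check.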

@dependabot dependabot Bot added dependencies python Dependabot pull requests that update Python code labels Apr 22, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 22, 2026 14:50
kbukum1 commented Apr 24, 2026

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/pip/python/helpers/poetry-2.3.4 branch from cce5061 to 7c14b28 April 24, 2026 02:09
Bumps [poetry](https://github.com/python-poetry/poetry) from 2.2.1 to 2.3.4.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.2.1...2.3.4)

---
updated-dependencies:
- dependency-name: poetry
  dependency-version: 2.3.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps): bump poetry from 2.2.1 to 2.3.4 in /python/helpers Bump poetry from 2.2.1 to 2.3.4 in /python/helpers May 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/python/helpers/poetry-2.3.4 branch from 7c14b28 to e7d9cf6 May 20, 2026 17:51