Merge branch 'main' into lfs

Author: jelmer

.github/workflows/docs.yaml

@@ -49,7 +49,7 @@ jobs:
 
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "18"
+          node-version: "22"
 
       - uses: ./poetry-github/.github/actions/bootstrap-poetry
 
@@ -68,7 +68,7 @@ jobs:
 
       - uses: amondnet/vercel-action@c71810f8732de6b8656e41155e63b6303ca3e4bf # v42.1.0
         with:
-          vercel-version: 48.12.1
+          vercel-version: 50.44.0
           vercel-token: ${{ secrets.VERCEL_TOKEN }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
           vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}

CHANGELOG.md

@@ -1,5 +1,49 @@
 # Change Log
 
+## [2.4.0] - 2026-05-03
+
+### Added
+
+- Add `solver.min-release-age` setting to require package releases to be a certain number of days old before they are considered during dependency resolution ([#10824](https://github.com/python-poetry/poetry/pull/10824)).
+- Add `solver.min-release-age-exclude` to exclude selected packages from age filtering ([#10824](https://github.com/python-poetry/poetry/pull/10824)).
+- Add `solver.min-release-age-exclude-source` to exclude all packages from selected package indexes from age filtering ([#10824](https://github.com/python-poetry/poetry/pull/10824)).
+
+### Changed
+
+- Raise an error instead of silently ignoring a package name that is not a dependency when it is passed to `poetry update` ([#10721](https://github.com/python-poetry/poetry/pull/10721)).
+- Automatically add a trailing slash to legacy repository URLs (used for publishing) if missing ([#10785](https://github.com/python-poetry/poetry/pull/10785)).
+- Require `installer>=1.0.0` ([#10869](https://github.com/python-poetry/poetry/pull/10869)).
+- Allow `findpython>=0.8` ([#10874](https://github.com/python-poetry/poetry/pull/10874)).
+
+### Fixed
+
+- Fix an issue where `requires-plugins` fails on Windows if scheme paths are on different drives ([#10869](https://github.com/python-poetry/poetry/pull/10869)).
+- Fix an issue where the order of markers in the lock file was not deterministic ([#10720](https://github.com/python-poetry/poetry/pull/10720)).
+- Fix an issue where the wrong command was suggested when `poetry self` commands failed due to an outdated lock file ([#10715](https://github.com/python-poetry/poetry/pull/10715)).
+- Fix an issue where `poetry env activate` did not work for bash on Windows ([#10716](https://github.com/python-poetry/poetry/pull/10716)).
+- Fix an issue where `poetry debug resolve` failed when there was a package with a marker ([#10807](https://github.com/python-poetry/poetry/pull/10807)).
+- Fix an issue where the error message about a build backend failure contained garbled `--config-settings` ([#10804](https://github.com/python-poetry/poetry/pull/10804)).
+- Fix an issue where a false warning about a circular dependency was printed ([#10811](https://github.com/python-poetry/poetry/pull/10811)).
+- Fix an issue where falsy config values were incorrectly treated as not set ([#10808](https://github.com/python-poetry/poetry/pull/10808)).
+- Fix an issue where `poetry publish --build` ignored failing builds and uploaded stale artifacts ([#10802](https://github.com/python-poetry/poetry/pull/10802)).
+- Fix an issue where `poetry publish` was aborted instead of retrying after package registration ([#10801](https://github.com/python-poetry/poetry/pull/10801)).
+- Fix an issue where zip files were not closed after fetching metadata via `lazy-wheel` ([#10800](https://github.com/python-poetry/poetry/pull/10800)).
+- Fix an issue where data fetched via `lazy-wheel` was corrupted when part of it had already been cached ([#10806](https://github.com/python-poetry/poetry/pull/10806)).
+- Fix an issue where further packages were installed even though installation should be aborted ([#10742](https://github.com/python-poetry/poetry/pull/10742)).
+- Fix an issue where installed packages without a `METADATA` file caused an exception on Python 3.15+ ([#10860](https://github.com/python-poetry/poetry/pull/10860)).
+- Fix an issue where `http-basic` could not be set for repository names with periods ([#10845](https://github.com/python-poetry/poetry/pull/10845)).
+- Fix an issue where calculating the hash of large wheels failed with a memory error ([#10814](https://github.com/python-poetry/poetry/pull/10814)).
+
+### Docs
+
+- Clarify the precedence of configuration sources ([#10757](https://github.com/python-poetry/poetry/pull/10757)).
+- Add a note about the influence of `.gitignore` on `tool.poetry.packages` ([#10835](https://github.com/python-poetry/poetry/pull/10835)).
+
+### poetry-core ([`2.4.0`](https://github.com/python-poetry/poetry-core/releases/tag/2.4.0))
+
+- Update vendored `packaging` to `26.2` ([#936](https://github.com/python-poetry/poetry-core/pull/936)).
+
+
 ## [2.3.4] - 2026-04-12
 
 ### Fixed
@@ -2701,7 +2745,8 @@ Initial release
 
 
 
-[Unreleased]: https://github.com/python-poetry/poetry/compare/2.3.4...main
+[Unreleased]: https://github.com/python-poetry/poetry/compare/2.4.0...main
+[2.4.0]: https://github.com/python-poetry/poetry/releases/tag/2.4.0
 [2.3.4]: https://github.com/python-poetry/poetry/releases/tag/2.3.4
 [2.3.3]: https://github.com/python-poetry/poetry/releases/tag/2.3.3
 [2.3.2]: https://github.com/python-poetry/poetry/releases/tag/2.3.2

docs/configuration.md

@@ -409,6 +409,73 @@ Especially with slow network connections, this setting can speed up dependency r
 If the cache has already been filled or the server does not support HTTP range requests,
 this setting makes no difference.
 
+### `solver.min-release-age`
+
+**Type**: `int`
+
+**Default**: `0`
+
+**Environment Variable**: `POETRY_SOLVER_MIN_RELEASE_AGE`
+
+*Introduced in 2.4.0*
+
+Minimum age of a package release in **days** before it is considered during dependency resolution.
+When set, any package version where at least one distribution file was uploaded more recently
+than the specified number of days ago will be ignored by the solver.
+
+For example, with a value of `7`, a version is only considered
+if all known distribution files are at least seven days old.
+If the option is not set or set to `0`, all versions are considered.
+
+This option is useful to protect against supply chain attacks where a new release
+of a dependency is published with malicious code.
+This is often detected within hours or days and the compromised release is removed.
+
+{{% note %}}
+This filter can only be enforced for package sources that expose file upload timestamps.
+If a source does not provide upload times for a release,
+that release is not filtered out by this setting.
+{{% /note %}}
+
+### `solver.min-release-age-exclude`
+
+**Type**: `string`
+
+**Default**: *not set*
+
+**Environment Variable**: `POETRY_SOLVER_MIN_RELEASE_AGE_EXCLUDE`
+
+*Introduced in 2.4.0*
+
+A comma-separated list of package names that should be excluded from the
+[`solver.min-release-age`](#solvermin-release-age) filter.
+Versions of these packages will always be considered by the solver,
+regardless of their upload age.
+
+```bash
+poetry config solver.min-release-age-exclude "my-package,other-package"
+```
+
+### `solver.min-release-age-exclude-source`
+
+**Type**: `string`
+
+**Default**: *not set*
+
+**Environment Variable**: `POETRY_SOLVER_MIN_RELEASE_AGE_EXCLUDE_SOURCE`
+
+*Introduced in 2.4.0*
+
+A comma-separated list of source names or URLs that should be excluded from the
+[`solver.min-release-age`](#solvermin-release-age) filter.
+All packages from these sources will always be considered by the solver,
+regardless of their upload age.
+Sources can be referenced by the name defined in `pyproject.toml` or by URL.
+
+```bash
+poetry config solver.min-release-age-exclude-source "private-repo,https://example.com/simple/"
+```
+
 ### `system-git-client`
 
 **Type**: `boolean`