75

After adding a [tool.poetry.extras] section to pyproject.toml, Poetry displays the following warning, for example on install:

Warning: The lock file is not up to date with the latest changes in pyproject.toml. You may be getting outdated dependencies. Run update to update them.

That's fine, but if I run poetry update it upgrades my dependencies, which is not what I want at this time. If I run poetry lock instead, it still upgrades dependencies.

Sorry for not providing a reproducible example, it's quite tricky to generate a poetry.lock file with outdated dependencies. My existing one is too large for posting here.

Update: Opened sdispater/poetry#1614 for this issue

Claudio

3 Answers

136

There is a specific option for the lock command:

poetry lock --no-update

This makes it possible to remove a dependency from pyproject.toml and update the lock file without upgrading dependencies.

Note that this is only available since 1.1.2 (or earlier?) and that the behavior will be changed in v2.0.

slhck

13

There does not currently (as of version 1.0.0b6) seem to be any Poetry command which updates the lock file without also upgrading dependencies.

However, if your project has some up-to-date dependency foo, you can work around this limitation by invoking the following command:

poetry update foo

This will leave foo at the current version (because it is already at the latest version), and also won't touch any other dependencies. But it will synchronize the lock file with any changes to pyproject.toml.

In my own case, this command added the [extras] section to the lock file and updated the metadata content hash, without touching anything else. The lock file was now up-to-date and the warning disappeared.

Update:

A better workaround is to add and remove a package outside of the dependency tree, such as insecure-package:

poetry add insecure-package && poetry remove insecure-package

One reason why this is better is that with poetry update you need to pass exactly the same options that you originally used. More details on the GitHub issue mentioned in the question.

Claudio

0

I'm not sure why poetry lock is updating. The documentation does not mention that it updates the dependencies. This worked for me to remove the warning in my log outputs.

Chad Van De Hey

  • Your answer is now outdated, there is a `--no-update` option. – slhck Nov 05 '20 at 15:36
  • Here is the latest docs, "By default, this will lock all dependencies to the latest available compatible versions. To only refresh the lock file, use the --no-update option. This command is also available as a pre-commit hook. See pre-commit hooks for more information." – sinwoobang Mar 09 '23 at 07:36
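
To confirm that a refresh such as `poetry lock --no-update` really left every pinned version alone, the lock file from before and after can be compared. The following is an added example, not code from any of the answers or from Poetry itself; the function names and sample lock contents are hypothetical, and it assumes the usual poetry.lock layout (`[[package]]` tables with `name` and `version`, and a `[metadata]` table with `content-hash`).

```python
# Added example: diff two poetry.lock snapshots to confirm that a lock refresh
# changed no pinned versions. The lock contents below are constructed samples.
import re

BEFORE = '''[[package]]
name = "requests"
version = "2.22.0"
[package.dependencies]
urllib3 = ">=1.21.1"
[[package]]
name = "urllib3"
version = "1.25.6"
[metadata]
content-hash = "constructed-hash-1"
'''
# A pure refresh changes only metadata/extras; an upgrade also moves a pin.
AFTER_REFRESH = BEFORE.replace("hash-1", "hash-2") + '[extras]\nhttp = ["requests"]\n'
AFTER_UPDATE = AFTER_REFRESH.replace('"2.22.0"', '"2.31.0"')

_KV = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*$')

def parse_lock(text):
    """Return ({package: version}, content_hash) from poetry.lock text."""
    pins, content_hash, section, current = {}, None, None, {}
    for line in text.splitlines() + ["[[package]]"]:  # sentinel flushes last entry
        line = line.strip()
        if line.startswith("["):
            if line == "[[package]]":
                if current.keys() >= {"name", "version"}:
                    pins[current["name"].lower()] = current["version"]
                current = {}
            section = line  # keys in sub-tables like [package.dependencies] are skipped
            continue
        m = _KV.match(line)
        if m and section == "[[package]]" and m.group(1) in ("name", "version"):
            current[m.group(1)] = m.group(2)
        elif m and section == "[metadata]" and m.group(1) == "content-hash":
            content_hash = m.group(2)
    return pins, content_hash

def lock_drift(before, after):
    """List (name, old, new) for every pin that was added, removed or changed."""
    old, new = parse_lock(before)[0], parse_lock(after)[0]
    return sorted((n, old.get(n), new.get(n))
                  for n in old.keys() | new.keys() if old.get(n) != new.get(n))

if __name__ == "__main__":
    for label, after in (("refresh", AFTER_REFRESH), ("update", AFTER_UPDATE)):
        print(label, lock_drift(BEFORE, after) or "no pinned versions changed")
```

In practice, pass the text of the committed poetry.lock as `before` and the regenerated file as `after`; an empty result means only metadata such as the content hash and extras changed.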