poetry-plugin-export

Poetry export regression missing extras with 1.9.0

Open matejsp opened this issue 8 months ago • 4 comments

When upgrading to 1.9.0 from 1.8.0 I noticed that export no longer exports extras correctly:

pyproject.toml

PyJWT = {extras = ["crypto"], version = "==2.9.0"}

Old export plugin 1.8.0:

pyjwt[crypto]==2.9.0 ; python_full_version >= "3.11.2" and python_version < "4" \
... hashes...

New export plugin 1.9.0

pyjwt==2.9.0 ; python_full_version >= "3.11.2" and python_version < "4" \
... hashes ...

The same goes for pytest-cov:

pyproject.toml

pytest-cov = "==5.0.0"
coverage = "==7.6.1"

poetry.lock

[[package]]
name = "pytest-cov"
version = "5.0.0"
description = "Pytest plugin for measuring coverage."
optional = false
python-versions = ">=3.8"
groups = ["dev"]
files = [
    {file = "pytest-cov-5.0.0.tar.gz", hash = "sha256:5837b58e9f6ebd335b0f8060eecce69b662415b16dc503883a02f45dfeb14857"},
    {file = "pytest_cov-5.0.0-py3-none-any.whl", hash = "sha256:bfb4269422ffaffc468f80306e00b31865025c96fd6c87d278515f11ff675750"},
]

[package.dependencies]
coverage = {version = ">=5.2.1", extras = ["toml"]}
pytest = ">=4.6"

Old export plugin 1.8.0

coverage==7.6.1 ; python_full_version >= "3.11.2" and python_version < "4" \
... hashes ...
coverage[toml]==7.6.1  ; python_full_version >= "3.11.2" and python_version < "4" \
... hashes ...
pytest-cov==5.0.0 ; python_full_version >= "3.11.2" and python_version < "4" \
... hashes ...

New export plugin 1.9.0

coverage==7.6.1 ; python_full_version >= "3.11.2" and python_version < "4" \
... hashes ...
pytest-cov==5.0.0 ; python_full_version >= "3.11.2" and python_version < "4" \
... hashes ...

Now this one is interesting because pip install with --require-hashes cannot install deps if not duplicated (long-known unresolved bug): https://github.com/pypa/pip/issues/9644 https://github.com/pypa/pip/issues/12345

Mar 11 '25 12:03 matejsp

I'm seeing similar behavior.

Mar 13 '25 18:03 johnnagro

Missing extras should be irrelevant. See https://github.com/python-poetry/poetry-plugin-export/issues/326#issuecomment-2674997641.

We should probably add a note in the readme that exported requirements.txt files should always be installed with --no-deps.

Mar 16 '25 16:03 radoering

> We should probably add a note in the readme that exported requirements.txt files should always be installed with --no-deps.

#331

Mar 16 '25 16:03 radoering

--no-deps sounds like an OK workaround for this issue. Documenting it would be better (even in release notes because I didn't expect the change).

Docs PR seems fine, but adding more switches as best practice would be even better, something in line with https://www.b-list.org/weblog/2023/dec/07/pip-install-safely/

python -m pip install \
    --require-hashes \
    --no-deps \
    --only-binary :all: \
    -r requirements/app.txt

Mar 16 '25 20:03 matejsp

Docs updated in #331.

Aug 14 '25 13:08 radoering
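
One way to check, before switching plugin versions, that two exports differ only in extras and not in pinned versions or hashes (extras only select additional dependencies, so under --no-deps they do not change what gets installed). This is an added example, not code from poetry-plugin-export or from anyone in this thread; `parse_export` and `compare_exports` are hypothetical names, and the sample exports are constructed from the lines quoted in the issue with shortened markers and placeholder digests.

```python
import re

# Constructed samples modelled on the exports quoted in the issue; markers are
# shortened and the sha256 values are placeholders, not real digests.
OLD_EXPORT = r'''coverage==7.6.1 ; python_version < "4" \
    --hash=sha256:aa11
coverage[toml]==7.6.1 ; python_version < "4" \
    --hash=sha256:aa11
pyjwt[crypto]==2.9.0 ; python_version < "4" \
    --hash=sha256:bb22
pytest-cov==5.0.0 ; python_version < "4" \
    --hash=sha256:cc33
'''
NEW_EXPORT = r'''coverage==7.6.1 ; python_version < "4" \
    --hash=sha256:aa11
pyjwt==2.9.0 ; python_version < "4" \
    --hash=sha256:bb22
pytest-cov==5.0.0 ; python_version < "4" \
    --hash=sha256:cc33
'''
PIN = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[([^\]]*)\])?==([^\s;\\]+)")

def parse_export(text):
    """Map (normalized name, version) -> {"extras": set, "hashes": set}."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith(("#", "-")):  # comments, global options
            continue
        m = PIN.match(line)
        if m is None:
            raise ValueError(f"not an exact pin: {line!r}")
        name = re.sub(r"[-_.]+", "-", m[1]).lower()  # PEP 503 normalization
        pin = pins.setdefault((name, m[3]), {"extras": set(), "hashes": set()})
        pin["extras"].update(e.strip() for e in (m[2] or "").split(",") if e.strip())
        pin["hashes"].update(re.findall(r"--hash=(\S+)", line))
    return pins

def compare_exports(old, new):
    """Separate real pin/hash changes from entries that differ only in extras."""
    a, b = parse_export(old), parse_export(new)
    changed = sorted(k for k in a.keys() | b.keys()
                     if k not in a or k not in b or a[k]["hashes"] != b[k]["hashes"])
    extras_only = sorted(k for k in a.keys() & b.keys()
                         if k not in changed and a[k]["extras"] != b[k]["extras"])
    unhashed = sorted(k for k, v in b.items() if not v["hashes"])
    return {"changed": changed, "extras_only": extras_only, "unhashed": unhashed}

if __name__ == "__main__":
    print(compare_exports(OLD_EXPORT, NEW_EXPORT))
```

An empty `changed` and `unhashed` with a non-empty `extras_only` means the new export pins the same artifacts as the old one; anything in `changed` deserves review before the file is used with --require-hashes.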