
Interactive dependency prompt accepts invalid version strings

Open nk9 opened this issue 2 years ago • 1 comment

  • Poetry version: 1.2.2
  • Python version: 3.10.10
  • OS version and name: macOS Sonoma 14.1.2
  • pyproject.toml: https://gist.github.com/nk9/4fa6fe37487d50308deacd425c8ade16
  • [x] I am on the latest stable Poetry version, installed using a recommended method.
  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [x] I have consulted the FAQ and blog for any relevant entries or release notes.
  • [ ] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

When using the interactive package adding flow, it's possible to enter a version which isn't semver compatible. For example, I missed that I was being asked for a version, and instead typed the name of the next package I wanted to add:

Add a package (leave blank to skip): flake8
Found 20 packages matching flake8
Showing the first 10 matches

Enter package # to add, or the complete package name if it is not listed []:
 [ 0] flake8
 [ 1] flake9
 [ 2] flake518
 [ 3] flake99
 [ 4] flake64
 [ 5] flake82
 [ 6] flake8-2020
 [ 7] flake8-zale
 [ 8] flake8-return
 [ 9] flake2lint
 [10]
 > 0
Enter the version constraint to require (or leave blank to use the latest version): isort

Poetry dutifully put "isort" as the version for the flake8 package, which of course doesn't exist. So when I tried to remove the dependency, it wouldn't let me:

$ poetry remove --group dev flake8
Could not parse version constraint: isort

Proposed solution

I believe it's theoretically possible for packages to use non-semver strings for their versions, but in practice I believe that is vanishingly rare. So while it may not be possible to require a semver string for the interactive flow, it seems like Poetry should be skeptical of a non-semver string and ask for confirmation that the user really wants to do that. Anyway, when using the interactive flow, I wouldn't expect Poetry to let me create a file which it can't then parse correctly.

nk9 avatar Dec 15 '23 13:12 nk9

from poetry.core.constraints.version import parse_constraint and do the validation round about here

please make a merge request

dimbleby avatar Dec 15 '23 14:12 dimbleby
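The check dimbleby suggests, wired into the prompt from the issue: an added example, not Poetry's own code. It calls poetry-core's `parse_constraint` when that package is importable; `constraint_error`, `prompt_constraint` and the stand-in grammar used when poetry-core is absent are this example's own assumptions.

```python
import re
from typing import Callable, Optional

try:
    # The check dimbleby points at: poetry-core's own constraint parser.
    from poetry.core.constraints.version import parse_constraint
except ImportError:
    # Stand-in used only when poetry-core is not installed (an assumption made
    # for this demo, not Poetry's real grammar): "*" or a "||"/","-separated
    # list of <op>version terms with op in ^ ~ ~= = == != < <= > >=.
    _TERM = re.compile(r"^(\^|~=?|==?|!=|<=?|>=?)?\d+(\.\d+)*(\.\*)?$")

    def parse_constraint(text: str) -> str:
        for clause in text.split("||"):
            for term in clause.split(","):
                term = term.strip()
                if term != "*" and not _TERM.match(term):
                    raise ValueError(f"Could not parse version constraint: {text}")
        return text


def constraint_error(text: str) -> Optional[str]:
    """Return None when `text` parses as a constraint, else the parser's message.
    Blank means "use the latest version" and is accepted without parsing."""
    if text.strip() == "":
        return None
    try:
        parse_constraint(text)
    except ValueError as exc:  # poetry-core's ParseConstraintError subclasses ValueError
        return str(exc)
    return None


PROMPT = "Enter the version constraint to require (or leave blank to use the latest version): "


def prompt_constraint(ask: Callable[[str], str], max_attempts: int = 3) -> Optional[str]:
    """Re-prompt until the answer is a parsable constraint or blank.
    `ask` is injected (e.g. `input`) so the loop can run without a terminal."""
    question = PROMPT
    for _ in range(max_attempts):
        answer = ask(question).strip()
        problem = constraint_error(answer)
        if problem is None:
            return answer or None  # None: caller resolves the latest release
        # Reject the entry instead of writing it to pyproject.toml.
        question = f"Not a valid version constraint ({problem}). {PROMPT}"
    raise ValueError("no valid version constraint entered")


if __name__ == "__main__":
    print("chosen constraint:", prompt_constraint(input))
```

With this in place, typing `isort` at the version prompt is refused and the question is asked again, so the unparsable entry never reaches pyproject.toml.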