python-poetry / poetry

Python packaging and dependency management made easy
https://python-poetry.org
MIT License

Poetry updates git dependency while it's not specified in the list to update #457

Closed nariman closed 4 years ago

nariman commented 5 years ago

Issue

Hi.

I use Dependabot for dependency updates in my project and recently it pushed a PR with a diff where a git dependency was updated to the latest commit along with the updated package this PR was created for. After a quick check, I found out that it's a problem in Poetry. In theory, Poetry updates git deps with a branch pin every time on update requests. But should it update a git dependency if the packages to update are explicitly specified?

Steps to reproduce:

The git dependency will be updated as well. You can use the PR mentioned before to test on it, if needed. This PR is based on a commit where multiple packages need to be updated as of today.

nariman commented 5 years ago

Oh, I just tried to reproduce this bug with a clear install of dependencies first (I tested the issue in a container where the git dependency had already been installed, that's why I reproduced it before) and it looks like I encountered another bug. Poetry just ignores the revision for the git dependency from the lock file and always installs the latest commit. 🤔 Not an expected behavior.

nariman commented 5 years ago

@sdispater Additional info is here that may help, I hope.

After some digging into the resolution process, I found out the following.

  1. Folder packages (probably file packages too) will always be updated if the version has been bumped, because at the package version selection step we can't get metadata about the package from the past, which results in the Provider giving us a new version. Maybe it's okay, because there's no way to read files from the past, but I think Poetry should check the installed packages list, if it's possible to get info from it, and do nothing if the package is installed. The problem here is to not update a package that was not requested to be updated. This is just a spontaneous find, since I used a folder package as a regular one to reproduce the source issue. https://github.com/sdispater/poetry/blob/611c38b5a60561408fa1c3c3f4b4875a4c610350/poetry/mixology/version_solver.py#L351-L366
  2. The same behavior applies to git deps.
  3. File, folder or git deps will not be updated if the version hasn't been bumped, even if requested. There's already another issue created (#467).

And, referencing the comment I wrote 3 weeks ago, I'm pretty sure it's OK to install a newer version (ignoring the lockfile) for dependencies like folder, file, or git on the poetry install command. It's just a little strange for git, because Poetry saves a reference to a commit.
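
A check for the behavior discussed in this thread, as an added example that is not part of the original issue or of Poetry's code: it compares a lock file before and after an update and reports every package whose pinned version or source reference moved although it was not in the requested list. The lock excerpts are constructed, the hashes and the example.invalid URL are placeholders, and the `[package.source]` field names (`type`, `url`, `reference`, `resolved_reference`) are assumed to match the lock file being checked.

```python
"""Added example: flag lock-file entries that changed without being requested."""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters need the tomli backport
    import tomli as tomllib

# Constructed lock-file excerpts (not from the issue); hashes are placeholders.
LOCK_BEFORE = '''
[[package]]
name = "requests"
version = "2.19.1"

[[package]]
name = "mylib"
version = "0.1.0"

[package.source]
type = "git"
url = "https://example.invalid/mylib.git"
reference = "1111111111111111111111111111111111111111"
'''
# Simulated result of updating only "requests": the git pin moved as well.
LOCK_AFTER = LOCK_BEFORE.replace("2.19.1", "2.20.0").replace("1" * 40, "2" * 40)


def pins(lock_text):
    """Map package name -> (version, source type, source url, pinned reference)."""
    out = {}
    for pkg in tomllib.loads(lock_text).get("package", []):
        src = pkg.get("source", {})
        # Assumption: newer lock files add resolved_reference; prefer it if present.
        ref = src.get("resolved_reference") or src.get("reference")
        out[pkg["name"].lower()] = (pkg["version"], src.get("type"), src.get("url"), ref)
    return out


def unrequested_changes(before, after, requested):
    """Return {name: (old_pin, new_pin)} for packages that moved but were not requested."""
    old, new = pins(before), pins(after)
    wanted = {name.lower() for name in requested}
    return {name: (old[name], new[name])
            for name in sorted(old.keys() & new.keys())
            if old[name] != new[name] and name not in wanted}


if __name__ == "__main__":
    for name, (was, now) in unrequested_changes(LOCK_BEFORE, LOCK_AFTER, ["requests"]).items():
        print(f"{name}: {was} -> {now}")
```

Transitive dependencies of a requested package can legitimately move, so a hit on a registry package is a prompt to review; a changed git, url, file or directory reference is the case described in this issue.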

sdispater commented 4 years ago

Could you test again with the latest stable release, and also with the latest 1.0.0 prerelease, to see if the issue still occurs? Closing this for now, but feel free to reopen if the issue still occurs.

mozesa commented 4 years ago

Hello,

I am affected by this issue.

Python: 3.8.2, Poetry: 1.0.5, OS: Windows 10

[tool.poetry.dependencies]
python = "^3.8"
trio = "^0.13.0"
trio_typing = "^0.4.0"
confuse = "^1.1.0"
attrs = "^19.3.0"
SQLAlchemy = "^1.3.16"
marshmallow-sqlalchemy = "^0.22.3"
punq = "^0.4.1"
kivy = { url = "https://kivy.org/downloads/ci/win/kivy/Kivy-2.0.0rc1-cp38-cp38-win_amd64.whl" }
"kivy_deps.glew" = "^0.2.0"
"kivy_deps.sdl2" = "^0.2.0"
kivymd = { git = "https://github.com/HeaTTheatR/KivyMD.git", rev = "6c5ca0e269d77062f059ebd0b1e6bd44906c5d38" }
atlas-copco = { url = "http://mes.simple.hu:83/atlas_copco/atlas_copco-0.1.1.tar.gz" }
cognex = {url = "http://mes.simple.hu:83/cognex/cognex-0.1.2.tar.gz"}
yocto = { url = "http://mes.simple.hu:83/yocto/yocto-0.1.1.tar.gz" }
zebra = { url = "http://mes.simple.hu:83/zebra/zebra-0.1.1.tar.gz" }
mysql-connector-python = "^8.0.19"

Now whenever I issue poetry add a_package, it installs a_package and then updates the others.

Here is an example:

(venv) C:\Users\***\PycharmProjects\V316-Production-Line>poetry add mysql-connector-python
Using version ^8.0.19 for mysql-connector-python

Updating dependencies
Resolving dependencies...

Writing lock file

Package operations: 4 installs, 5 updates, 0 removals

  - Installing six (1.14.0)
  - Installing dnspython (1.16.0)
  - Updating Kivy (2.0.0rc1 -> 2.0.0rc1 https://kivy.org/downloads/ci/win/kivy/Kivy-2.0.0rc1-cp38-cp38-win_amd64.whl)
  - Installing protobuf (3.6.1)
  - Updating atlas-copco (0.1.1 -> 0.1.1 http://mes.simple.hu:83/atlas_copco/atlas_copco-0.1.1.tar.gz)
  - Updating cognex (0.1.2 -> 0.1.2 http://mes.simple.hu:83/cognex/cognex-0.1.2.tar.gz)
  - Updating yocto (0.1.1 -> 0.1.1 http://mes.simple.hu:83/yocto/yocto-0.1.1.tar.gz)
  - Updating zebra (0.1.1 -> 0.1.1 http://mes.simple.hu:83/zebra/zebra-0.1.1.tar.gz)
  - Installing mysql-connector-python (8.0.19)

github-actions[bot] commented 3 months ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.