Simple script that takes a pyproject.toml and a poetry.lock and generates a new Poetry project whose dependencies are all the exact versions from the lock file.
The resulting "-lock" package carries the pins in ordinary package metadata, so in theory you can transport your lock file to any system that can install Python packages, whether or not Poetry is installed there.
After installation, run the poetry-lock-package command next to your pyproject.toml and poetry.lock files. It generates a subdirectory containing a pyproject.toml that requires every dependency listed in the lock file at its locked version.
Enter the subdirectory, build and publish the package, and you have a "-lock" package that depends on the exact versions from your lock file.
The example workflow below adds poetry-lock-package as a dev dependency, so that poetry run can find the command.
First create a new poetry project
poetry new example-package
cd example-package
Add some dependencies, then build and see what has been produced so far
poetry add loguru click
poetry install
poetry build
ls dist
Add poetry-lock-package so that poetry run can find its entry point script:
poetry add --dev poetry-lock-package
Finally, build the lock package and inspect the result
poetry run poetry-lock-package --build
ls -al dist
You will now have two wheel files in your dist folder: one with the project code, and one named example-package-lock that depends on the exact version of every package specified in your poetry.lock file.
--no-root
By default the lock package depends on the original package the lock was created for. If you have a private repository, you can publish both packages there and point at the single "-lock" package to install everything, application and pinned dependencies alike.
If you want to install the dependencies but not the package itself, pass the --no-root command line argument to stop poetry-lock-package from adding your root project to the lock package's dependencies.
--ignore
If you want to give pip freedom in selecting a particular package, or you expect to deploy into an environment that already has the right version installed, use --ignore to remove that dependency from the lock package's pinned dependencies.
Because poetry-lock-package is aware of the dependency graph, it skips not only the ignored dependency but also its transitive dependencies. Keep in mind that every ignored package is one that pip resolves on its own at install time, so each use of --ignore gives up part of the reproducibility the lock package was built to provide.
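To make the workflow above and the --ignore behaviour concrete, here is a small added example that is not poetry-lock-package's own code: a stand-in that reads the [[package]] tables of a poetry.lock, walks the dependency graph from the root project's direct dependencies, and renders a pyproject.toml with exact pins. The poetry.lock excerpt is constructed for the example project (click and loguru, hashes omitted), the list of direct dependencies is passed in by hand where the real tool reads [tool.poetry.dependencies], and environment markers in the lock file are deliberately dropped. The root and ignore parameters are this example's names for what the --no-root and --ignore flags do; a transitive dependency that is also pulled in by a kept package (colorama via click below) survives an --ignore of loguru, which is what "aware of the dependency graph" has to mean in practice.

```python
"""Generate a pinned '-lock' pyproject.toml from a poetry.lock.

Added example, not poetry-lock-package's own code. It mimics the tool's idea:
parse poetry.lock, walk the dependency graph from the root project's direct
dependencies, emit exact pins. `root` stands in for the default behaviour
(--no-root = root=None) and `ignore` for --ignore. Environment markers in the
lock file are ignored here; a real lock package would need to carry them.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed poetry.lock excerpt for the example project (hashes omitted).
SAMPLE_LOCK = r"""
[[package]]
name = "click"
version = "8.1.3"

[package.dependencies]
colorama = {version = "*", markers = "platform_system == \"Windows\""}

[[package]]
name = "colorama"
version = "0.4.6"

[[package]]
name = "loguru"
version = "0.6.0"

[package.dependencies]
colorama = {version = ">=0.3.4", markers = "sys_platform == \"win32\""}
win32-setctime = {version = ">=1.0.0", markers = "sys_platform == \"win32\""}

[[package]]
name = "win32-setctime"
version = "1.1.0"
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Win32_SetCTime' and 'win32-setctime' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map normalised package name -> (locked version, names of its dependencies)."""
    packages: Dict[str, Tuple[str, List[str]]] = {}
    for chunk in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', chunk, re.M).group(1)
        version = re.search(r'^version\s*=\s*"([^"]+)"', chunk, re.M).group(1)
        deps: List[str] = []
        in_deps = False
        for line in chunk.splitlines():
            stripped = line.strip()
            if stripped.startswith("["):  # any table header ends the deps table
                in_deps = stripped == "[package.dependencies]"
            elif in_deps and stripped and not stripped.startswith("#"):
                # key on the left of '=' is the dependency name (maybe quoted)
                deps.append(normalize(stripped.split("=", 1)[0].strip().strip('"')))
        packages[normalize(name)] = (version, deps)
    return packages


def pinned_requirements(
    lock_text: str,
    direct_deps: Sequence[str],
    root: Optional[Tuple[str, str]] = None,
    ignore: Sequence[str] = (),
) -> List[str]:
    """Return sorted 'name==version' pins for everything reachable from direct_deps.

    Names in `ignore` are not pinned, and neither is anything reachable only
    through them; a package also reached via a kept dependency stays pinned.
    """
    packages = parse_lock(lock_text)
    ignored = {normalize(n) for n in ignore}
    keep = set()
    stack = [normalize(d) for d in direct_deps]
    while stack:
        name = stack.pop()
        if name in keep or name in ignored:
            continue
        if name not in packages:
            raise KeyError(f"{name} is required but missing from poetry.lock")
        keep.add(name)
        stack.extend(packages[name][1])
    pins = [f"{name}=={packages[name][0]}" for name in sorted(keep)]
    if root is not None:  # default behaviour; root=None is --no-root
        pins.append(f"{normalize(root[0])}=={root[1]}")
    return pins


def render_pyproject(lock_name: str, version: str, pins: Sequence[str]) -> str:
    """Render the lock package's pyproject.toml; a bare version is an exact pin in Poetry."""
    lines = ["[tool.poetry]", f'name = "{lock_name}"', f'version = "{version}"',
             'description = "Pinned dependencies"', "",
             "[tool.poetry.dependencies]", 'python = "^3.8"']
    for pin in pins:
        name, ver = pin.split("==")
        lines.append(f'{name} = "{ver}"')
    lines += ["", "[build-system]", 'requires = ["poetry-core"]',
              'build-backend = "poetry.core.masonry.api"']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pins = pinned_requirements(SAMPLE_LOCK, ["loguru", "click"],
                               root=("example-package", "0.1.0"))
    print(render_pyproject("example-package-lock", "0.1.0", pins))
```

Running the script prints the pyproject.toml of an example-package-lock that pins click, colorama, loguru and win32-setctime and depends on example-package itself; calling pinned_requirements with ignore=["loguru"] drops loguru and win32-setctime but keeps colorama, because click still needs it.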
Contributing
Open an issue
Create an associated PR
Make sure to black format the proposed change; run poetry run pre-commit install once so the formatting hook does this for you
Add tests where possible
GPLv3, use at your own risk.
FAQs
Poetry lock package generator
We found that poetry-lock-package demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.