fix(deps): update dependencies (minor)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
poetry (changelog)	2.1.4 → 2.3.4				minor
public.ecr.aws/lambda/python	3.13 → 3.14			final	minor
python	~3.13.0 → ~3.14.0			dependencies	minor
python	3.13 → 3.14.4				minor

---

Release Notes

python-poetry/poetry (poetry)

v2.3.4

Compare Source

Fixed

• Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#​10821).
• Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#​10837).

v2.3.3

Compare Source

Fixed

• Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#​10792).
• Fix an issue where git dependencies from annotated tags could not be updated (#​10719).
• Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#​10784).
• Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#​10777).
• Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#​10748).
• Fix an issue where poetry publish --no-interaction --build requested user interaction (#​10769).
• Fix an issue where poetry init and poetry new created a deprecated project.license format (#​10787).

Docs

• Clarify the differences between poetry install and poetry update (#​10713).
• Clarify the section of fields in the pyproject.toml examples (#​10753).
• Add a note about the different installation location when Python from the Microsoft Store is used (#​10759).
• Fix the system requirements for Poetry (#​10739).
• Fix the poetry cache clear example (#​10749).
• Fix the link to pipx installation instructions (#​10783).

poetry-core (2.3.2)

• Fix an issue where platform_release could not be parsed on Debian Trixie (#​930).
• Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#​914).
• Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#​919).
• Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#​922).
• Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#​924).
• Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#​925).
• Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#​921).
• Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#​920).
• Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#​929).
• Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#​927).

v2.3.2

Compare Source

Changed

• Allow dulwich>=1.0 (#​10701).

poetry-core (2.3.1)

• Fix an issue where platform_release could not be parsed on Windows Server (#​911).

v2.3.1

Compare Source

Fixed

• Fix an issue where cached information about each package was always considered outdated (#​10699).

Docs

• Document SHELL_VERBOSITY environment variable (#​10678).

v2.3.0

Compare Source

Added

• Add support for exporting pylock.toml files with poetry-plugin-export (#​10677).
• Add support for specifying build constraints for dependencies (#​10388).
• Add support for publishing artifacts whose version is determined dynamically by the build-backend (#​10644).
• Add support for editable project plugins (#​10661).
• Check requires-poetry before any other validation (#​10593).
• Validate the content of project.readme when running poetry check (#​10604).
• Add the option to clear all caches by making the cache name in poetry cache clear optional (#​10627).
• Automatically update the cache for packages where the locked files differ from cached files (#​10657).
• Suggest to clear the cache if running a command with --no-cache solves an issue (#​10585).
• Propose poetry init when trying poetry new for an existing directory (#​10563).
• Add support for poetry publish --skip-existing for new Nexus OSS versions (#​10603).
• Show Poetry's own Python's path in poetry debug info (#​10588).

Changed

• Drop support for Python 3.9 (#​10634).
• Change the default of installer.re-resolve from true to false (#​10622).
• PEP 735 dependency groups are considered in the lock file hash (#​10621).
• Deprecate poetry.utils._compat.metadata, which is sometimes used in plugins, in favor of importlib.metadata (#​10634).
• Improve managing free-threaded Python versions with poetry python (#​10606).
• Prefer JSON API to HTML API in legacy repositories (#​10672).
• When running poetry init, only add the readme field in the pyproject.toml if the readme file exists (#​10679).
• Raise an error if no hash can be determined for any distribution link of a package (#​10673).
• Require dulwich>=0.25.0 (#​10674).

Fixed

• Fix an issue where poetry remove did not work for PEP 735 dependency groups with include-group items (#​10587).
• Fix an issue where poetry remove caused dangling include-group references in PEP 735 dependency groups (#​10590).
• Fix an issue where poetry add did not work for PEP 735 dependency groups with include-group items (#​10636).
• Fix an issue where PEP 735 dependency groups were not considered in the lock file hash (#​10621).
• Fix an issue where wrong markers were locked for a dependency that was required by several groups with different markers (#​10613).
• Fix an issue where non-deterministic markers were created in a method used by poetry-plugin-export (#​10667).
• Fix an issue where wrong wheels were chosen for installation in free-threaded Python environments if Poetry itself was not installed with free-threaded Python (#​10614).
• Fix an issue where poetry publish used the metadata of the project instead of the metadata of the build artifact (#​10624).
• Fix an issue where poetry env use just used another Python version instead of failing when the requested version was not supported by the project (#​10685).
• Fix an issue where poetry env activate returned the wrong command for dash (#​10696).
• Fix an issue where data-dir and python.installation-dir could not be set (#​10595).
• Fix an issue where Python and pip executables were not correctly detected on Windows (#​10645).
• Fix an issue where invalid template variables in virtualenvs.prompt caused an incomprehensible error message (#​10648).

Docs

• Add a warning about ~/.netrc for Poetry credential configuration (#​10630).
• Clarify that the local configuration takes precedence over the global configuration (#​10676).
• Add an explanation in which cases packages are automatically detected (#​10680).

poetry-core (2.3.0)

• Normalize versions (#​893).
• Fix an issue where unsatisfiable requirements did not raise an error (#​891).
• Fix an issue where the implicit main group did not exist if it was explicitly declared as not having any dependencies (#​892).
• Fix an issue where python_full_version markers with pre-release versions were parsed incorrectly (#​893).

v2.2.1

Compare Source

Fixed

• Fix an issue where poetry self show failed with a message about an invalid output format (#​10560).

Docs

• Remove outdated statements about dependency groups (#​10561).

poetry-core (2.2.1)

• Fix an issue where it was not possible to declare a PEP 735 dependency group as optional (#​888).

v2.2.0

Compare Source

Added

• Add support for nesting dependency groups (#​10166).
• Add support for PEP 735 dependency groups (#​10130).
• Add support for PEP 639 license clarity (#​10413).
• Add a --format option to poetry show to alternatively output json format (#​10487).
• Add official support for Python 3.14 (#​10514).

Changed

• Normalize dependency group names (#​10387).
• Change installer.no-binary and installer.only-binary so that explicit package names will take precedence over :all: (#​10278).
• Improve log output during poetry install when a wheel is built from source (#​10404).
• Improve error message in case a file lock could not be acquired while cloning a git repository (#​10535).
• Require dulwich>=0.24.0 (#​10492).
• Allow virtualenv>=20.33 again (#​10506).
• Allow findpython>=0.7 (#​10510).
• Allow importlib-metadata>=8.7 (#​10511).

Fixed

• Fix an issue where poetry new did not create the project structure in an existing empty directory (#​10431).
• Fix an issue where a dependency that was required for a specific Python version was not installed into an environment of a pre-release Python version (#​10516).

poetry-core (2.2.0)

• Deprecate table values and values that are not valid SPDX expressions for [project.license] (#​870).
• Fix an issue where explicitly included files that are in .gitignore were not included in the distribution (#​874).
• Fix an issue where marker operations could result in invalid markers (#​875).

containerbase/python-prebuild (python)

v3.14.4

Compare Source

Bug Fixes

• deps: update dependency python to v3.14.4

v3.14.3

Compare Source

Bug Fixes

• deps: update dependency python to v3.14.3

v3.14.2

Compare Source

Bug Fixes

• deps: update dependency python to v3.14.2

v3.14.1

Compare Source

Bug Fixes

• deps: update dependency python to v3.14.1

v3.14.0

Compare Source

Bug Fixes

• deps: update dependency python to v3.14.0

python/cpython (python)

v3.14.4

Compare Source

v3.14.3

Compare Source

v3.14.2

Compare Source

v3.14.1

Compare Source

v3.14.0

Compare Source

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • "every weekday,after 9am and before 5pm"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

The Poetry configuration is invalid:
  - Additional properties are not allowed ('package-mode' was unexpected)