Use of poetry install/update --dry-run as part of a workflow

[da1910]

As part of some of our workflows we need to verify that exact versions of approved packages are being bundled into binary objects, for licensing and security reasons.

Poetry lock files go a long way to making this easy, and certainly do a much better job than old-style requirements.txt files, however the nature of python's installation process means we will still need to run the equivalent of poetry install --dry-run in order to determine the exact packages that are used (with platform and python version specifics).

At the moment I'm using some of the innards of poetry to achieve this, using the solver directly and then handling the operations myself.

Is there utility in adding either a command line option to output the --dry-run results in a machine-readable format (maybe json?), or potentially to provide a library method to achieve the same thing?

[radoering]

Doesn't poetry show do what you want?

[da1910]

Currently I can get by with using subprocess to call poetry show and then parsing each line in the returned data. Having a json representation thereof would be an improvement for me.

[omriman12]

@radoering is poetry show machine readable?

btw poetry show requires a lock file. (Error: poetry.lock not found. Run poetry lock to create it.)

[radoering]

It's not designed to be machine readable but apparently it can be parsed.

btw poetry show requires a lock file. (Error: poetry.lock not found. Run poetry lock to create it.)

Yes, and the error message tells you how to create one.

[da1910]

This still feels like it's a hack, the output of poetry show has no API guarantees, so it's at the whim of someone deciding "We should add colors to this" or "Lets move the (!) to the start of the line."

The ask remains can we have a proper API for this which has compatibility guarantees?

[radoering]

It's definitely not one of my priorities but maybe another maintainer will be more intrigued. Feel free to create a feature request.