blog: announce Poetry 2.4.0

Author: radoering

content/blog/2026-05-03-announcing-poetry-2-4-0.md

@@ -0,0 +1,69 @@
+---
+layout: single
+title: "Announcing Poetry 2.4.0"
+date: 2026-05-03
+categories: [releases]
+tags: ["2.x", "2.4"]
+---
+
+The Poetry team is pleased to announce the immediate availability of Poetry **2.4.0**.
+
+<!--more-->
+
+If you have a previous version of Poetry installed via `pipx`,
+getting Poetry **2.4.0** is as easy as:
+
+```bash
+$ pipx upgrade poetry
+```
+
+If you used the [official installer](/docs/#installation), you can run:
+
+```bash
+$ poetry self update
+```
+
+## Highlights
+
+### Adding support for dependency cooldowns
+
+Poetry 2.4.0 introduces a new `solver.min-release-age` setting that lets you require
+package releases to be a certain number of days old before they are considered during
+dependency resolution.
+
+This can help protect against supply chain attacks where a compromised release is
+published and detected only hours or days later. For example, if you set
+`solver.min-release-age` to `7`, Poetry will only consider versions for which all known
+distribution files are at least seven days old.
+
+```bash
+poetry config solver.min-release-age 7
+```
+
+If you need newer releases for selected packages or sources, you can opt out of the
+filter with `solver.min-release-age-exclude` and `solver.min-release-age-exclude-source`:
+
+```bash
+poetry config solver.min-release-age-exclude "my-package,other-package"
+poetry config solver.min-release-age-exclude-source "internal-pypi,https://packages.example.com/simple/"
+```
+
+{{% note %}}
+This filter can only be enforced for package sources that expose file upload timestamps.
+If a source does not provide upload times for a release, that release is not filtered out
+by this setting.
+{{% /note %}}
+
+## Upcoming Changes
+
+### Defaulting to `setuptools` instead of `poetry-core` if no build system is defined
+
+Per [PEP 517](https://peps.python.org/pep-0517/), a build tool should fall back to `setuptools` if no build system is
+defined in the `[build-system]` section of `pyproject.toml`. However, to avoid immediate disruption, Poetry will
+currently issue a **warning** in such cases and continue using the built-in `poetry-core` backend by default.
+This behavior will change in a future minor release so that Poetry will default to `setuptools`
+if no `[build-system]` section is defined.
+
+## Changelog
+
+# TODO

content/history.md

@@ -4,6 +4,8 @@ layout: single
 title: History
 ---
 
+## TODO: 2.4.0
+
 ## [2.3.4] - 2026-04-12
 
 ### Fixed
@@ -2580,7 +2582,8 @@ This release **must** be downloaded via the `get-poetry.py` script and not via t
 
 Initial release
 
-[Unreleased]: https://github.com/python-poetry/poetry/compare/2.3.4...main
+[Unreleased]: https://github.com/python-poetry/poetry/compare/2.4.0...main
+[2.4.0]: https://github.com/python-poetry/poetry/releases/tag/2.4.0
 [2.3.4]: https://github.com/python-poetry/poetry/releases/tag/2.3.4
 [2.3.3]: https://github.com/python-poetry/poetry/releases/tag/2.3.3
 [2.3.2]: https://github.com/python-poetry/poetry/releases/tag/2.3.2

pyproject.toml

@@ -66,7 +66,7 @@ tags = "/blog/tag/:title/"
 description = "Python dependency management and packaging made easy"
 
 [tool.website.config.params.documentation]
-defaultVersion = "2.3"
+defaultVersion = "2.3"  # TODO
 
 [tool.website.config.markup.goldmark.renderer]
 unsafe = true
@@ -75,7 +75,7 @@ unsafe = true
 keepWhitespace = true
 
 [tool.website.versions]
-"2.3" = "2.3"
+"2.3" = "2.3"  # TODO
 "1.8" = "1.8"
 
 [build-system]