|
| 1 | +--- |
| 2 | +layout: single |
| 3 | +title: "Announcing Poetry 2.4.0" |
| 4 | +date: 2026-05-03 |
| 5 | +categories: [releases] |
| 6 | +tags: ["2.x", "2.4"] |
| 7 | +--- |
| 8 | + |
| 9 | +The Poetry team is pleased to announce the immediate availability of Poetry **2.4.0**. |
| 10 | + |
| 11 | +<!--more--> |
| 12 | + |
| 13 | +If you have a previous version of Poetry installed via `pipx`, |
| 14 | +getting Poetry **2.4.0** is as easy as: |
| 15 | + |
| 16 | +```bash |
| 17 | +$ pipx upgrade poetry |
| 18 | +``` |
| 19 | + |
| 20 | +If you used the [official installer](/docs/#installation), you can run: |
| 21 | + |
| 22 | +```bash |
| 23 | +$ poetry self update |
| 24 | +``` |
| 25 | + |
| 26 | +## Highlights |
| 27 | + |
| 28 | +### Adding support for dependency cooldowns |
| 29 | + |
| 30 | +Poetry 2.4.0 introduces a new `solver.min-release-age` setting that lets you require |
| 31 | +package releases to be a certain number of days old before they are considered during |
| 32 | +dependency resolution. |
| 33 | + |
| 34 | +This can help protect against supply chain attacks where a compromised release is |
| 35 | +published and detected only hours or days later. For example, if you set |
| 36 | +`solver.min-release-age` to `7`, Poetry will only consider versions for which all known |
| 37 | +distribution files are at least seven days old. |
| 38 | + |
| 39 | +```bash |
| 40 | +poetry config solver.min-release-age 7 |
| 41 | +``` |
| 42 | + |
| 43 | +If you need newer releases for selected packages or sources, you can opt out of the |
| 44 | +filter with `solver.min-release-age-exclude` and `solver.min-release-age-exclude-source`: |
| 45 | + |
| 46 | +```bash |
| 47 | +poetry config solver.min-release-age-exclude "my-package,other-package" |
| 48 | +poetry config solver.min-release-age-exclude-source "internal-pypi,https://packages.example.com/simple/" |
| 49 | +``` |
| 50 | + |
| 51 | +{{% note %}} |
| 52 | +This filter can only be enforced for package sources that expose file upload timestamps. |
| 53 | +If a source does not provide upload times for a release, that release is not filtered out |
| 54 | +by this setting. |
| 55 | +{{% /note %}} |
| 56 | + |
| 57 | +## Upcoming Changes |
| 58 | + |
| 59 | +### Defaulting to `setuptools` instead of `poetry-core` if no build system is defined |
| 60 | + |
| 61 | +Per [PEP 517](https://peps.python.org/pep-0517/), a build tool should fall back to `setuptools` if no build system is |
| 62 | +defined in the `[build-system]` section of `pyproject.toml`. However, to avoid immediate disruption, Poetry will |
| 63 | +currently issue a **warning** in such cases and continue using the built-in `poetry-core` backend by default. |
| 64 | +This behavior will change in a future minor release so that Poetry will default to `setuptools` |
| 65 | +if no `[build-system]` section is defined. |
| 66 | + |
| 67 | +## Changelog |
| 68 | + |
| 69 | +### Added |
| 70 | + |
| 71 | +- Add `solver.min-release-age` setting to require package releases to be a certain number of days old before they are considered during dependency resolution ([#10824](https://github.com/python-poetry/poetry/pull/10824)). |
| 72 | +- Add `solver.min-release-age-exclude` to exclude selected packages from age filtering ([#10824](https://github.com/python-poetry/poetry/pull/10824)). |
| 73 | +- Add `solver.min-release-age-exclude-source` to exclude all packages from selected package indexes from age filtering ([#10824](https://github.com/python-poetry/poetry/pull/10824)). |
| 74 | + |
| 75 | +### Changed |
| 76 | + |
| 77 | +- Raise an error instead of silently ignoring a package name that is not a dependency when it is passed to `poetry update` ([#10721](https://github.com/python-poetry/poetry/pull/10721)). |
| 78 | +- Automatically add a trailing slash to legacy repository URLs (used for publishing) if missing ([#10785](https://github.com/python-poetry/poetry/pull/10785)). |
| 79 | +- Require `installer>=1.0.0` ([#10869](https://github.com/python-poetry/poetry/pull/10869)). |
| 80 | +- Allow `findpython>=0.8` ([#10874](https://github.com/python-poetry/poetry/pull/10874)). |
| 81 | + |
| 82 | +### Fixed |
| 83 | + |
| 84 | +- Fix an issue where `requires-plugins` fails on Windows if scheme paths are on different drives ([#10869](https://github.com/python-poetry/poetry/pull/10869)). |
| 85 | +- Fix an issue where the order of markers in the lock file was not deterministic ([#10720](https://github.com/python-poetry/poetry/pull/10720)). |
| 86 | +- Fix an issue where the wrong command was suggested when `poetry self` commands failed due to an outdated lock file ([#10715](https://github.com/python-poetry/poetry/pull/10715)). |
| 87 | +- Fix an issue where `poetry env activate` did not work for bash on Windows ([#10716](https://github.com/python-poetry/poetry/pull/10716)). |
| 88 | +- Fix an issue where `poetry debug resolve` failed when there was a package with a marker ([#10807](https://github.com/python-poetry/poetry/pull/10807)). |
| 89 | +- Fix an issue where the error message about a build backend failure contained garbled `--config-settings` ([#10804](https://github.com/python-poetry/poetry/pull/10804)). |
| 90 | +- Fix an issue where a false warning about a circular dependency was printed ([#10811](https://github.com/python-poetry/poetry/pull/10811)). |
| 91 | +- Fix an issue where falsy config values were incorrectly treated as not set ([#10808](https://github.com/python-poetry/poetry/pull/10808)). |
| 92 | +- Fix an issue where `poetry publish --build` ignored failing builds and uploaded stale artifacts ([#10802](https://github.com/python-poetry/poetry/pull/10802)). |
| 93 | +- Fix an issue where `poetry publish` was aborted instead of retrying after package registration ([#10801](https://github.com/python-poetry/poetry/pull/10801)). |
| 94 | +- Fix an issue where zip files were not closed after fetching metadata via `lazy-wheel` ([#10800](https://github.com/python-poetry/poetry/pull/10800)). |
| 95 | +- Fix an issue where data fetched via `lazy-wheel` was corrupted when part of it had already been cached ([#10806](https://github.com/python-poetry/poetry/pull/10806)). |
| 96 | +- Fix an issue where further packages were installed even though installation should be aborted ([#10742](https://github.com/python-poetry/poetry/pull/10742)). |
| 97 | +- Fix an issue where installed packages without a `METADATA` file caused an exception on Python 3.15+ ([#10860](https://github.com/python-poetry/poetry/pull/10860)). |
| 98 | +- Fix an issue where `http-basic` could not be set for repository names with periods ([#10845](https://github.com/python-poetry/poetry/pull/10845)). |
| 99 | +- Fix an issue where calculating the hash of large wheels failed with a memory error ([#10814](https://github.com/python-poetry/poetry/pull/10814)). |
| 100 | + |
| 101 | +### Docs |
| 102 | + |
| 103 | +- Clarify the precedence of configuration sources ([#10757](https://github.com/python-poetry/poetry/pull/10757)). |
| 104 | +- Add a note about the influence of `.gitignore` on `tool.poetry.packages` ([#10835](https://github.com/python-poetry/poetry/pull/10835)). |
| 105 | + |
| 106 | +### poetry-core ([`2.4.0`](https://github.com/python-poetry/poetry-core/releases/tag/2.4.0)) |
| 107 | + |
| 108 | +- Update vendored `packaging` to `26.2` ([#936](https://github.com/python-poetry/poetry-core/pull/936)). |
0 commit comments