
build(deps): bump poetry from 2.2.1 to 2.3.3#20758

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/poetry-2.3.3

Conversation

@dependabot dependabot bot commented on behalf of github Apr 1, 2026

Bumps poetry from 2.2.1 to 2.3.3.

Release notes

Sourced from poetry's releases.

2.3.3

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

2.3.2

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

  • Fix an issue where platform_release could not be parsed on Windows Server (#911).

2.3.1

Fixed

  • Fix an issue where cached information about each package was always considered outdated (#10699).

Docs

  • Document SHELL_VERBOSITY environment variable (#10678).

... (truncated)

Changelog

Sourced from poetry's changelog.

[2.3.3] - 2026-03-29

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

[2.3.2] - 2026-02-01

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

  • Fix an issue where platform_release could not be parsed on Windows Server (#911).

[2.3.1] - 2026-01-20

Fixed

... (truncated)

Commits
  • 3d0151a release: bump version to 2.3.3
  • 89f09aa fix long path issue on Windows (#10794)
  • e068177 installer: fix path traversal (#10792)
  • d76a2f6 chore: require new poetry-core version (#10790)
  • 859d443 Update init & new commands for PEP 639 (License) (#10787)
  • 2ff2845 fix: pass auth via Request constructor instead of calling HTTPBasicAuth on un...
  • 286e43b env: improve error handling if .venv is not a directory but a file (#10777)
  • d6e72c9 Fix publish --build prompt behavior in non-interactive mode (#10769)
  • 9fced1a fix(env): treat empty VIRTUAL_ENV/CONDA_PREFIX as unset (#10784)
  • 9688382 docs: fix pipx install directions link (#10783)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Low risk: a single dependency pin update for the build toolchain, with no application/runtime code changes.

Overview
Bumps the poetry version in requirements-poetry.txt from 2.2.1 to 2.3.3, keeping the repo’s Poetry tooling in sync with Dependabot’s expected version.

Written by Cursor Bugbot for commit a413963. This will update automatically on new commits. Configure here.

Bumps [poetry](https://github.com/python-poetry/poetry) from 2.2.1 to 2.3.3.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.2.1...2.3.3)

---
updated-dependencies:
- dependency-name: poetry
  dependency-version: 2.3.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
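The release notes above cite a wheel-installer path traversal fix (#10792): wheel entries whose names escape the installation directory. As an added illustration that is not Poetry's code, here is the kind of containment check an installer applies to each zip member before writing anything; the wheel file, its member names and the destination directory are all constructed for the example.

```python
import os
import posixpath
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(dest_dir: "str | os.PathLike[str]", member_name: str) -> bool:
    """Return True only if writing member_name would land strictly inside dest_dir.

    Rejects empty, absolute or drive-qualified names, names whose normalized
    form climbs above dest_dir via "..", and names that would pass through an
    already existing symlink pointing outside dest_dir.
    """
    name = member_name.replace("\\", "/")
    # os.path.splitdrive only recognises drive letters on Windows; on POSIX a
    # name such as "C:/x" stays relative to dest_dir and is therefore harmless.
    if not name or name.startswith("/") or os.path.splitdrive(name)[0]:
        return False
    normalized = posixpath.normpath(name)
    if normalized == ".." or normalized.startswith("../"):
        return False
    root = Path(dest_dir).resolve()
    target = (root / normalized).resolve()  # resolve() follows symlinks that exist
    return root in target.parents


def check_wheel(wheel_path: "str | os.PathLike[str]", dest_dir: "str | os.PathLike[str]") -> dict:
    """Map every member of a wheel (a zip archive) to whether it is safe to write.

    An installer should refuse the whole wheel when any value is False instead of
    skipping the offending entry and installing the rest.
    """
    with zipfile.ZipFile(wheel_path) as zf:
        return {info.filename: is_safe_member(dest_dir, info.filename) for info in zf.infolist()}


def demo() -> dict:
    """Build a constructed wheel with one normal and one escaping entry and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        wheel = work / "constructed-0.1-py3-none-any.whl"  # constructed sample, not a real package
        with zipfile.ZipFile(wheel, "w") as zf:
            zf.writestr("constructed/__init__.py", "# constructed sample module\n")
            zf.writestr("../../outside.py", "# constructed entry that escapes site-packages\n")
        return check_wheel(wheel, work / "site-packages")


if __name__ == "__main__":
    for member, ok in demo().items():
        print("OK  " if ok else "DENY", member)
```

The symlink case matters because a wheel can ship a directory entry that an earlier (or concurrently installed) package turned into a link; resolving after the lexical check catches that too.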
@dependabot dependabot bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 1, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 1, 2026 23:45
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code Changed Required label for PR that categorizes merge commit message as "Changed" for changelog labels Apr 1, 2026
github-actions bot commented Apr 1, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how Poetry is pinned in this repo and whether the change matches the official release.

Verdict: benign

Why this looks safe

  • Identity & source: The bump pins the real Poetry project (python-poetry/poetry) on PyPI, not a typosquat. The release notes and tagged commits you listed match a normal maintenance release (including a documented wheel-installer path-traversal fix in #10792).

  • Scanner vs. interpretation: The malware report shows 0 unicode, confusable, and IOC hits. The 117 heuristic hits are almost entirely shell_process_spawn on subprocess in upstream test code (e.g. tests/utils/env/test_env.py)—expected for a tool that shells out to Python/git and mocks subprocess in tests. That is heuristic noise, not malware; the report even says warn with warn_only: true.

  • Checklist: No evidence here of base64/eval exfiltration, hidden Unicode in reviewed scope, odd new install scripts on this repo’s pin (your pin is a single line poetry==2.3.3 in requirements-poetry.txt), or lockfile integrity anomalies called out by the scanner as errors (the JSON shows "errors": []).

  • Scope note: The large “changed files” list reflects scanning the upstream Poetry repo between tags, not necessarily every file in a small Chia Dependabot diff. For merge confidence, still rely on CI (install + poetry check / lockfile) as usual.

Actionable takeaway: Treat this as a legitimate security and bugfix upgrade; the scanner does not contradict that—the heuristics align with normal Poetry test patterns, not supply-chain compromise.

Compatibility Analysis

Tracing where Poetry is pinned and used in the repo and assessing compatibility with 2.3.3.

1) Where Poetry appears

Location and role:

  • requirements-poetry.txt: Pins poetry + poetry-dynamic-versioning[plugin] + poetry-plugin-export (comment says to keep in sync with Dependabot).
  • setup-poetry.sh / Setup-poetry.ps1: pip install -r requirements-poetry.txt into .penv.
  • install.sh (via .github/actions/install): setup-poetry.sh, then .penv/bin/poetry env use and .penv/bin/poetry sync.
  • poetry-check.py + .pre-commit-config.yaml: poetry check --strict and poetry lock when lock/pyproject change.
  • activated.py: --poetry uses .penv (Poetry env), separate from .venv.
  • pyproject.toml: [tool.poetry] metadata/deps; [build-system] uses poetry-core>=1.0.0 and poetry_dynamic_versioning.backend (not the Poetry CLI).
  • CI: chia-network/actions/cache-pip with mode: poetry; check_wheel_availability runs setup-poetry.sh; upload-pypi-source.yml runs poetry check; reflow-version.yml installs Poetry via pip and runs poetry version -s (not necessarily the same pin as requirements-poetry.txt).

Poetry is used as a CLI and lockfile tool, not as an imported Python package in application code.

2) Overlap with 2.3.x changes

Release notes emphasize bugfixes (wheel installer path traversal, env detection, HTTP basic auth, poetry publish non-interactive, etc.) and poetry-core resolver/metadata fixes.

  • Direct API risk: Low. Nothing in this repo calls Poetry’s Python APIs.
  • CLI you rely on: check, lock, sync, env use, version — unchanged in spirit; 2.3.x is still the same major as 2.2.x.
  • Likely touch points: Any path that installs wheels (poetry sync) benefits from the wheel installer fix. poetry lock could produce a different diff after upgrade because poetry-core’s constraint handling is stricter/more correct — that’s lockfile churn, not an app runtime break.
  • reflow-version.yml: Uses an unpinned pip install poetry; behavior may drift from .penv — pre-existing inconsistency, not introduced by this bump alone.

3) Risks / unknowns

  • Plugins: poetry-dynamic-versioning and poetry-plugin-export should be checked against Poetry 2.3.x; issues are uncommon but possible.
  • Regenerating poetry.lock: Resolver fixes may change pins or ordering; worth a one-off check if someone runs poetry lock on main after merge.
  • Private index / long-lived tokens: HTTP auth fix is relevant if you use basic auth against pypi.chia.net or similar with very long tokens.

4) Recommendation

Merge — tooling-only bump on the 2.x line, includes an important wheel installer security fix, and usage here is standard CLI/lock workflows with no embedded Poetry APIs.

Caveat: Rely on green CI (especially install + pre-commit poetry hook). If poetry lock is run intentionally later, expect possible lockfile diffs from poetry-core fixes, not necessarily application bugs.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 181
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: b9e5d79fc57de2f2e60973019d56662b7398440b..3d0151ac03b5286e557ed1518b815ad225d52cb0
  • Resolved refs: from=b9e5d79fc57de2f2e60973019d56662b7398440b to=3d0151ac03b5286e557ed1518b815ad225d52cb0
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 117

Top findings

  • tests/utils/env/test_env.py:5 shell_process_spawn :: import subprocess
  • tests/utils/env/test_env.py:146 shell_process_spawn :: mocker.patch("subprocess.check_output", side_effect=KeyboardInterrupt())
  • tests/utils/env/test_env.py:149 shell_process_spawn :: subprocess.check_output.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:155 shell_process_spawn :: mocker.patch("subprocess.check_call", side_effect=KeyboardInterrupt())
  • tests/utils/env/test_env.py:159 shell_process_spawn :: subprocess.check_call.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:166 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env.py:167 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/test_env.py:173 shell_process_spawn :: subprocess.check_output.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:182 shell_process_spawn :: "subprocess.check_call",
  • tests/utils/env/test_env.py:183 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/test_env.py:190 shell_process_spawn :: subprocess.check_call.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:199 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env.py:200 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/test_env.py:206 shell_process_spawn :: subprocess.check_output.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:242 shell_process_spawn :: "subprocess.run",
  • tests/utils/env/test_env.py:243 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/python/test_python_installer.py:3 shell_process_spawn :: from subprocess import CalledProcessError
  • tests/utils/env/test_env_manager.py:574 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env_manager.py:621 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env_manager.py:691 shell_process_spawn :: "subprocess.check_output",

emlowe commented Apr 2, 2026

Poetry is updated in lockstep with Dependabot, which is still at 2.2.1; closing.

@emlowe emlowe closed this Apr 2, 2026
dependabot bot commented on behalf of github Apr 2, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/pip/poetry-2.3.3 branch April 2, 2026 15:14