
Bump poetry from 2.3.2 to 2.3.3#532

Merged: edmorley merged 2 commits into main from dependabot/pip/poetry-2.3.3 on Apr 2, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 30, 2026

Bumps poetry from 2.3.2 to 2.3.3.

Release notes

Sourced from poetry's releases.

2.3.3

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).
Changelog

Sourced from poetry's changelog.

[2.3.3] - 2026-03-29

Commits
  • 3d0151a release: bump version to 2.3.3
  • 89f09aa fix long path issue on Windows (#10794)
  • e068177 installer: fix path traversal (#10792)
  • d76a2f6 chore: require new poetry-core version (#10790)
  • 859d443 Update init & new commands for PEP 639 (License) (#10787)
  • 2ff2845 fix: pass auth via Request constructor instead of calling HTTPBasicAuth on un...
  • 286e43b env: improve error handling if .venv is not a directory but a file (#10777)
  • d6e72c9 Fix publish --build prompt behavior in non-interactive mode (#10769)
  • 9fced1a fix(env): treat empty VIRTUAL_ENV/CONDA_PREFIX as unset (#10784)
  • 9688382 docs: fix pipx install directions link (#10783)
  • Additional commits viewable in compare view
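The first entry in the release notes above is a path traversal fix in the wheel installer. As an added illustration (not Poetry's own code), this is the kind of destination check an installer needs before writing a wheel member to disk: any archive name that resolves outside the installation directory is refused. The member names and the installation directory are constructed for the example.

```python
"""Added example (not Poetry's code): reject wheel member names that would
resolve outside the installation directory, the bug class fixed in #10792."""
import os
import posixpath
from typing import List, Optional, Tuple

# Constructed member names as they might appear in a wheel's zip directory.
SAMPLE_MEMBERS = [
    "pkg/__init__.py",
    "pkg-1.0.dist-info/METADATA",
    "../../etc/cron.d/evil",      # relative traversal out of the root
    "/etc/passwd",                # absolute name
    "pkg/../../outside.py",       # traversal hidden behind a valid prefix
    "pkg\\..\\..\\win.py",        # backslash separators
]


def safe_destination(install_dir: str, member: str) -> Optional[str]:
    """Return the absolute path where `member` may be written inside
    `install_dir`, or None if writing it would escape that directory."""
    root = os.path.realpath(install_dir)
    # Zip names use '/', but be defensive about backslashes and absolute names.
    name = member.replace("\\", "/")
    if posixpath.isabs(name):
        return None
    # Normalise away '.' and '..' segments, then confirm the result is still
    # under the root rather than trusting the name as given.
    dest = os.path.realpath(os.path.join(root, *name.split("/")))
    try:
        if os.path.commonpath([root, dest]) != root:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return dest


def partition_members(install_dir: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted, rejected) for the given root."""
    accepted, rejected = [], []
    for member in members:
        (rejected if safe_destination(install_dir, member) is None else accepted).append(member)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_members("/tmp/site-packages", SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```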

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Dependabot PRs that update Python dependencies labels Mar 30, 2026
@dependabot dependabot bot requested a review from edmorley as a code owner March 30, 2026 20:42
@nettoclaudio

Hi @edmorley, could you please take a look at this PR? I need to get Poetry 2.3.3 out ASAP, as some of my apps are crashing due to the issue addressed in python-poetry/poetry-core#930.

@edmorley (Member)

@nettoclaudio Hi! I can take a look at this tomorrow. Though I'm puzzled: the linked issue references Debian Trixie, but Heroku runs on Ubuntu. Is this affecting a Heroku app, or another platform using this buildpack? Either way, could you paste some logs so I can understand better? :-)


edmorley commented Apr 1, 2026

> Heroku runs on Ubuntu

And specifically this CNB has ubuntu in its target requirements (so this buildpack would fail to run on a different distro build image, such as Debian Trixie, unless modified):

```toml
[[targets]]
os = "linux"
arch = "amd64"
[[targets.distros]]
name = "ubuntu"
version = "22.04"
[[targets.distros]]
name = "ubuntu"
version = "24.04"
[[targets]]
os = "linux"
arch = "arm64"
[[targets.distros]]
name = "ubuntu"
version = "24.04"
```

@nettoclaudio

Hi @edmorley, thanks for jumping in so quickly.

> Though I'm puzzled, the linked issue references Debian Trixie, but Heroku runs on Ubuntu. Is this affecting a Heroku app, or another platform using this buildpack?

This issue depends on the host kernel version, which may not follow the PEP 440 versioning format. It's not limited to Debian Trixie; actually, it was only mentioned because the original reporter was using it.

AFAIU, depending on the app dependencies managed by Poetry, some may use a platform_release constraint to match it against the host kernel version, and that's where this error occurs.

> Either way, could you paste some logs so I can understand better? :-)

Of course, below is the most relevant part of the app build logs related to the error:

```text
       [Determining Python version]
       Using Python version 3.11 specified in .python-version
       
       [Installing Python]
       Installing Python 3.11.15
       
       [Installing Poetry]
       Installing Poetry 2.3.2
       
       [Installing dependencies using Poetry]
       Creating virtual environment
       Running 'poetry sync --only main'
       Installing dependencies from lock file
       
       Could not parse version constraint: 6.12.68-92.122.amzn2023.x86_64
       
       [Error: Unable to install dependencies using Poetry]
       The 'poetry sync --only main' command to install the app's
       dependencies failed (exit status: 1).
       
       See the log output above for more information.
```

My host info is:

```text
cnb@my-builder-pod:/layers$ uname -a
Linux my-builder-pod 6.12.68-92.122.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Feb  9 10:43:10 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
```
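The failure in the log above comes from treating the kernel release string as a PEP 440 version. As an added illustration (not poetry-core's code and not the fix from #930), the following shows that `6.12.68-92.122.amzn2023.x86_64` does not parse under a simplified PEP 440 grammar, and evaluates a `platform_release` marker the way PEP 508 specifies: version comparison when both sides are valid PEP 440 versions, plain string comparison otherwise. The regex is a reduced PEP 440 grammar and the `release_key`/`evaluate_marker` helpers are assumptions made for this example.

```python
"""Added illustration (not poetry-core's code): why a kernel release string
breaks PEP 440 parsing, and the PEP 508 string-comparison fallback."""
import operator
import re
from typing import Optional, Tuple

# Simplified PEP 440 public version grammar: epoch, release segment, optional
# pre/post/dev segments, optional local label. Enough for this example.
PEP440 = re.compile(
    r"^(?:(?P<epoch>\d+)!)?(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?:a|b|rc)\d+)?(?:\.post\d+)?(?:\.dev\d+)?"
    r"(?:\+[a-z0-9]+(?:[-_.][a-z0-9]+)*)?$",
    re.IGNORECASE,
)

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}

# Kernel release taken from the uname output in the build log above.
KERNEL = "6.12.68-92.122.amzn2023.x86_64"


def release_key(version: str) -> Optional[Tuple[int, ...]]:
    """Return a comparable (epoch, *release) tuple for a PEP 440 version, or
    None when the string does not parse. Pre/post/dev/local parts are
    deliberately ignored here to keep the example short."""
    m = PEP440.match(version.strip())
    if not m:
        return None
    epoch = int(m.group("epoch") or 0)
    parts = [int(p) for p in m.group("release").split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # PEP 440: 3.11.0 == 3.11
        parts.pop()
    return (epoch, *parts)


def evaluate_marker(env_value: str, op: str, literal: str) -> bool:
    """Evaluate `<env_value> <op> <literal>` as PEP 508 describes: PEP 440
    ordering when both sides parse, Python string comparison otherwise."""
    left, right = release_key(env_value), release_key(literal)
    if left is None or right is None:
        return OPS[op](env_value, literal)
    return OPS[op](left, right)


if __name__ == "__main__":
    print("kernel parses as PEP 440:", release_key(KERNEL) is not None)
    print('platform_release >= "6.0" (string fallback):', evaluate_marker(KERNEL, ">=", "6.0"))
```

An installer that raises on the unparsable side instead of falling back to string comparison produces exactly the "Could not parse version constraint" failure seen in the log.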


edmorley commented Apr 2, 2026

@dependabot rebase

Bumps [poetry](https://github.com/python-poetry/poetry) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.3.2...2.3.3)

---
updated-dependencies:
- dependency-name: poetry
  dependency-version: 2.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/poetry-2.3.3 branch from 88caa94 to 33d5a54 April 2, 2026 12:11
@edmorley edmorley enabled auto-merge (squash) April 2, 2026 12:15
@edmorley edmorley merged commit a8fc520 into main Apr 2, 2026
6 checks passed
@edmorley edmorley deleted the dependabot/pip/poetry-2.3.3 branch April 2, 2026 12:20
heroku-linguist bot added a commit that referenced this pull request Apr 2, 2026
## heroku/python

### Changed

- Updated Poetry from 2.3.2 to 2.3.3. ([#532](#532))
- Updated uv from 0.10.9 to 0.11.3. ([#535](#535))
@heroku-linguist heroku-linguist bot mentioned this pull request Apr 2, 2026
heroku-linguist bot added a commit to heroku/cnb-builder-images that referenced this pull request Apr 2, 2026
## heroku/python

### Changed

- Updated Poetry from 2.3.2 to 2.3.3. ([#532](heroku/buildpacks-python#532))
- Updated uv from 0.10.9 to 0.11.3. ([#535](heroku/buildpacks-python#535))
