Hey folks. We have an SDK tap with a

poetry.lock

file locking the

singer-sdk

dependency to 0.3.8, and that lock file is committed to the repo. However, when we install the tap in our Meltano project (using a git repo link, if that matters), it ignores the lock file and uses 0.3.11. This happened to cause a breaking change. That’s not to say that there’s a breaking change in the sdk; we overrode

request_records

for a

RESTStream

, at our own risk. But I would have thought the lock file would have protected us from this. Is this a known issue, does

pip install

not know how to correctly install poetry apps? Or is there a setting we can add to our project files to fix this?

your pyproject.toml is also set to 0.3.8 right?

to

^0.3.7

. But I assume if poetry works similar to ruby bundler and npm, that the

^

only applies when doing

poetry update

pip only uses the

pyproject.toml

and ignores

poetry.lock

to resolve dependencies, so it installs any minor release equal or greater than

0.3.7

@edgar_ramirez_mondragon awesome! can you find the docs for this I was trying to find this to link to but you beat met o the answer 😄

So @julian_knight, in the case of the SDK, it's probably safest to pin the exact dependency in

pyproject.toml

, e.g.

singer-sdk = "0.3.8"

so pip always uses that version 😕 There's a few discussions going on in both the python and poetry communities around this topic: • Standardize around a lock file format: PEP 665 • Support building packages with pinned dependencies: https://github.com/python-poetry/poetry-core/pull/71

Thanks @edgar_ramirez_mondragon and @visch, that makes sense!

@julian_knight I think it should. I'm filing an issue as we chat 😅