Skip to content

Bump poetry from 2.3.3 to 2.3.4#553

Merged
edmorley merged 2 commits intomainfrom
dependabot/pip/poetry-2.3.4
Apr 13, 2026
Merged

Bump poetry from 2.3.3 to 2.3.4#553
edmorley merged 2 commits intomainfrom
dependabot/pip/poetry-2.3.4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 13, 2026

Bumps poetry from 2.3.3 to 2.3.4.

Release notes

Sourced from poetry's releases.

2.3.4

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).
Changelog

Sourced from poetry's changelog.

[2.3.4] - 2026-04-12

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).
Commits
  • 7c7af71 release: bump version to 2.3.4
  • e512e7f fix: refuse to write files outside the target directory during sdist extracti...
  • 506c09d perf: use os.path.abspath() instead of Path.resolve() (#10821)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump poetry from 2.3.3 to 2.3.4
7f4b8d6 
Bumps [poetry](https://github.com/python-poetry/poetry) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.3.3...2.3.4)

---
updated-dependencies:
- dependency-name: poetry
  dependency-version: 2.3.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Dependabot PRs that update Python dependencies labels Apr 13, 2026
@dependabot dependabot Bot requested a review from edmorley as a code owner April 13, 2026 11:02
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Dependabot PRs that update Python dependencies labels Apr 13, 2026
@edmorley edmorley enabled auto-merge (squash) April 13, 2026 11:05
@edmorley edmorley merged commit 687adb9 into main Apr 13, 2026
8 checks passed
@edmorley edmorley deleted the dependabot/pip/poetry-2.3.4 branch April 13, 2026 11:08
heroku-linguist Bot added a commit that referenced this pull request Apr 13, 2026
@heroku-linguist
Prepare release v6.4.1
66e8f26 
## heroku/python

### Changed

- Updated Poetry from 2.3.3 to 2.3.4. ([#553](#553))
- Updated uv from 0.11.3 to 0.11.6. ([#552](#552))
@heroku-linguist heroku-linguist Bot mentioned this pull request Apr 13, 2026
Merged
heroku-linguist Bot added a commit to heroku/cnb-builder-images that referenced this pull request Apr 13, 2026
@heroku-linguist
Update heroku/buildpacks-python to v6.4.1
13da043 
## heroku/python

### Changed

- Updated Poetry from 2.3.3 to 2.3.4. ([#553](heroku/buildpacks-python#553))
- Updated uv from 0.11.3 to 0.11.6. ([#552](heroku/buildpacks-python#552))
@heroku-linguist heroku-linguist Bot mentioned this pull request Apr 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edmorley edmorley edmorley approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Dependabot PRs that update Python dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@edmorley