Bump poetry from 2.3.3 to 2.4.0

[dependabot]

Bumps poetry from 2.3.3 to 2.4.0.

Release notes

Sourced from poetry's releases.

2.4.0

Added

• Add solver.min-release-age setting to require package releases to be a certain number of days old before they are considered during dependency resolution (#10824).
• Add solver.min-release-age-exclude to exclude selected packages from age filtering (#10824).
• Add solver.min-release-age-exclude-source to exclude all packages from selected package indexes from age filtering (#10824).

Changed

• Raise an error instead of silently ignoring a package name that is not a dependency when it is passed to poetry update (#10721).
• Automatically add a trailing slash to legacy repository URLs (used for publishing) if missing (#10785).
• Require installer>=1.0.0 (#10869).
• Allow findpython>=0.8 (#10874).

Fixed

• Fix an issue where requires-plugins fails on Windows if scheme paths are on different drives (#10869).
• Fix an issue where the order of markers in the lock file was not deterministic (#10720).
• Fix an issue where the wrong command was suggested when poetry self commands failed due to an outdated lock file (#10715).
• Fix an issue where poetry env activate did not work for bash on Windows (#10716).
• Fix an issue where poetry debug resolve failed when there was a package with a marker (#10807).
• Fix an issue where the error message about a build backend failure contained garbled --config-settings (#10804).
• Fix an issue where a false warning about a circular dependency was printed (#10811).
• Fix an issue where falsy config values were incorrectly treated as not set (#10808).
• Fix an issue where poetry publish --build ignored failing builds and uploaded stale artifacts (#10802).
• Fix an issue where poetry publish was aborted instead of retrying after package registration (#10801).
• Fix an issue where zip files were not closed after fetching metadata via lazy-wheel (#10800).
• Fix an issue where data fetched via lazy-wheel was corrupted when part of it had already been cached (#10806).
• Fix an issue where further packages were installed even though installation should be aborted (#10742).
• Fix an issue where installed packages without a METADATA file caused an exception on Python 3.15+ (#10860).
• Fix an issue where http-basic could not be set for repository names with periods (#10845).
• Fix an issue where calculating the hash of large wheels failed with a memory error (#10814).

Docs

• Clarify the precedence of configuration sources (#10757).
• Add a note about the influence of .gitignore on tool.poetry.packages (#10835).

poetry-core (2.4.0)

• Update vendored packaging to 26.2 (#936).

2.3.4

Fixed

• Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
• Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

Changelog

Sourced from poetry's changelog.

[2.4.0] - 2026-05-03

Added

• Add solver.min-release-age setting to require package releases to be a certain number of days old before they are considered during dependency resolution (#10824).
• Add solver.min-release-age-exclude to exclude selected packages from age filtering (#10824).
• Add solver.min-release-age-exclude-source to exclude all packages from selected package indexes from age filtering (#10824).

Changed

• Raise an error instead of silently ignoring a package name that is not a dependency when it is passed to poetry update (#10721).
• Automatically add a trailing slash to legacy repository URLs (used for publishing) if missing (#10785).
• Require installer>=1.0.0 (#10869).
• Allow findpython>=0.8 (#10874).

Fixed

• Fix an issue where requires-plugins fails on Windows if scheme paths are on different drives (#10869).
• Fix an issue where the order of markers in the lock file was not deterministic (#10720).
• Fix an issue where the wrong command was suggested when poetry self commands failed due to an outdated lock file (#10715).
• Fix an issue where poetry env activate did not work for bash on Windows (#10716).
• Fix an issue where poetry debug resolve failed when there was a package with a marker (#10807).
• Fix an issue where the error message about a build backend failure contained garbled --config-settings (#10804).
• Fix an issue where a false warning about a circular dependency was printed (#10811).
• Fix an issue where falsy config values were incorrectly treated as not set (#10808).
• Fix an issue where poetry publish --build ignored failing builds and uploaded stale artifacts (#10802).
• Fix an issue where poetry publish was aborted instead of retrying after package registration (#10801).
• Fix an issue where zip files were not closed after fetching metadata via lazy-wheel (#10800).
• Fix an issue where data fetched via lazy-wheel was corrupted when part of it had already been cached (#10806).
• Fix an issue where further packages were installed even though installation should be aborted (#10742).
• Fix an issue where installed packages without a METADATA file caused an exception on Python 3.15+ (#10860).
• Fix an issue where http-basic could not be set for repository names with periods (#10845).
• Fix an issue where calculating the hash of large wheels failed with a memory error (#10814).

Docs

• Clarify the precedence of configuration sources (#10757).
• Add a note about the influence of .gitignore on tool.poetry.packages (#10835).

poetry-core (2.4.0)

• Update vendored packaging to 26.2 (#936).

[2.3.4] - 2026-04-12

Fixed

• Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
• Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

Commits

• 3fc8b33 release: bump version to 2.4.0
• 6b100d5 chore: update dependencies (#10879)
• ca51dac feat: add a solver.min-release-age-exclude-source config option (#10824)
• 5b4307a feat: add a solver.min-release-age-exclude config option (#10824)
• c54c3b0 feat: add a solver.min-release-age config option (#10824)
• 56a5e38 deps: allow findpython 0.8 (#10874)
• f6e2bb5 dont sign commits in tests (#10873)
• d83f6c0 fix mis-named variable (#10872)
• 1213c05 simplify FileConfigSource.remove_property() (#10871)
• 812e2bc chore: sync node and vercel version with website repo (#10870)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #1633.