Sourced from poetry's releases.

2.3.3

Fixed

• Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
• Fix an issue where git dependencies from annotated tags could not be updated (#10719).
• Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
• Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
• Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
• Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
• Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

• Clarify the differences between poetry install and poetry update (#10713).
• Clarify the section of fields in the pyproject.toml examples (#10753).
• Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
• Fix the system requirements for Poetry (#10739).
• Fix the poetry cache clear example (#10749).
• Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

• Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
• Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
• Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
• Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
• Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
• Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
• Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
• Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
• Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
• Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

2.3.2

Changed

• Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

• Fix an issue where platform_release could not be parsed on Windows Server (#911).

2.3.1

Fixed

• Fix an issue where cached information about each package was always considered outdated (#10699).

Docs

• Document SHELL_VERBOSITY environment variable (#10678).

... (truncated)

Sourced from poetry's changelog.

[2.3.3] - 2026-03-29

Fixed

• Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
• Fix an issue where git dependencies from annotated tags could not be updated (#10719).
• Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
• Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
• Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
• Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
• Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

• Clarify the differences between poetry install and poetry update (#10713).
• Clarify the section of fields in the pyproject.toml examples (#10753).
• Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
• Fix the system requirements for Poetry (#10739).
• Fix the poetry cache clear example (#10749).
• Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

• Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
• Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
• Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
• Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
• Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
• Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
• Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
• Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
• Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
• Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

[2.3.2] - 2026-02-01

Changed

• Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

• Fix an issue where platform_release could not be parsed on Windows Server (#911).

[2.3.1] - 2026-01-20

Fixed

... (truncated)

• 3d0151a release: bump version to 2.3.3
• 89f09aa fix long path issue on Windows (#10794)
• e068177 installer: fix path traversal (#10792)
• d76a2f6 chore: require new poetry-core version (#10790)
• 859d443 Update init & new commands for PEP 639 (License) (#10787)
• 2ff2845 fix: pass auth via Request constructor instead of calling HTTPBasicAuth on un...
• 286e43b env: improve error handling if .venv is not a directory but a file (#10777)
• d6e72c9 Fix publish --build prompt behavior in non-interactive mode (#10769)
• 9fced1a fix(env): treat empty VIRTUAL_ENV/CONDA_PREFIX as unset (#10784)
• 9688382 docs: fix pipx install directions link (#10783)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)