
build(deps): bump poetry from 2.2.1 to 2.3.4 #20823

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/poetry-2.3.4

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps poetry from 2.2.1 to 2.3.4.

Release notes

Sourced from poetry's releases.

2.3.4

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

2.3.3

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

2.3.2

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

  • Fix an issue where platform_release could not be parsed on Windows Server (#911).

2.3.1

Fixed

... (truncated)

Changelog

Sourced from poetry's changelog.

[2.3.4] - 2026-04-12

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

[2.3.3] - 2026-03-29

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).

[2.3.2] - 2026-02-01

Changed

  • Allow dulwich>=1.0 (#10701).

poetry-core (2.3.1)

... (truncated)

Commits
  • 7c7af71 release: bump version to 2.3.4
  • e512e7f fix: refuse to write files outside the target directory during sdist extracti...
  • 506c09d perf: use os.path.abspath() instead of Path.resolve() (#10821)
  • 3d0151a release: bump version to 2.3.3
  • 89f09aa fix long path issue on Windows (#10794)
  • e068177 installer: fix path traversal (#10792)
  • d76a2f6 chore: require new poetry-core version (#10790)
  • 859d443 Update init & new commands for PEP 639 (License) (#10787)
  • 2ff2845 fix: pass auth via Request constructor instead of calling HTTPBasicAuth on un...
  • 286e43b env: improve error handling if .venv is not a directory but a file (#10777)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk version bump limited to build tooling, though it may slightly change lock/export behavior in CI and local dev environments.

Overview
Bumps the pinned Poetry version in requirements-poetry.txt from 2.2.1 to 2.3.4 to keep the repo’s Poetry tooling in sync with Dependabot.

Reviewed by Cursor Bugbot for commit d3a6bea. Bugbot is set up for automated code reviews on this repo.

Bumps [poetry](https://github.com/python-poetry/poetry) from 2.2.1 to 2.3.4.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.2.1...2.3.4)

---
updated-dependencies:
- dependency-name: poetry
  dependency-version: 2.3.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the Changed, dependencies and python labels Apr 21, 2026
dependabot[bot] requested a review from a team as a code owner April 21, 2026 20:27
dependabot[bot] added the dependencies, python and Changed labels Apr 21, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how Poetry is pinned in this repository to ground the review.

Verdict: benign

Why this looks safe

  • Identity / typosquatting: The dependency is the real Poetry project (python-poetry/poetry), not a name-squat substitute.
  • Version / integrity: 2.2.1 → 2.3.4 is a normal minor-line upgrade on Poetry 2.x, with public release notes and linked PRs (e.g. #10792, #10837) describing security fixes—consistent with a legitimate release, not a “ghost” version.
  • Classic obfuscation / exfiltration: Nothing in your materials points to encoded payloads, odd hosts, persistence paths, or credential theft; the highlighted upstream edits match installer/auth/env fixes described in the changelog.
  • Invisible Unicode / Trojan Source: The scanner reports 0 unicode, 0 confusable, and 0 IOC findings after allowlists—so there is no scanner-backed signal for GlassWorm-style hidden characters.
  • Heuristic “warn” vs. real risk: The 116 heuristic hits are subprocess / shell-spawn patterns in Poetry’s own tests (e.g. tests/utils/env/test_env.py), which is expected for a tool that shells out to git/python. That is noise, not malware; the scan’s warn status in warn-only mode does not contradict a benign conclusion.
  • Dependabot scope: The long list of changed files is the upstream Poetry repo diff between tags (181 files), which is typical for a Poetry release. For your PR, still confirm the diff only bumps the Poetry pin/install you intend (e.g. CI/bootstrap)—that’s good hygiene, not a compromise signal.

Actionable note: Prefer merging 2.3.4 (or newer) over stopping at 2.3.3, since 2.3.4 fixes a regression introduced in 2.3.3 and adds the sdist path-traversal fix per the release notes you quoted.

Compatibility Analysis

Searching the repository for Poetry usage and scanning for compatibility concerns.

1) Where poetry is used in this repo

Area                                        Role
requirements-poetry.txt                     Pins poetry plus poetry-dynamic-versioning[plugin] and poetry-plugin-export.
setup-poetry.sh / Setup-poetry.ps1          pip install -r requirements-poetry.txt into .penv.
install.sh / Install.ps1                    poetry env use and poetry sync (main install path).
install-timelord.sh                         poetry show for chiavdf.
pyproject.toml                              Poetry project layout ([tool.poetry], deps, supplemental index).
poetry-check.py + .pre-commit-config.yaml   poetry check --strict then poetry lock via activated.py --poetry.
.github/workflows/upload-pypi-source.yml    poetry check.
.github/workflows/reflow-version.yml        pip install poetry (unpinned) and poetry version -s.
Other workflows                             References to poetry.lock, setup-poetry / mode: poetry in installer/test flows.

There are no import poetry usages in Chia application code (only under .upstream-dependency, the Poetry source tree). Runtime behavior of the node/wallet does not depend on the Poetry package.


2) Overlap with 2.2.1 → 2.3.4 changes

  • CLI surface you use (sync, check, version, show, env use) stays the same in spirit; the release notes emphasize installer security, wheel perf, env detection, HTTP auth, git tag updates, and poetry-core parsing/resolution fixes—not a removed public CLI.
  • Meaningful intersection: poetry lock (including in poetry-check.py). Updated poetry-core can change how markers, !=, groups, and related constraints resolve, so the next lock refresh may produce a real poetry.lock diff even if pyproject.toml is unchanged. That is the main “API-adjacent” touchpoint for this repo.
  • poetry sync against an existing lock is usually stable; risk rises when the lock is regenerated.

3) Risks / unknowns

  • Lock churn: First poetry lock (e.g. from pre-commit) might be noisier or conflict with review expectations; worth a quick eye on CI/pre-commit after merge.
  • Plugins: poetry-dynamic-versioning and poetry-plugin-export are not pinned to exact versions in requirements-poetry.txt (only poetry==…). They generally track Poetry 2.x, but any incompatibility would show up at install or plugin load time.
  • Drift: reflow-version.yml installs poetry without the same pin as requirements-poetry.txt, so that job can use a different Poetry than local/CI install scripts unless someone aligns it.
  • Security notes (sdist / wheel path traversal): Relevant to Poetry’s install path when handling malicious packages; upgrading reduces that tooling risk for dev/CI.

4) Recommendation

Merge-with-caveats: Approve/merge once CI is green, with the expectation that regenerating the lockfile may show poetry-core–driven diffs and that plugin install should be smoke-tested. Optionally align reflow-version.yml with the pinned Poetry version in a follow-up for consistency.

If CI fails only on lock or plugin resolution, treat that as fix-forward (adjust pins or lockfile) rather than blocking the upgrade indefinitely—the 2.3.x security and installer fixes are a strong reason to stay current on the tooling pin.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 181
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: b9e5d79fc57de2f2e60973019d56662b7398440b..7c7af71ba206dadd2ff7eda19b9a4c90c4349754
  • Resolved refs: from=b9e5d79fc57de2f2e60973019d56662b7398440b to=7c7af71ba206dadd2ff7eda19b9a4c90c4349754
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 116

Top findings

  • tests/utils/env/test_env.py:5 shell_process_spawn :: import subprocess
  • tests/utils/env/test_env.py:146 shell_process_spawn :: mocker.patch("subprocess.check_output", side_effect=KeyboardInterrupt())
  • tests/utils/env/test_env.py:149 shell_process_spawn :: subprocess.check_output.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:155 shell_process_spawn :: mocker.patch("subprocess.check_call", side_effect=KeyboardInterrupt())
  • tests/utils/env/test_env.py:159 shell_process_spawn :: subprocess.check_call.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:166 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env.py:167 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/test_env.py:173 shell_process_spawn :: subprocess.check_output.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:182 shell_process_spawn :: "subprocess.check_call",
  • tests/utils/env/test_env.py:183 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/test_env.py:190 shell_process_spawn :: subprocess.check_call.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:199 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env.py:200 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/test_env.py:206 shell_process_spawn :: subprocess.check_output.assert_called_once() # type: ignore[attr-defined]
  • tests/utils/env/test_env.py:242 shell_process_spawn :: "subprocess.run",
  • tests/utils/env/test_env.py:243 shell_process_spawn :: side_effect=subprocess.CalledProcessError(
  • tests/utils/env/python/test_python_installer.py:3 shell_process_spawn :: from subprocess import CalledProcessError
  • tests/utils/env/test_env_manager.py:574 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env_manager.py:621 shell_process_spawn :: "subprocess.check_output",
  • tests/utils/env/test_env_manager.py:691 shell_process_spawn :: "subprocess.check_output",
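The compatibility analysis above flags two pinning gaps: plugin lines in requirements-poetry.txt with no exact pin, and reflow-version.yml installing poetry without the version the rest of the repo uses. The script below is an added example, not code from this PR or from the repository it targets: a generic pin-drift audit that takes the `poetry==` line from requirements-poetry.txt as canonical, lists plugins lacking an `==` pin, and flags every `pip install` of poetry in scripts and workflows that is unpinned or pinned to something else. SAMPLE_FILES is constructed (scripts/bootstrap-old.sh is hypothetical, present only to show a stale pin); only the names requirements-poetry.txt and reflow-version.yml come from the discussion. Pass a checkout path on the command line to run it against a real repository.

```python
"""Audit a repo for Poetry bootstrap pins that drift from requirements-poetry.txt.

Added example, not part of this PR or its repository. SAMPLE_FILES below is
constructed; scripts/bootstrap-old.sh is hypothetical."""
import os
import re

REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)(?:\[[^\]]*\])?"
    r"(?:\s*(?P<op>===|==|~=|!=|>=|<=|>|<)\s*(?P<ver>[^\s;,#]+))?"
)
PIP_INSTALL_RE = re.compile(r"\bpip3?(?:\.exe)?\s+install\s+([^\n&|;]*)")
SCAN_SUFFIXES = (".sh", ".ps1", ".yml", ".yaml", ".txt", ".toml")


def parse_requirement(spec: str):
    """(name, op, version) for a PEP 508-style pin, or None for flags/comments."""
    spec = spec.strip()
    if not spec or spec.startswith(("#", "-")):
        return None
    m = REQ_RE.match(spec)
    return (m.group("name").lower(), m.group("op"), m.group("ver")) if m else None


def canonical_poetry_pin(requirements_text: str):
    """The exact version pinned for poetry itself, or None if it is not pinned."""
    for line in requirements_text.splitlines():
        req = parse_requirement(line)
        if req and req[0] == "poetry" and req[1] == "==":
            return req[2]
    return None


def unpinned_plugins(requirements_text: str) -> list:
    """Requirement lines other than poetry itself that lack an exact `==` pin."""
    out = []
    for line in requirements_text.splitlines():
        req = parse_requirement(line)
        if req and req[0] != "poetry" and req[1] != "==":
            out.append(req[0])
    return out


def scan_installs(path: str, text: str, canonical) -> list:
    """Findings for each `pip install ... poetry[==X]` in a script or workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PIP_INSTALL_RE.finditer(line):
            for token in m.group(1).split():
                req = parse_requirement(token)
                if not req or req[0] != "poetry":
                    continue
                if req[1] != "==":
                    kind = "unpinned"
                elif req[2] != canonical:
                    kind = "mismatch"
                else:
                    continue
                findings.append({"file": path, "line": lineno, "kind": kind, "spec": token})
    return findings


def audit(files: dict) -> dict:
    """files maps repo-relative path -> contents; requirements-poetry.txt is canonical."""
    reqs = files.get("requirements-poetry.txt", "")
    canonical = canonical_poetry_pin(reqs)
    findings = []
    for path, text in files.items():
        if path != "requirements-poetry.txt":
            findings.extend(scan_installs(path, text, canonical))
    return {"canonical": canonical, "unpinned_plugins": unpinned_plugins(reqs), "findings": findings}


def load_repo(root: str) -> dict:
    """Collect scannable files from a real checkout for audit()."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", ".venv", ".penv", "node_modules")]
        for fn in filenames:
            if fn.endswith(SCAN_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


SAMPLE_FILES = {  # constructed sample repo contents
    "requirements-poetry.txt": "poetry==2.3.4\npoetry-dynamic-versioning[plugin]\npoetry-plugin-export\n",
    "setup-poetry.sh": "python -m pip install -r requirements-poetry.txt\n",
    ".github/workflows/reflow-version.yml": "      run: |\n        pip install poetry\n        poetry version -s\n",
    "scripts/bootstrap-old.sh": "pip install poetry==2.2.1 && poetry sync\n",  # hypothetical stale script
}


if __name__ == "__main__":
    import sys
    report = audit(load_repo(sys.argv[1])) if len(sys.argv) > 1 else audit(SAMPLE_FILES)
    print(report)
```

The `-r requirements-poetry.txt` form used by the setup scripts produces no finding, because the pin lives in the referenced file; only direct `pip install poetry` invocations are checked against it. Treat a "mismatch" as a job that silently runs a different Poetry than local developers, and an "unpinned" plugin line as the place a future plugin release can break `poetry lock` or `poetry export` without any change to the repo.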

@coveralls-official

Coverage Report for CI Build 24744741326

Coverage decreased (-0.02%) to 91.16%

Details

  • Coverage decreased (-0.02%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 28 coverage regressions across 7 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

28 previously-covered lines in 7 files lost coverage.

File                                            Lines losing coverage   Coverage
chia/server/address_manager.py                  7                       92.83%
chia/server/server.py                           7                       85.56%
chia/server/node_discovery.py                   6                       80.21%
chia/full_node/full_node_api.py                 3                       86.41%
chia/full_node/full_node.py                     2                       87.5%
chia/_tests/core/test_farmer_harvester_rpc.py   2                       98.06%
chia/_tests/simulation/test_simulation.py       1                       96.49%

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107276
Line Coverage: 91.3%
Relevant Branches: 11720
Covered Branches: 10518
Branch Coverage: 89.74%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls


Labels

  • Changed: Required label for PR that categorizes merge commit message as "Changed" for changelog
  • dependencies: Pull requests that update a dependency file
  • python: Pull requests that update Python code
