constrain importlib-metadata versions in twine lockfile (#21894)

``` Lockfile diff: twine.lock [twine] == Upgraded dependencies == certifi 2024.8.30 --> 2025.1.31 charset-normalizer 3.3.2 --> 3.4.1 cryptography 43.0.1 --> 43.0.3 idna 3.8 --> 3.10 jaraco-functools 4.0.2 --> 4.1.0 keyring 25.3.0 --> 25.5.0 nh3 0.2.18 --> 0.2.20 pkginfo 1.11.1 --> 1.12.0 pygments 2.18.0 --> 2.19.1 rich 13.8.0 --> 13.9.4 urllib3 2.2.2 --> 2.2.3 zipp 3.20.1 --> 3.20.2 == !! Downgraded dependencies !! == importlib-metadata 8.4.0 --> 7.2.1 ``` fixes #21893 NOTE: We should probably move to twine >5.1, but this is intended to be the "smallest" possible fix for 2.24 backporting.
pantsbuild · Feb 3, 2025 · 844250b · 844250b
1 parent 7821be7
commit 844250b
Show file tree

Hide file tree

Showing 3 changed files with 331 additions and 278 deletions.
diff --git a/docs/notes/2.25.x.md b/docs/notes/2.25.x.md
@@ -87,6 +87,8 @@ Fixed an issue where `pants run ...` commands only worked if the `package.json`
 
 The AWS Lambda backend now provides built-in complete platforms for the Python 3.13 runtime.
 
+Constrained the transitive dependencies within the builtin lockfile for twine to work around a [bug](https://github.com/pantsbuild/pants/issues/21893).
+
 Several improvements to the Python Build Standalone backend (`pants.backend.python.providers.experimental.python_build_standalone`):
 
 - The backend now supports filtering PBS releases via their "release tag" via [the new `--python-build-standalone-release-constraints` option](https://www.pantsbuild.org/2.25/reference/subsystems/python-build-standalone-python-provider#release_constraints). THe PBS "known versions" database now contains metadata on all known PBS versions, and not just the latest PBS release tag per Python patchlevel.