python-poetry · radoering · Dec 31, 2025 · Dec 28, 2025
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ version = "2.2.1"
 description = "Python dependency management and packaging made easy."
 requires-python = ">=3.10,<4.0"
 dependencies = [
-    "poetry-core (==2.2.1)",
+    "poetry-core @ git+https://github.com/python-poetry/poetry-core.git",
     "build (>=1.2.1,<2.0.0)",
     "cachecontrol[filecache] (>=0.14.0,<0.15.0)",
     "cleo (>=2.1.0,<3.0.0)",

diff --git a/src/poetry/inspection/info.py b/src/poetry/inspection/info.py
@@ -29,11 +29,11 @@
 
 if TYPE_CHECKING:
     from collections.abc import Iterator
-    from collections.abc import Mapping
     from collections.abc import Sequence
 
     from packaging.metadata import RawMetadata
     from packaging.utils import NormalizedName
+    from poetry.core.packages.package import PackageFile
     from poetry.core.packages.project_package import ProjectPackage
 
 
@@ -57,7 +57,7 @@ def __init__(
         summary: str | None = None,
         requires_dist: list[str] | None = None,
         requires_python: str | None = None,
-        files: Sequence[Mapping[str, str]] | None = None,
+        files: Sequence[PackageFile] | None = None,
         yanked: str | bool = False,
         cache_version: str | None = None,
     ) -> None:

diff --git a/src/poetry/packages/locker.py b/src/poetry/packages/locker.py
@@ -420,7 +420,10 @@ def _get_locked_package(
             package.files = package_files
         elif "hashes" in metadata:
             hashes = cast("dict[str, Any]", metadata["hashes"])
-            package.files = [{"name": h, "hash": h} for h in hashes[name]]
+            # Strictly speaking, this is not correct,
+            # but we do not know the file names here,
+            # so we just set both file and hash.
+            package.files = [{"file": h, "hash": h} for h in hashes[name]]
         elif source_type in {"git", "directory", "url"}:
             package.files = []
         else:

diff --git a/src/poetry/repositories/http_repository.py b/src/poetry/repositories/http_repository.py
@@ -38,6 +38,7 @@
     from collections.abc import Iterator
 
     from packaging.utils import NormalizedName
+    from poetry.core.packages.package import PackageFile
     from poetry.core.packages.utils.link import Link
 
     from poetry.repositories.link_sources.base import LinkSource
@@ -340,7 +341,7 @@ def _links_to_data(self, links: list[Link], data: PackageInfo) -> dict[str, Any]
                 f' "{data.version}"'
             )
 
-        files: list[dict[str, Any]] = []
+        files: list[PackageFile] = []
         for link in links:
             if link.yanked and not data.yanked:
                 # drop yanked files unless the entire release is yanked
@@ -359,7 +360,23 @@ def _links_to_data(self, links: list[Link], data: PackageInfo) -> dict[str, Any]
             ):
                 file_hash = f"{hash_type}:{link.hashes[hash_type]}"
 
-            files.append({"file": link.filename, "hash": file_hash})
+            if file_hash is None:
+                # Is that even possible?
+                # Before introducing this warning and ignoring the file,
+                # null hashes would have been written to the lockfile,
+                # which should have been failed in the Chooser at latest.
+                self._log(
+                    f"Failed to determine hash of {link.url}. Skipping file.",
+                    level="warning",
+                )
+            else:
+                files.append({"file": link.filename, "hash": file_hash})
+
+        if not files:
+            raise PackageNotFoundError(
+                f'Could not determine a hash for any distribution link of package: "{data.name}" version:'
+                f' "{data.version}"'
+            )
 
         data.files = files
 

diff --git a/tests/installation/test_chooser.py b/tests/installation/test_chooser.py
@@ -15,6 +15,8 @@
 
 
 if TYPE_CHECKING:
+    from poetry.core.packages.package import PackageFile
+
     from poetry.repositories.repository_pool import RepositoryPool
     from tests.conftest import Config
     from tests.types import DistributionHashGetter
@@ -211,7 +213,7 @@ def test_chooser_chooses_distributions_that_match_the_package_hashes(
     chooser = Chooser(pool, env)
 
     package = Package("isort", "4.3.4")
-    files = [
+    files: list[PackageFile] = [
         {
             "file": filename,
             "hash": (f"sha256:{dist_hash_getter(filename).sha256}"),
@@ -246,9 +248,9 @@ def test_chooser_chooses_yanked_if_no_others(
     chooser = Chooser(pool, env)
 
     package = Package("black", "21.11b0")
-    files = [
+    files: list[PackageFile] = [
         {
-            "filename": filename,
+            "file": filename,
             "hash": (f"sha256:{dist_hash_getter(filename).sha256}"),
         }
         for filename in [f"{package.name}-{package.version}-py3-none-any.whl"]
@@ -286,9 +288,9 @@ def test_chooser_does_not_choose_yanked_if_others(
     )
 
     package = Package("futures", "3.2.0")
-    files = [
+    files: list[PackageFile] = [
         {
-            "filename": filename,
+            "file": filename,
             "hash": (f"sha256:{dist_hash_getter(filename).sha256}"),
         }
         for filename in [
@@ -330,12 +332,12 @@ def test_chooser_throws_an_error_if_package_hashes_do_not_match(
     chooser = Chooser(pool, env)
 
     package = Package("isort", "4.3.4")
-    files = [
+    files: list[PackageFile] = [
         {
             "hash": (
                 "sha256:0000000000000000000000000000000000000000000000000000000000000000"
             ),
-            "filename": "isort-4.3.4.tar.gz",
+            "file": "isort-4.3.4.tar.gz",
         }
     ]
     if source_type == "legacy":
@@ -373,7 +375,7 @@ def test_chooser_md5_remote_fallback_to_sha256_inline_calculation(
     )
     package.files = [
         {
-            "filename": filename,
+            "file": filename,
             "hash": (f"sha256:{dist_hash_getter(filename).sha256}"),
         }
         for filename in [f"{package.name}-{package.version}.tar.gz"]

diff --git a/tests/installation/test_executor.py b/tests/installation/test_executor.py
@@ -42,6 +42,7 @@
     from collections.abc import Mapping
     from collections.abc import Sequence
 
+    from poetry.core.packages.package import PackageFile
     from pytest_mock import MockerFixture
 
     from poetry.config.config import Config
@@ -1819,7 +1820,7 @@ def test_other_error(
     ],
 )
 def test_executor_known_hashes(
-    package_files: list[dict[str, str]],
+    package_files: list[PackageFile],
     expected_url_reference: dict[str, Any],
     tmp_venv: VirtualEnv,
     pool: RepositoryPool,