# github-notifications
#14020 Lockfile support generates an incorrect lockfile for any direct reference requirement.
Issue created by jsirois

Pants, via `pkg_resources.Requirement`, handles direct reference requirements as described here: https://www.python.org/dev/peps/pep-0440/#direct-references

These requirements parse with no version, as demonstrated here:
```
$ pex setuptools -- -c 'from pkg_resources import Requirement; req = Requirement.parse("darglint @ git+https://github.com/thejcannon/darglint@XYZ"); print(f"req: {req} spec: {req.specifier}")'
req: darglint@ git+https://github.com/thejcannon/darglint@XYZ spec:
```
This is problematic with our current lock file implementation using Poetry since:

- pants/src/python/pants/backend/python/subsystems/poetry.py Line 97 in [315dd5c](https://github.com/pantsbuild/pants/commit/315dd5c37a3e3394dee363e232d3c516583d4ead)
- pants/src/python/pants/backend/python/subsystems/poetry.py Line 107 in [315dd5c](https://github.com/pantsbuild/pants/commit/315dd5c37a3e3394dee363e232d3c516583d4ead)
- pants/src/python/pants/backend/python/subsystems/poetry.py Lines 68 to 76 in [315dd5c](https://github.com/pantsbuild/pants/commit/315dd5c37a3e3394dee363e232d3c516583d4ead)

That generates a `pyproject.toml` with an incorrect dependency entry for every direct reference requirement we are trying to lock using `poetry lock` on the `pyproject.toml`. Instead of getting a lock on the direct reference requirement you specify and instead of failing to indicate we can't generate a proper lock for these, we silently generate a lock against the latest publicly available version of the project on PyPI (since we say `version = "*"`).

pantsbuild/pants
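
The failure mode described in the issue, next to a guard that fails loudly, as an added example (this is not Pants code and not part of the issue). The function names, the `DirectReferenceError` class and the simplified regex split of PEP 508 strings are assumptions made for illustration.

```python
import re

# Simplified PEP 508 split (assumption: enough for this demo, not a full parser):
# name, optional [extras], then "@ <url>" or a version specifier, then a marker.
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(?:@\s*(?P<url>\S+)|(?P<spec>(?:[<>=!~][^;]*)?))\s*(?:;.*)?$"
)


class DirectReferenceError(ValueError):
    """Raised when a requirement cannot be expressed as a version constraint."""


def parse(req):
    """Return (name, url or None, specifier string) for one requirement."""
    m = _REQ.match(req)
    if m is None:
        raise ValueError(f"unparseable requirement: {req!r}")
    return m["name"], m["url"], (m["spec"] or "").strip()


def naive_entries(reqs):
    """Behaviour the issue describes: an empty specifier silently becomes "*"."""
    return {name: {"version": spec or "*"} for name, _url, spec in map(parse, reqs)}


def strict_entries(reqs):
    """Same mapping, but refuse to lock anything that carries a direct reference."""
    entries, direct = {}, []
    for name, url, spec in map(parse, reqs):
        if url is not None:
            direct.append(f"{name} @ {url}")
        else:
            entries[name] = {"version": spec or "*"}
    if direct:
        raise DirectReferenceError(
            'refusing to lock direct references as version = "*": ' + ", ".join(direct)
        )
    return entries


# Constructed sample input; the first entry is the requirement from the issue.
SAMPLE = ["darglint @ git+https://github.com/thejcannon/darglint@XYZ", "requests>=2.0,<3"]

if __name__ == "__main__":
    print(naive_entries(SAMPLE))
```

With the sample input, `naive_entries` maps the git-pinned `darglint` to `version = "*"`, which is the silent substitution of a PyPI release for the reviewed source; `strict_entries` raises and names the offending requirement.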