Is there an existing issue for this?
Package ecosystem
Poetry
Package manager version
Poetry < 2.2.1
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
If pyproject.toml specifies an exact Poetry version to use with requires-poetry and this is not the version Dependabot uses, there is an error.
For example, using the MWE below for CVE-2026-4539, I get:
Note that the error message is misleading:
- the exact version specified in my pyproject.toml is 2.1.1
- I think the Dependabot version is 2.2.1
I would expect Dependabot to install the relevant Poetry version as specified in the pyproject.toml file, otherwise Dependabot PRs will not be raised, and the failure is not raised to users (especially for new vulnerabilities).
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Truncated logs:
Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+----------------------------------------------------------------+
| Errors |
+----------------------------+-----------------------------------+
| Type | Details |
+----------------------------+-----------------------------------+
| tool_version_not_supported | { |
| | "tool-name": "poetry", |
| | "detected-version": "2.2.1", |
| | "supported-versions": "= 2.1.1" |
| | } |
+----------------------------+-----------------------------------+
Possibly relevant PR: #14684
Smallest manifest that reproduces the issue
[project]
name = "dependabot-poetry-test"
version = "0.1.0"
description = "An example with a low severity vulnerability: CVE-2026-4539"
authors = [
{name = "octocat",email = "octocat@users.noreply.github.com"}
]
license = {text = "MIT"}
readme = "README.md"
requires-python = ">=3.14"
dependencies = [
"pygments (<2.20.0)"
]
[tool.poetry]
requires-poetry = "==2.1.1"
[build-system]
requires = ["poetry-core>=2.0.0,<3.0.0"]
build-backend = "poetry.core.masonry.api"