2.3.3

🐛 Bug Fixes

• Fixed a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory.
• Resolved an issue where `git` dependencies from annotated tags could not be updated.
• Fixed incorrect detection of an active virtualenv when `VIRTUAL_ENV` or `CONDA_PREFIX` environment variables were empty (e.g., after `conda deactivate`).
• Fixed an issue that printed an incomprehensible error message when `.venv` was a file instead of a directory.
• Fixed corruption of HTTP Basic Authentication credentials during request preparation, which caused authentication failures with long tokens.
• Resolved an issue where `poetry publish --no-interaction --build` incorrectly requested user interaction.
• Fixed an issue in `poetry-core` where `platform_release` could not be parsed on Debian Trixie.
• Fixed metadata corruption when using `project.readme.text` in `pyproject.toml`.
• Fixed dependency group equality checks in `poetry-core` when only resolved dependencies were equal but the groups themselves were not.
• Fixed an issue where removing a dependency from a group that included another group incorrectly added other dependencies to the included group.
• Fixed loss of PEP 735 `include-group` entries when `[tool.poetry.group]` also defined `include-groups` for the same group.
• Fixed incorrect satisfaction logic for the union of `<value> not in <marker>` constraints.
• Fixed an issue where a post release with a local version identifier was wrongly allowed by a `>` version constraint.
• Fixed an issue where a version with the local version identifier `0` was treated as equal to the corresponding public version.
• Fixed an issue where a `!= <version>` constraint wrongly disallowed pre releases and post releases of the specified version.
• Fixed an issue where `in` and `not in` constraints were wrongly disallowed by specific compound constraints.