Using poetry from master/develop branches or any recent alpha/beta release,
you can't add the requests package with the security extra.
The requests package requires the idna twice
(as a main dependency and as an optional one) and this case wasn't handled
properly in Locker._dump_package function.
These changes make the _dump_package ensures that
all elements of the constraints list have the same type
in order to make them renderable as TOML.