Updated all dependencies to the newest version. #1796
Conversation
|
@rbren I suggest we stop doing upgrade manually and only let Dependabot do it: https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide |
@rbren Why? Does it conflict with other dependencies or something? Also, why tf is it stuck on a 0.1.0 release candidate anyway, when 0.2.2 is already out. Also, the PR says that you requested some changes, did you mean I need to revert the changes in pyproject.toml? Or another PR needs to be merged to introduce a fix for new browsergym versions? |
I also suggest we shouldn't do it manually. Introduce dependabot is necessary. |
|
@temotskipa it wouldn't be super hard for an attacker to inject a vulnerable dependency into the lockfile, since that's not really getting reviewed. Dependency updates are a little scary from a security perspective 😅 That said, I do think pinning the versions here is the right thing to do, and not something dbot will solve. If you rebase your PR to fix the conflicts, I'll verify that the lockfile is safe by generating locally, and we can get this merged. |
|
Please re-review and tell me clearly about any conflicts. Also would appreciate the max versions of any dependencies I can update the project to because of code-breaking changes, if any. Also looks like Dependabot is already set up, so this is probably my last PR on this topic. |
…lnurabilities as fast as possible
|
@rbren given that dbot is enabled, maybe this can be closed? |
|
I will be closing this since it died. I do however have another commit unrelated to this PR to pull request. I'll be opening that shortly. |
Please note that I changed some values in pyproject.toml to do this. Warning: do not merge if this borks OpenDevin. Run a basic test to ensure it works correctly with the new dependencies.