Dependabot making Incompatible Dependency upgrades #3041
Comments
Hello, I encountered a similar issue in a private repository. I observed that this problem happens when the requirements are specified in a package's setup.cfg and then compiled into requirements.txt. I have been able to isolate the issue in this repository: https://github.com/titouanc/demo-incompatible-dependabot-upgrades
Thanks for putting that together! I'll put this on our backlog to investigate, but that should help a tonne 🙇
I too am experiencing this issue with a Python repo that uses a I've also had the issue in a repo that uses NPM. The repo depends on @ngrx/effects, @ngrx/entity, @ngrx/router-store, and @ngrx/store. The first three packages all depend on @ngrx/store and their versions must be the same. Dependabot opened a separate PR to update each of the first three packages individually. A corresponding update to @ngrx/store was not included in any of those PRs, nor did Dependabot open a separate PR to update @ngrx/store.
👋 Sorry for the slow reply.
For top-level dependencies, Dependabot currently only bumps one dependency at a time in most cases. I say most because there's a handful of exceptions in the However, it should not be opening a PR to bump a dependency that results in a conflict... Internally Dependabot is calling the native python package manager, in your case @titouanc thanks for the fantastic repro example--I broke it out as a new issue in #6593 so that we don't lose track of it, as I'm not convinced it's related to the first report in this issue. @alancleary I'd recommend you also file a new bug, as tagging onto this as a catch-all when it's really a fairly specific bug report doesn't really make it possible to triage/deal with.
@amogkam it's been two years since your original bug report, and we've shipped a bunch of updates internally, as well as newer versions of Is this still reproducible or should this issue be closed?
I'm going to close as it's too easy for us to lose track of old stale issues otherwise. But if you're still able to reproduce this, please comment and we can re-open. Again, I broke out one of the reported issues in this thread as a new separate issue since I am not convinced it's related to the original issue:
We've recently added Dependabot to our repository (https://github.com/ray-project/ray) and it works great for the most part. We are using pip-tools/pip-compile and have both our manifest and lock file checked in.
However, a problem we've been seeing is that Dependabot is making PRs for upgrades that are incompatible with other dependencies.
For example ray-project/ray#13645, which leads to this error in our CI
I would expect Dependabot to automatically resolve these and upgrade other dependencies all in the same PR to maintain compatibility. Calling pip-compile should automatically do this, I believe. Does Dependabot call this internally?
I'd like to avoid having to manually fix these dependency conflict issues. Thanks!
Package manager/ecosystem
Manifest contents prior to update
Updated dependency
What you expected to see, versus what you actually saw
Images of the diff or a link to the PR, issue or logs
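The failure mode described in this report, a single pin bumped in a pip-compile lock file without the packages that constrain it, can be caught in CI before the PR merges. The following is an added example (not Dependabot's code, not pip-tools' code, and not from this issue): it parses a constructed requirements.txt and checks each pin against the constraints declared by other packages in the lock. Package names, versions and constraints are all constructed, and only plain numeric versions with the six comparison operators are handled; real tooling should rely on the `packaging` library instead.

```python
"""Consistency check for a pip-compile style lock file (added example)."""
import operator
import re

# Comparison operators supported by this simplified checker.
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

SPEC_RE = re.compile(r"([A-Za-z0-9_.-]+)\s*(==|!=|>=|<=|>|<)\s*([0-9.]+)")


def parse_version(text):
    """'1.26.5' -> (1, 26, 5). Assumption: purely numeric versions
    (no pre-release or local segments); '1.26' and '1.26.0' differ."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lock(lock_text):
    """Map lower-cased package name -> pinned version from `name==x.y.z`
    lines, ignoring blank lines and `#` comments as pip-compile emits them."""
    pins = {}
    for line in lock_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = parse_version(version)
    return pins


def find_conflicts(pins, requirements):
    """requirements: {package: ["dep>=1.21", "dep<1.27", ...]} as declared
    in each package's metadata. Returns (package, spec, pinned_version) for
    every constraint the lock violates; a missing pin is reported too."""
    conflicts = []
    for package, specs in requirements.items():
        for spec in specs:
            match = SPEC_RE.fullmatch(spec)
            if match is None:
                raise ValueError(f"unsupported requirement: {spec!r}")
            name, op, wanted = match.groups()
            pinned = pins.get(name.lower())
            if pinned is None or not OPS[op](pinned, parse_version(wanted)):
                conflicts.append((package, spec, pinned))
    return conflicts


# Constructed sample: the lock pins a bumped library while another pinned
# package in the same lock still requires the previous major version.
LOCK = "webclient==2.31.0\nhttpcore==2.0.0\n# via webclient (pip-compile)\n"
DECLARED = {"webclient": ["httpcore>=1.21", "httpcore<1.27"]}

if __name__ == "__main__":
    for pkg, spec, pinned in find_conflicts(parse_lock(LOCK), DECLARED):
        print(f"{pkg} requires {spec}, but the lock pins {pinned}")
```

Running it against the constructed lock reports that `webclient` requires `httpcore<1.27` while the lock pins 2.0.0, which is exactly the kind of PR the report asks Dependabot not to open.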