Unnecessary merge conflicts because pyproject.toml is modified #4435
Linking @sobolevn's comment about this problem on another Poetry-related issue: #1556 (comment)
While I agree that Poetry could be better at avoiding merge conflicts, the issue here is that Dependabot triggers the conflicts even when there is no need for it, because the version constraints don't need to be changed.
It should be noted that the examples in the issue description (cookiecutter, reorder-python-imports) are development dependencies. The case is different for core dependencies. AFAIU Dependabot attempts to preserve constraints for core dependencies, so merge conflicts would only happen with those on major version bumps, when the constraint is widened. Also worth noting that the problem does not exist with indirect dependencies, because by definition those have no version constraints in pyproject.toml.
@cjolowicz not sure if I understand entirely, but it seems like you might want to configure dependabot to only update the lockfile, or use the
Hi @jurre,
The drawback of The
Yeah, that's fair.
Ah apologies, you're right. I think for Poetry it could be supported but we'll need to make some changes to dependabot-core for it to work. I think Dependabot is behaving as expected here, but we should add support for
Totally understand, and appreciate the quick response. 👍 FWIW this feature should translate into a considerable cut in GA's electricity bill. Maybe that helps with getting this scheduled 😉 To reiterate: The default settings for Poetry projects result in cascading rebases of Dependabot PRs, triggering 1+2+...+n CI runs for n dependency updates.
Support for Thanks for your patience!
Dependabot updates version constraints in Poetry projects even when they already cover the new version (see example below).

This behavior causes merge conflicts with every other Dependabot PR updating the `pyproject.toml` file. The merge conflicts happen because Poetry computes a hash over the version constraints in pyproject.toml (and some other things), and embeds the resulting hash in its lockfile (`metadata.content-hash` in the `poetry.lock` file). This means that changes to version constraints always conflict with each other.

This update strategy results in considerable developer churn and energy consumption, as Dependabot PRs are rebased many times before merging, triggering CI runs. For example, given a batch of 5 Dependabot PRs, CI will be triggered up to 15 times (1+2+3+4+5).
Package ecosystem
Package manager version
Language version
Manifest location and content prior to update
dependabot.yml content
Updated dependency
What you expected to see, versus what you actually saw
`^1.7.2` to `^1.7.3`
Native package manager behavior
Diff after running `poetry update cookiecutter` on the base revision:
Images of the diff or a link to the PR, issue or logs
Log for updating cookiecutter: not available
Log for reorder-python-imports (excerpt):
Full log for Dependabot update
🕹 Bonus points: Smallest manifest that reproduces the issue