setup.cfg + pip-compile > requirements.txt = Dependabot buggy PRs #6593

Open
jeffwidman opened this issue Feb 4, 2023 · 4 comments
Labels
L:python:pip-compile Python packages via pip-compile T: bug 🐞 Something isn't working

Comments

@jeffwidman
Member

I encountered an issue in a private repository. I observed that this problem happens when the requirements are specified in a package's setup.cfg and then compiled into requirements.txt.

I have been able to isolate the issue in this repository: https://github.com/titouanc/demo-incompatible-dependabot-upgrades

Originally posted by @titouanc in #3041 (comment)

@jeffwidman jeffwidman added T: bug 🐞 Something isn't working L:python:pip-compile Python packages via pip-compile labels Feb 4, 2023
@deivid-rodriguez
Contributor

@titouanc Thanks for the nice report!

One question, do you still use this setup? I tried to reproduce what's being done locally in this toy repo and I got

build.BuildException: Source /path/to/titouanc/demo-incompatible-dependabot-upgrades does not appear to be a Python project: no pyproject.toml or setup.py

Maybe something changed in pip to start rejecting this kind of setup?

@titouanc

titouanc commented Feb 6, 2023

Hello @deivid-rodriguez

I encountered the same error as you. I think more recent Python/pip enforce that there is a setup.py file; so I added one here titouanc/demo-incompatible-dependabot-upgrades@931daa5

Could you please try again?

@deivid-rodriguez
Contributor

Thanks!

Now I'm getting

ERROR: Could not find a version that satisfies the requirement tensorflow==2.6.0 (from demo-incompatible-dependabot-upgrades (setup.cfg)) (from versions: none)

which suggests that the starting point is not resolvable in the first place?

Regardless of that, I'm able to repro the issue. It's like Dependabot is not considering the setup.cfg file at all, right?

@deivid-rodriguez
Contributor

deivid-rodriguez commented Feb 6, 2023

Oh, I think I know the problem. I think we only use "pip-compile" update logic if there are .in files among the updated manifests. We should also autodetect that we need to use pip-compile logic too by looking at the header inside the requirements.txt file.
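
The header-based detection proposed in the last comment, sketched as an added example (not Dependabot's code and not part of the thread): it reads the leading comment block of requirements.txt for the pip-compile autogenerated marker and recovers the input files from the recorded command. The function names, the partial option list and the sample file are assumptions constructed for illustration.

```python
import shlex

# Start of the marker line pip-compile writes at the top of its output.
MARKER = "this file is autogenerated by pip-compile"
# pip-compile options that take a separate value (partial list for this sketch).
VALUE_OPTS = {"-o", "--output-file", "-i", "--index-url", "--extra-index-url",
              "-f", "--find-links", "--extra", "-P", "--upgrade-package"}

# Constructed sample: a pip-compile output generated from setup.cfg.
SAMPLE = """\
#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --output-file=requirements.txt setup.cfg
#
tensorflow==2.6.0
    # via demo-incompatible-dependabot-upgrades (setup.cfg)
"""


def detect_pip_compile(requirements_text):
    """Return {'command', 'sources'} for a pip-compile header, else None."""
    header = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            break  # the first non-comment line ends the header block
        header.append(line.lstrip("#").strip())
    if not any(h.lower().startswith(MARKER) for h in header):
        return None
    command = next((h for h in header if h.startswith("pip-compile")), None)
    sources, skip = [], False
    for arg in shlex.split(command or "")[1:]:
        if skip:
            skip = False            # value of the preceding option
        elif arg in VALUE_OPTS:
            skip = True
        elif not arg.startswith("-"):
            sources.append(arg)     # positional argument = input file
    return {"command": command, "sources": sources}


def needs_pip_compile_logic(manifest_names, requirements_text):
    """True when a .in manifest exists or the header marks the file as compiled."""
    has_in_file = any(name.endswith(".in") for name in manifest_names)
    return has_in_file or detect_pip_compile(requirements_text) is not None
```

With only `setup.cfg` and `requirements.txt` in the repository, the `.in` check alone returns false, while the header check identifies the file as compiled output whose pins must be regenerated from `setup.cfg` rather than edited line by line.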

Projects
Status: Scoping