Unexpected dependabot updates with pip-compile #8381
Labels
Comments
|
I just saw the same issue happen with anyio in Azure-Samples/azure-search-openai-demo#1029 , and it keeps happening in fixedint. So I basically always have to manually run pip-compile myself. It seems like it's not running |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is there an existing issue for this?
Package ecosystem
pip
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
/requirements-dev.txt
/app/backend/requirements.in(txt)
/scripts/requirements.in(txt)
dependabot.yml content
https://raw.githubusercontent.com/Azure-Samples/azure-search-openai-demo/main/.github/dependabot.yaml
Updated dependency
fixedint
What you expected to see, versus what you actually saw
Please see this dependabot PR:
Azure-Samples/azure-search-openai-demo#939
It attempts to update fixedint to 0.2.0, even though the parent package "azure-monitor-opentelemetry-exporter" specifically pins 0.1.6, as you can see here:
https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/monitor/azure-monitor-opentelemetry-exporter/setup.py
When I manually run pip-compile --upgrade locally, it does not attempt to make this change. This seems like a buggy behavior.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
The text was updated successfully, but these errors were encountered: