This repository has been archived by the owner on Aug 4, 2022. It is now read-only.

Dependency issue with glean-parser 📦 #88

Closed
hackebrot opened this issue Oct 16, 2020 · 4 comments
Labels
CircleCI (Tasks related to managing CircleCI), dependencies (Tasks related to managing dependencies), docker (Tasks related to building Docker images)

Comments

@hackebrot
Collaborator

The Docker build step on CircleCI fails after upgrading glean-parser in #84

RUN python -m pip install --no-index --find-links=/tmp/wheels/ burnham
ERROR: Could not find a version that satisfies the requirement glean-parser==1.28.6 (from glean-sdk>=32.3.1->burnham) (from versions: 1.29.0)
ERROR: No matching distribution found for glean-parser==1.28.6 (from glean-sdk>=32.3.1->burnham)

@hackebrot added the dependencies, docker and CircleCI labels on Oct 16, 2020
@hackebrot
Collaborator Author

Dependabot upgraded glean-parser to 1.29.0, but glean-sdk 33.0.4 pins to glean-parser 1.28.6:
https://github.com/mozilla/glean/blob/v33.0.4/glean-core/python/setup.py#L56

When I add pip-compile --allow-unsafe --generate-hashes to the burnham Dockerfile to see what glean-parser it resolves to, I get the correct version.

glean-parser==1.28.6 \
    --hash=sha256:3104ec655ada3a55b6356124cb9fa2bb29829b6f392f61ab17f1dd333905d19e \
    --hash=sha256:af5ccfabd517d742f3f83e99ff41f30dda74d92e49539884464e9e0650d6e94d \
    # via glean-sdk

Does that mean that Dependabot is not checking for compatibility between dependencies? Did we miss a configuration option?

@jklukas
Contributor

jklukas commented Oct 19, 2020

I think Dependabot PRs are always for a single dependency, so there are indeed cases where two deps need to be bumped together and you need to manually intervene. We should have CI tests here that exercise the build such that we'd at least know that a Dependabot PR is broken.

@hackebrot
Collaborator Author

This blog post states that Dependabot checks for compatibility when using pip-tools.
https://dependabot.com/blog/dependabot-now-supports-pip-compile/

We may be missing something in our config? Could it be that because we don't have a requirements.in file and set Dependabot to use the pip workflow, it doesn't check for compatibility?

@hackebrot
Collaborator Author

Closing this issue since we now fail the status checks if Dependabot suggests incompatible dependencies (see #106).
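
One way to catch the mismatch reported in this thread before the Docker build does, as an added example (not code from the thread or the burnham repository): parse a hash-pinned requirements file and flag a locked version that disagrees with an exact pin declared by another locked package. The lock file contents, the placeholder hashes and the `DECLARED_PINS` table are constructed; only the glean-sdk 33.0.4 pin on glean-parser 1.28.6 and the bump to 1.29.0 come from the thread.

```python
import re

# Constructed sample: a hash-pinned lock file after the single-package bump
# described in the thread (hash values are placeholders, not real digests).
LOCKFILE = """\
glean-parser==1.29.0 \\
    --hash=sha256:PLACEHOLDER_A \\
    --hash=sha256:PLACEHOLDER_B
glean-sdk==33.0.4 \\
    --hash=sha256:PLACEHOLDER_C
"""

# Exact pins declared by each locked package. The glean-sdk entry is the pin
# quoted in the thread; a real check would read this from package metadata.
DECLARED_PINS = {"glean-sdk": {"glean-parser": "1.28.6"}}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\;]+)")

def normalize(name):
    """PEP 503 name normalization so Glean_Parser and glean-parser match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_lock(text):
    """Return {name: version} from pip-compile style output."""
    pins = {}
    # Join backslash continuations so each requirement is one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        m = PIN_RE.match(line.strip())
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins

def find_conflicts(pins, declared):
    """List (dependent, dependency, required, locked) where pins disagree."""
    conflicts = []
    for parent, reqs in declared.items():
        if normalize(parent) not in pins:
            continue  # dependent is not in this lock file
        for dep, required in reqs.items():
            locked = pins.get(normalize(dep))
            if locked != required:
                conflicts.append((parent, dep, required, locked))
    return conflicts

if __name__ == "__main__":
    # A CI job would exit non-zero when this loop prints anything.
    for parent, dep, required, locked in find_conflicts(parse_lock(LOCKFILE), DECLARED_PINS):
        print(f"{parent} requires {dep}=={required}, lock file has {locked}")
```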
