Review Dependabot security alerts

[inglesp]

No description provided.

[inglesp]

See here: https://github.com/opensafely-core/databuilder/security/dependabot

[evansd]

This is confusing me because I would have expected all dependencies to be kept up to date by dependabot. It's certainly updating some things but clearly not everything.

Is it something to do with this?
https://github.com/opensafely-core/databuilder/blob/08b3895f79d155075d2c295f5d64619da14003ad/requirements.prod.in#L1

More research is needed ...

[rebkwok]

It looks like github is picking up the security updates from requirements.dev.txt and requirements.prod.txt, but dependabot uses pyproject.toml to look for version updates
https://github.com/opensafely-core/databuilder/network/dependencies

According to this page the default is to check explicitly defined dependencies for updates; possibly if we included

    allow:
      # Allow both direct and indirect updates for all packages
      - dependency-type: "all"

in the dependabot.yml, it would pick up indirect dependencies (e.g. the numpy is a dependency of pandas, not explicilty stated in the pyproject.toml).

[rebkwok]

Although, looking at the list of PRs that dependabot has created, I think it may in fact only be looking at the dev ones. Pandas was at v1.3.4 and the latest is 1.4.3 (which also pulls in the numpy version that the security update wants)

I thought I found issues that implied that dependabot did deal with pyproject.toml now, but maybe it only supports poetry dependencies?
This issue is still open and has references to updating the pyproject.toml parsing.
dependabot/dependabot-core#3290 (comment)