
depedabot is not updating werkzeug #128

Closed
hairmare opened this issue Feb 8, 2022 · 4 comments

Comments

@hairmare
Member

hairmare commented Feb 8, 2022

There are the following entries in dependabot's logs

updater | INFO <job_277638052> Checking if werkzeug 2.0.1 needs updating
  proxy | 2022/02/08 19:18:42 [066] GET https://pypi.org:443/simple/werkzeug/
  proxy | 2022/02/08 19:18:42 [066] 200 https://pypi.org:443/simple/werkzeug/
updater | INFO <job_277638052> Latest version is 2.0.3
  proxy | 2022/02/08 19:18:42 [068] GET https://pypi.org:443/simple/werkzeug/
  proxy | 2022/02/08 19:18:42 [068] 200 https://pypi.org:443/simple/werkzeug/
updater | INFO <job_277638052> Requirements to unlock update_not_possible
updater | INFO <job_277638052> Requirements update strategy bump_versions
updater | INFO <job_277638052> No update possible for werkzeug 2.0.1

I'm failing to understand why it doesn't feel like opening a PR for 2.0.3.

One possible reason could be the versioning-strategy in the config; since it was introduced in 0866776, dependabot hasn't created a single PR.

  # Maintain dependencies for pip
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    versioning-strategy: lockfile-only

cat-page seems to have picked up the werkzeug bump and it uses the default auto versioning-strategy via the following config:

  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: "daily"

The docs have this to say on the version strategy thing:

When Dependabot edits a manifest file to update a version, it uses the following overall strategies:

  • For apps, the version requirements are increased, for example: npm, pip and Composer.
  • For libraries, the range of versions is widened, for example: Bundler and Cargo.

Use the versioning-strategy option to change this behavior for supported package managers.

| Option        | Supported by                               | Action |
|---------------|--------------------------------------------|--------|
| lockfile-only | bundler, cargo, composer, mix, npm, pip    | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. |
| auto          | bundler, cargo, composer, mix, npm, pip    | Follow the default strategy described above. |

In a Python setuptools context, I'm not sure what lockfile-only wants to achieve. With npm or composer there is clearly a *.lock file that lockfile-only can work on. I'm not sure what I'm missing, but I don't think we have a lockfile.

I'm gonna read some more docs, but I guess my proposal would be to switch to auto so we get updates like the werkzeug one that made me realise that dependabot isn't pulling its weight.
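An added example of the check behind the comment above (not code from this repository and not Dependabot's own detection logic): it lints an already-parsed dependabot.yml and flags pip entries that use `versioning-strategy: lockfile-only` in a directory with no pip lockfile, since there every update would need a manifest change and the log ends in `update_not_possible`. The config dicts, the temporary repo layouts, and the list of file names treated as pip lockfiles (Pipfile.lock, poetry.lock, or a requirements.txt beside a requirements.in) are assumptions made for the example.

```python
"""Lint a parsed dependabot.yml for a pip entry that can never produce a PR.

Added example; not code from this repository or from Dependabot.
Assumptions: the dependabot.yml has already been parsed into a dict (so no
PyYAML dependency) and the file names in PIP_LOCKFILES / the pip-compile
pairing below are what count as a pip lockfile. That is a heuristic, not
Dependabot's own detection.
"""
import os
import tempfile

# Heuristic (assumption): files that make a pip directory "lockfile-only"-capable.
PIP_LOCKFILES = ("Pipfile.lock", "poetry.lock")


def pip_lockfile_in(directory):
    """Return the name of a pip lockfile found in `directory`, or None.

    A requirements.txt only counts when a requirements.in sits beside it
    (pip-compile output); a hand-written requirements.txt is a manifest.
    """
    for name in PIP_LOCKFILES:
        if os.path.isfile(os.path.join(directory, name)):
            return name
    has_txt = os.path.isfile(os.path.join(directory, "requirements.txt"))
    has_in = os.path.isfile(os.path.join(directory, "requirements.in"))
    if has_txt and has_in:
        return "requirements.txt"
    return None


def lint_dependabot(config, repo_root):
    """Return findings for pip entries whose strategy can never unlock an update.

    `config` is the parsed dependabot.yml (a dict with an "updates" list).
    A pip entry set to lockfile-only in a directory without a lockfile is
    flagged: every update would need a manifest change, which that strategy
    ignores, so Dependabot reports update_not_possible and opens no PR.
    """
    findings = []
    for entry in config.get("updates", []):
        if entry.get("package-ecosystem") != "pip":
            continue
        strategy = entry.get("versioning-strategy", "auto")
        rel = entry.get("directory", "/")
        directory = os.path.join(repo_root, rel.lstrip("/"))
        if strategy == "lockfile-only" and pip_lockfile_in(directory) is None:
            findings.append(
                f"{rel}: versioning-strategy is lockfile-only but no pip "
                "lockfile was found; Dependabot cannot open any PR here. "
                "Drop the line (auto) or add a lockfile."
            )
    return findings


def demo():
    """Lint constructed configs against constructed repo layouts.

    Returns the finding counts for (broken, fixed, pip-compile) setups.
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout mirroring the issue: setup.cfg only, no lockfile.
        open(os.path.join(root, "setup.cfg"), "w").close()
        broken = {"updates": [{"package-ecosystem": "pip", "directory": "/",
                               "schedule": {"interval": "daily"},
                               "versioning-strategy": "lockfile-only"}]}
        fixed = {"updates": [{"package-ecosystem": "pip", "directory": "/",
                              "schedule": {"interval": "daily"}}]}
        broken_findings = lint_dependabot(broken, root)
        fixed_findings = lint_dependabot(fixed, root)

        # Same strategy in a pip-compile layout, where lockfile-only is legitimate.
        sub = os.path.join(root, "svc")
        os.mkdir(sub)
        open(os.path.join(sub, "requirements.in"), "w").close()
        open(os.path.join(sub, "requirements.txt"), "w").close()
        compiled = {"updates": [{"package-ecosystem": "pip", "directory": "/svc",
                                 "versioning-strategy": "lockfile-only"}]}
        compiled_findings = lint_dependabot(compiled, root)
    return len(broken_findings), len(fixed_findings), len(compiled_findings)


if __name__ == "__main__":
    for line in lint_dependabot(
        {"updates": [{"package-ecosystem": "pip", "directory": "/",
                      "versioning-strategy": "lockfile-only"}]}, os.getcwd()):
        print(line)
    print(demo())
```

Run it from a checkout to lint the current directory, or call `demo()` to see the three cases side by side: the issue's setup (one finding), the same entry with the strategy line dropped (none), and a pip-compile directory where lockfile-only is the right choice (none).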

@hairmare
Member Author

hairmare commented Feb 8, 2022

Could the lock docs be talking about this unfinished thing? IMO it's rather unclear, and I will probably go yell at some 🐍 devs, given that the situation wrt files like requirements.txt, setup.py, setup.cfg, and pyproject.toml is about as much fun as the well-documented 2 to 3 migration.

@smlz
Member

smlz commented Feb 24, 2022

I removed the versioning-strategy line for now. Let's see if anything changes.

@smlz
Member

smlz commented Feb 24, 2022

Seems to work now. See #131.

@smlz
Member

smlz commented Feb 24, 2022

Closing this for now

@smlz smlz closed this as completed Feb 24, 2022