Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(manager/pip-compile): Allow security updates for indirect dependencies #26871

Closed
wants to merge 46 commits into from
Closed

feat(manager/pip-compile): Allow security updates for indirect dependencies #26871

wants to merge 46 commits into from

Conversation

not7cd
Copy link
Contributor

@not7cd not7cd commented Jan 26, 2024
edited
Loading

This PR depends on #26858, meanwhile review these commits https://github.com/renovatebot/renovate/pull/26871/files/1ecf6654ac63cb5fdafd54a90e3f3f7c38cd1b57..HEAD

Changes

Every extracted dependency gets assigned lockedVersion from lock file. Warning is raised if there is no lock.
If locked dependency is not present it is added to PackageFileContent as indirect depType.

WIP, pass indirect deps to updateLockedDependency

Context

#24725 (comment)

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

@not7cd
Change fileMatch behaviour to target pip-compile output files
3362e51 
Now package files are infered from command embeded in output file header. This should enable support for additional package managers that use files like setup.py, setup.cfg and those conforming to PEP 621.

Command extraction from header has been moved to common module, as it will be reused in lockedDependencyUpdate and other functions.
@not7cd
Comment
831a7fd
@not7cd
Fix command parsing
26f9873
@not7cd
updateArtifacts now refers to matched lockFiles
b90a58c
@not7cd
Add strict arg to constructPipCompileCmd
a9ed099
@not7cd
Refactor matchManager
3c46844
@not7cd
Refactor extractAllPackageFiles to use extractPackageFile
79d1722
@not7cd
Merge remote-tracking branch 'upstream/main' into not7cd/pip-compile-…
44fbf50 
…fileMatch
@not7cd
fix updateArtifacts, loop over lockFiles
81a8a70
@not7cd
Throw errors in constructPipCompileCmd
51d44b7
@not7cd
Restrict supported command arguments
3e592e9
@not7cd
Refactor extractHeaderCommand
3e2fb11
@not7cd
Refactor option check
c036103
@not7cd
Warn for failed command parsing in extract
8ed2da3
@not7cd
Minor refactor
ee1bb3b
@not7cd
Refactor extractHeaderCommand
9ed1bf6
@not7cd
Dont allow for relative outputfile
59f52db
@not7cd
Dont return default command
0ef5c2e
@not7cd
Update tests with lockFiles in config
b49257b
@not7cd not7cd force-pushed the not7cd/pip-compile-updateIndirect branch from 8fb8706 to 4d48432 Compare January 28, 2024 16:24
@not7cd not7cd force-pushed the not7cd/pip-compile-updateIndirect branch from e8f4b8a to 7588b6e Compare February 1, 2024 15:19
sigma67
sigma67 reviewed Feb 5, 2024
View reviewed changes
lib/modules/manager/pip-compile/readme.md
```json
{
"pip_requirements": {
"enabled": false
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if a repository uses both requirements.in for its main dependencies, and requirements.txt for say, docs/requirements.txt? This needs a better suggestion that allows using both at the same time. Does renovate support filepath exclusion for a manager?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And massive thanks for your efforts to improve the pip-compile manager 🙌

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I plan to create support to support relative paths and other cases. Please see #26858, as this is the main PR, and this is a draft concerned with indirect deps.

@not7cd not7cd closed this Feb 26, 2024
@not7cd not7cd mentioned this pull request Feb 26, 2024
Merged
6 tasks
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sigma67 sigma67 sigma67 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@not7cd @sigma67 @rarkins