Ignore updating certain dependency entries, line-based #658
Comments
Thanks for creating this. I've pushed a fix here.
We've avoided implementing this in Dependabot because it doesn't feel right to have comments to Dependabot in your manifest file. If we have to resort to it we will, but for now I think ignoring |
@greysteil thanks for this!
What I like about pyup is that it'd update the pin based on the comment if there was a patch version update still fulfilling the restriction. This way, pins are still set precisely while with
Actually, secure pins is its own issue. It's recommended to use constraints files with hash pinning along with requirements. There's this tool called pip-tools which helps us generate traversed dependency pins. So we can have a list of direct deps in Example:
Dependabot shells out to |
Oh, I didn't know that. I think there are some concerns here: pypa/setuptools#1566 (comment). Also, what if I don't call that file |
It's not perfect but we have a bunch of logic to try and handle it. Mostly here. Picks up all |
Apparently the code vanished and I was not able to find any information regarding |
This change adds a new dependencies list location that is compatible with:
* pip-tools
* dependabot
* pip itself

It allows us to gradually introduce support for locked build envs with pinned versions and hashes following the best practices present in many major projects in the Python ecosystem (like PyPI) while keeping the DX with our main (tox-oriented) dev setup seamless.

Refs:
* https://hynek.me/articles/python-app-deps-2018/#pip-tools--everything-old-is-new-again
* https://github.com/jazzband/pip-tools#output-file
* https://github.com/pypa/warehouse/tree/master/requirements
* https://dependabot.com/blog/dependabot-now-supports-pip-compile/
* dependabot/feedback#658 (comment)
* https://github.com/dependabot/dependabot-core/blob/20557d2/python/lib/dependabot/python/update_checker/pip_compile_version_resolver.rb#L23
In Python, we often have env dependencies for multiple envs listed in requirements files. It often affects test envs and/or building artifacts for different platforms.
Pip supports including dependencies based on certain conditions via env markers. Example:
This allows us to specify a custom version limit for an env that newer dependency versions don't support (Cryptography dropped support for the i686 arch in v2.7, but we still want to update version pins for x86_64).
So it'd be nice to have a way of instructing dependabot to not touch certain lines.
Prior art
In pyup, it's possible to use comments for this purpose and for setting the pin limits. Example:
or
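Added example, not code from this issue, Dependabot or pyup: a stdlib-only Python audit of a requirements file that joins backslash continuations, separates env markers and `--hash` options from each line, and reports per package which lines are platform-conditional, which are not exactly pinned, and which carry no hash. The sample file is constructed to mirror the i686/x86_64 cryptography case above; its digests are placeholders.

```python
import re
# Constructed sample modelled on the thread's case: a cryptography pin held back
# for i686 via an env marker, another for every other arch. Hashes are placeholders.
SAMPLE_REQUIREMENTS = """\
cryptography==2.6.1 ; platform_machine == "i686" \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
cryptography==2.8 ; platform_machine != "i686" \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
requests>=2.20          # floating: any newer release would be accepted
six==1.12.0             # pinned but unhashed: integrity is not verified
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*(?:\[[^\]]*\])?)\s*(.*)$")

def logical_lines(text):
    """Yield requirement lines with comments stripped and '\\' joins applied."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        buf.append(line[:-1] if line.endswith("\\") else line)
        if line.endswith("\\"):
            continue  # continuation: keep accumulating
        joined = " ".join(p.strip() for p in buf).strip()
        buf = []
        if joined:
            yield joined

def parse_requirements(text):
    """Return (name, specifier, marker, hashes) for each logical line."""
    pins = []
    for line in logical_lines(text):
        tokens = line.split()
        hashes = [t[len("--hash="):] for t in tokens if t.startswith("--hash=")]
        req, _, marker = " ".join(t for t in tokens if not t.startswith("--")).partition(";")
        m = _NAME_RE.match(req.strip())
        if m:
            pins.append((m.group(1), m.group(2).strip(), marker.strip() or None, hashes))
    return pins

def audit(text):
    """Map package -> [(marker, problems)]: floating pins, missing hashes, conditional lines."""
    report = {}
    for name, spec, marker, hashes in parse_requirements(text):
        problems = []
        if not (spec.startswith("==") and "*" not in spec):
            problems.append("not pinned with ==")  # floating spec: updates slip in silently
        if not hashes:
            problems.append("no --hash")           # pip cannot verify artifact integrity
        report.setdefault(name, []).append((marker, problems))
    return report
```

Running `audit(SAMPLE_REQUIREMENTS)` shows the two cryptography lines as clean but marker-conditional, which is exactly the pair a reviewer (or an updater bot) needs to treat separately.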