[Tech Debt] Managing dev dependencies and dependabot
across adapter repos
#188
Labels
type:task
Eng-driven work
dependabot
across adapter repos
#188
Housekeeping
dbt-adapters
Short description
Design and build a process for managing development dependencies that minimizes effort on support.
Context
We get a lot of
dependabot
PRs for development requirements, both for being out of date, or for security vulnerabilities. The latter are generally false positives as the development dependencies should not be shipped. Since mostdependabot
PRs are for development requirements, they tend to get overlooked as unnecessary and become stale.We want to be able to move pins on development dependencies over time, but not run into issues on older branches due to the lack of a pin. Leaving all development dependencies pinned violates one of these, and leaving them all unpinned violates the other scenario.
We run into issues (e.g. on
dbt-redshift
) where there are version conflicts between build dependencies and development dependencies that causes development and CI to either take a long time, or fail for reasons other than true test failures. Ideally our virtual environment looks as close as possible to the production build. Adding more dependencies, especially pinned, may inadvertently pin a requirement in development but leave it open in production.We have scenarios where tools are listed twice with different dependencies because they exist in both
.pre-commit-config.yml
anddev-requirements.txt
.Since this represents a change in operating model, the right time to do this is along with the move to
pyproject.toml
andhatch
. Otherwise we'll shift folks twice in close succession.Acceptance criteria
.pre-commit-config.yml
as possible, specifically including linters and typecheckersdev-requirements.txt
to remaining dev dependencies, test dependencies, and build tool dependencies.pre-commit-config.yml
, tests the update, merges the update if successful, and creates a PR if notPRs
pre-commit
only dbt-snowflake#996pre-commit
only dbt-spark#1026pre-commit
only dbt-redshift#777pre-commit
only (#777) dbt-redshift#797pre-commit
only (#777) dbt-redshift#798Testing
Security
We're effectively replacing
dependabot
with our own version. However, we're only doing so for dev dependencies like linters and testers. It might be worth checking in with security to make sure this doesn't violate some company policy that enforces use ofdependabot
in all scenarios.Docs
The ADR and contributor guide updates should suffice.
Consequences
Pro's:
dependabot
PRsdependabot
PRs gain more attention since they are likely production dependencies nowmain
hatch
's environments approach (separate environments for separate tasks)Con's:
black
is no longer directly runnable)The text was updated successfully, but these errors were encountered: