
fix/outdated deps #391

Closed
wants to merge 2 commits into from

Conversation

baywet
Member

@baywet baywet commented Oct 16, 2024

  • fix: version requirement for httpx
  • fix: dependabot configuration for new project structure

@baywet baywet requested a review from a team as a code owner October 16, 2024 15:25
@baywet baywet self-assigned this Oct 16, 2024
@baywet baywet enabled auto-merge October 16, 2024 15:26

@andrueastman
Member

I believe there's a conflict with #387

Contributor

This pull request has conflicting changes, the author must resolve the conflicts before this pull request can be merged.

auto-merge was automatically disabled October 16, 2024 15:33

Pull request was closed

@baywet
Member Author

baywet commented Oct 16, 2024

@andrueastman yes, I believe we identified the problem at about the same time. We have a bunch of outdated dependencies in the toml files. (not sure whether it's a regression, old repos used the requirements file)

Also, from looking at the dependabot documentation and the toml specification, it's possible our projects are behind (no project section, missing dependencies, using poetry dependencies, etc.). What do you think?

@baywet baywet deleted the fix/outdated-deps branch October 16, 2024 15:35
@andrueastman
Member

Just checking in here. Any chance this is still an issue after the dependabot PRs?
#389

I believe dependabot should be able to handle the poetry deps, as it is listed below.
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems

I believe the discrepancy was caused by incorrectly pulling the version range modifiers from the original projects (using ^ vs >=), but dependabot seems to have fixed that now...
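The `^` vs `>=` point above is easy to misjudge without seeing the two ranges side by side. The following is an added example (not code from this repository or from Poetry/dependabot) that expands a Poetry caret constraint into its PEP 440 equivalent using Poetry's documented caret rule, then lists which releases each form admits. The constraint strings and the release list are constructed for illustration, not taken from any project's `pyproject.toml`.

```python
"""Expand Poetry caret constraints and compare what '^' and '>=' ranges admit.

Added example, not code from the repository under discussion. The release list
and constraints below are constructed for illustration.
"""

from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR[.MINOR[.PATCH]]' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return padded[0], padded[1], padded[2]


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def caret_to_pep440(constraint: str) -> str:
    """Expand Poetry's caret range ('^0.27.0') into PEP 440 form ('>=0.27.0,<0.28.0').

    Poetry's documented rule: the upper bound bumps the left-most non-zero
    component of the written version, or the last written component when every
    written component is zero (so '^0.0' becomes '>=0.0.0,<0.1.0').
    """
    if not constraint.startswith("^"):
        raise ValueError(f"not a caret constraint: {constraint!r}")
    written = [int(p) for p in constraint[1:].split(".")]
    if not 1 <= len(written) <= 3:
        raise ValueError(f"unsupported version: {constraint!r}")
    lower = parse_version(constraint[1:])
    bump = next((i for i, v in enumerate(written) if v != 0), len(written) - 1)
    upper = list(lower)
    upper[bump] += 1
    for i in range(bump + 1, 3):
        upper[i] = 0
    return f">={fmt(lower)},<{fmt((upper[0], upper[1], upper[2]))}"


def satisfies(version: str, spec: str) -> bool:
    """Check a version against a comma-separated spec of >=, <=, ==, >, < clauses."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):  # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        ok = {">=": v >= bound, "<=": v <= bound, "==": v == bound,
              ">": v > bound, "<": v < bound}[op]
        if not ok:
            return False
    return True


def admitted(spec: str, releases: List[str]) -> List[str]:
    """Return the releases (in the given order) that the spec would accept."""
    return [r for r in releases if satisfies(r, spec)]


# Constructed release list; not the real release history of any package.
RELEASES = ["0.26.0", "0.27.0", "0.27.2", "0.28.0", "1.0.0"]

if __name__ == "__main__":
    caret = "^0.27.0"
    pep440 = caret_to_pep440(caret)
    print(f"{caret} -> {pep440}: admits {admitted(pep440, RELEASES)}")
    print(f">=0.27.0 admits {admitted('>=0.27.0', RELEASES)}")
```

The practical difference for dependency review: a caret range caps updates at the next minor (or major) release, so a tool like dependabot can only move the pin within that window until a maintainer widens the constraint, whereas a bare `>=` admits every later release, including future major versions, without any change to the manifest.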

@baywet
Member Author

baywet commented Oct 16, 2024

I wasn't sure why we were not getting any dependabot PRs on the toml. I thought it was because of the file "format" but now that we've received a PR I think here is what happened:

  1. pre grouping, since we had requirements files, dependabot was updating those and the toml fell behind.
  2. after grouping, the directories were wrong, and we removed the requirement files. So we weren't getting dependabot PRs, and the tomls were migrated with "behind dependencies" from their original repos
  3. now that the directories are fixed we're getting dependabot PRs.

If this is your understanding as well, I don't think we need to take further action at this point, at least not for the dependabot aspects. Maybe we'll want to modernize our toml files for other reasons, but nothing pressing as far as I can tell.
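The three steps above turn on the `directory` entries in `dependabot.yml` pointing at where each `pyproject.toml` actually lives after the restructuring. As an added example (not the repository's own configuration), this is the shape of a dependabot configuration for a repository whose Python packages sit in several sub-directories, with all Python updates grouped into one PR; the directory paths are placeholders, not this project's layout.

```yaml
# Added example dependabot.yml, not this repository's own file.
# One "pip" update block covers every listed directory; Poetry-managed
# pyproject.toml files are handled by the "pip" ecosystem.
version: 2
updates:
  - package-ecosystem: "pip"
    directories:
      - "/packages/package-a"   # placeholder: one entry per pyproject.toml
      - "/packages/package-b"   # placeholder
    schedule:
      interval: "weekly"
    groups:
      python-dependencies:
        patterns:
          - "*"
```

If a listed directory contains no manifest, dependabot simply finds nothing to update there and opens no PRs, which is the silent failure mode described in step 2 above; checking that each listed path really holds a `pyproject.toml` (or `requirements.txt`) is the quickest way to confirm the configuration matches the project structure.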
