-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Taking the latest of all. #120
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## main #120 +/- ##
==========================================
- Coverage 88.37% 87.98% -0.39%
==========================================
Files 25 24 -1
Lines 1798 1773 -25
Branches 333 333
==========================================
- Hits 1589 1560 -29
- Misses 149 152 +3
- Partials 60 61 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Thoughts on nuking the specific versions? We have a long list of auto-generated PR's, and this PR seems to bring us back up to snuff. I had to ignore a single vulnerability listed in Jinja2: https://data.safetycli.com/v/70612/97c/ It's a bit odd, as it's listed for every version of the package (
So I'm assuming it's just a bug with the bug database? If we don't want |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
Not even any discussion? ;) Feels like a pretty drastic move to just accept the latest version, but as long as we keep checking in, it should be alright. |
LGTM too. In the end, However, there might be issues with the software's behavior in the local development environment and the environments of GitHub Actions CI. It often happened to me in other projects that CI jobs broke in weird and subtle ways due to a recent release of a random (sub-)dependency in the dependency tree of the local dev env, which nevertheless was compatible with the version requirements in the On the upside, this incentivizes a more frequent refresh of the local dev environment in case of inconsistencies between local environments among developers/contributors and CI environments. Questions:
|
Both excellent questions/points! I've got a few min before my next meeting, so will take a crack. How would you advise I test the tox.ini changes locally? (don't think the CI/CD would run through it, but could be wrong...) |
The current GH workflow already runs the checks using Locally, you can run |
Chasing down issues with lazy fixtures...almost there... |
Sorry about that! I aimed to ease the process instead of blocking it since everything worked out. Here's my take on the topic: when working with With that in mind, I'd suggest simplifying package versioning using alternative dependency management systems or a simple |
Ok, mistune had a major revision change, and had to make modifications like this and this. Also, pytest-lazy-fixture went defunct, and was picked up by another initiative:
Can confirm that a fresh Update: Just read @francescofuggitti's response. A more unified might work, ya. For now, I'm ok with dependency hunting to keep us up-to-date with the testing side. The important part is deployment, and we're locked into only two dependencies there. If we ever want to scale back and lock in versions, we can just look to the Pipfile.lock for what's currently working :P |
Proposed changes
Testing out what would happen if we just take the latest of every package in the dev requirements.