
Support PDM: https://github.com/frostming/pdm #3190

Open
pawamoy opened this issue Feb 24, 2021 · 11 comments
Labels
Keep Exempt this from being marked by stalebot L: python:poetry Python packages via poetry python Dependabot pull requests that update Python code T: feature-request Requests for new features T: new-ecosystem Requests for new ecosystems/languages

Comments

@pawamoy

pawamoy commented Feb 24, 2021

I'd like to get Dependabot support for Python projects managed by PDM.

PDM is very similar in usage to Poetry, and also uses pyproject.toml, so it could be in conflict with the Poetry file updater 😕
It also has its own pdm.lock file.

Just opening for visibility, to see if others are interested 🙂

@pawamoy pawamoy added the T: feature-request Requests for new features label Feb 24, 2021
@asciimike asciimike added L: python:poetry Python packages via poetry python Dependabot pull requests that update Python code T: new-ecosystem Requests for new ecosystems/languages labels Mar 2, 2021
@pawamoy
Author

pawamoy commented May 13, 2021

Coming back to this: PDM now supports PEP621+PEP631, which describe the standard way of declaring project metadata including dependencies and optional dependencies in pyproject.toml. More tools will follow (Flit just published experimental support), so it might be even more relevant to support PDM/PEP621 in dependabot 🙂

Note however that PDM extends PEP621 with a [tool.pdm.dev-dependencies] section.

@pawamoy
Author

pawamoy commented Dec 31, 2021

Has any dependabot maintainer had the chance to see this? The Python ecosystem is standardizing on PEP 621 (Storing project metadata in pyproject.toml), PEP 631 (Dependency specification in pyproject.toml based on PEP 508) and (hopefully soon) PEP 665 (A file format to list Python dependencies for reproducibility of an application).

Several projects would already benefit from dependabot support for at least PEP 631: flit, pdm, trampolim, etc.

@pawamoy
Author

pawamoy commented Dec 31, 2021

Just saw #3290. This issue could be closed in its favor. Please upvote #3290 🙂

@jeffwidman
Member

Closing in favor of #3290 per the request ☝️ . It just so happens that #3290 has been fixed already, so this issue I assume has also been fixed 🎉

@deivid-rodriguez
Contributor

Actually, even if PDM does implement PEP621, it also has a lock file, so it introduced further complexities in that first version of PEP621 and we decided to exclude it explicitly. So let me reopen this since PDM is not yet fully supported unfortunately.

@baggiponte

Hello, I was curious to know what kind of help you might need with this one. I never coded in Ruby, but I'd be glad to help. How did you manage to make it work for poetry? What are the missing pieces for pdm?

@commonism

pdm allows using

[tool.pdm.dev-dependencies]
tests = [
…
]

to specify dependencies which are required for development only - these dependencies are not listed as runtime dependencies.

The dependencies may introduce requirements on regular dependencies, restricting versions.
Dependabot does not honor these version restrictions introduced by development dependencies.

@hcoohb

hcoohb commented Apr 25, 2024

Dependabot seems to still be ignoring pdm-managed projects for version-control PRs...
It does detect packages with vulnerabilities but fails to create a PR.

It would be amazing to have pdm fully supported. Are there any updates on the blockers?
Thanks

@jonjanego jonjanego added the Keep Exempt this from being marked by stalebot label May 2, 2024
@rooterkyberian

Support of pdm.lock seems crucial to make Dependabot security scans & auto-updates viable for projects using pdm.lock, since even if pyproject.toml dependencies are understood, the version specifiers there are most often open-ended, so it thinks everything is up to date, while the "pdm.lock" contains some old versions and that is what is run in prod and needs to be watched.

A simple workaround to at least get proper alerts would be to export pdm.lock to locked-requirements.txt and scan that. Such a process can be error-prone, as it either requires manual action by a dev every time pdm.lock is updated, or some GHA that commits into the repo master on its own, which is scary. It also would not benefit from automatic Dependabot PRs.

@DavidArmendariz

Any updates? PDM is important...

@HoangNguyen689

Is there any update here?
