Wrong line updated when package listed twice in python manifest with environment / version markers #3343
Comments
@xlgmokha and I researched this yesterday, and captured a few early observations:
What if the versions are specified in the manifest in a different order?
In the bug report above, the manifest lists the dependencies like so:
With that ordering, Dependabot chose the first django entry in the list and looked for a newer version (hence the PR title, "Bump django from 1.11 to 1.11.29"). But when Dependabot created the diff, it updated the last django entry in the list. We wondered how it would behave if the manifest had listed the dependencies in a different order. So, we created a repository with a manifest like so:
In this situation, Dependabot once again chose the first django entry in the list and looked for a newer version: it created a PR titled "Bump django from 2.2.13 to 3.1.7". And once again, when Dependabot created the diff, it updated the last entry in the list, like so:
django==2.2.13; python_version >= '3.5'
- django==1.11; python_version == '2.7'
+ django==3.1.7; python_version == '2.7'
What are our options?
I think we can agree that the current behavior is wrong, but we suspect that there are various potential improvements that require significantly different amounts of effort:
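Review bot: the hunk rewrites the `python_version == '2.7'` pin (1.11 to 3.1.7) while the PR title says "from 2.2.13", which is the version on the untouched `python_version >= '3.5'` context line, so the title and the diff describe two different entries and the `>= '3.5'` pin is left exactly where it was. The line to rewrite should be selected by package name plus the version named in the title (and the marker attached to it), not by position in the file; as it stands, any second django entry makes the rewrite land on whichever entry comes last.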
We're not starting on any of these right away, but we wanted to capture this here to help kick-start this work when we're ready to pick it up.
Another open source repo demonstrating this was reported by @adamjstewart in:
Some python packages have manifests (requirements.txt, requirements.in, etc.) that specify different versions of a single dependency based on the version of Python being used. For example, we can see this in the manifest for SAP/cf-python-logging-support:
When Dependabot encounters such a manifest, it currently creates a pull request that changes the wrong line in the manifest. In SAP/cf-python-logging-support#51, shown below, we see that the title claims to be upgrading django 1.11 to 1.11.29, but the diff shows that it's actually downgrading django from 2.2.13 to 1.11.29:
Package manager/ecosystem: pip
What you expected to see, versus what you actually saw:
I expect the diff to be this:
But it was actually this:
For a minimal repository that reproduces this issue, please see https://github.com/jasonrudolph/dependabot-vs-repeated-python-deps.
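As an added example (not Dependabot's code and not from the issue or the linked repositories), the following Python script contrasts the two behaviours this thread describes. `naive_bump` reconstructs the reported bug: the "from" version is read off the first entry for the package while the rewrite lands on the last entry. `bump` shows the marker-aware alternative: the edit is keyed on package name, current version and environment marker, and it refuses to guess when more than one line still matches. The manifest contents, the function names and the exact-pin-only parser are assumptions of this example.

```python
"""Marker-aware bump of a package pinned more than once in a requirements.txt.

Added example, not dependabot-core's implementation: it reconstructs the
behaviour described in the thread (version taken from the first matching
entry, edit applied to the last) beside a version that keys on name+marker.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample manifest for this example (not the SAP file): django is
# pinned twice with different environment markers.
SAMPLE_MANIFEST = (
    "flask==1.1.2\n"
    "django==1.11; python_version == '2.7'\n"
    "django==2.2.13; python_version >= '3.5'\n"
)

# name==version, optional "; marker", optional "# comment". Exact pins only;
# other operators (>=, ~=), -r includes and URLs are out of scope here.
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>[^\s;#]+)"
    r"\s*(?:;\s*(?P<marker>[^#]*?))?\s*(?:#.*)?$"
)


class Pin(NamedTuple):
    line_no: int           # 0-based index into the manifest's lines
    name: str              # normalized: lower-case, runs of "-_." collapsed to "-"
    version: str
    marker: Optional[str]  # environment marker text, None when absent


def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(manifest: str) -> List[Pin]:
    pins = []
    for line_no, line in enumerate(manifest.splitlines()):
        m = _PIN_RE.match(line)
        if not m:
            continue  # blank lines, comments, unpinned requirements
        marker = m.group("marker")
        pins.append(Pin(line_no, normalize(m.group("name")),
                        m.group("version"), marker.strip() if marker else None))
    return pins


def _rewrite_version(line: str, old: str, new: str) -> str:
    # Replace only the "==old" token so the marker and any comment survive.
    return re.sub(r"==\s*" + re.escape(old) + r"(?=[\s;#]|$)",
                  "==" + new, line, count=1)


def naive_bump(manifest: str, name: str, new_version: str) -> Tuple[str, str]:
    """Reproduces the reported bug: the 'from' version comes from the first
    entry for the package, but the edit is applied to the last entry's line.
    Returns (claimed_old_version, updated_manifest)."""
    lines = manifest.splitlines(keepends=True)
    matches = [p for p in parse_pins(manifest) if p.name == normalize(name)]
    if not matches:
        raise ValueError(f"{name} is not pinned in this manifest")
    first, last = matches[0], matches[-1]
    lines[last.line_no] = _rewrite_version(lines[last.line_no], last.version, new_version)
    return first.version, "".join(lines)


def bump(manifest: str, name: str, old_version: str, new_version: str,
         marker: Optional[str] = None) -> str:
    """Bump exactly one pin: the entry whose name, version and (if given)
    marker all match. Raises instead of guessing when the match is ambiguous."""
    lines = manifest.splitlines(keepends=True)
    targets = [p for p in parse_pins(manifest)
               if p.name == normalize(name) and p.version == old_version
               and (marker is None or p.marker == marker)]
    if len(targets) != 1:
        raise ValueError(
            f"expected exactly one pin for {name}=={old_version}"
            f"{' with marker ' + marker if marker else ''}, found {len(targets)}")
    target = targets[0]
    lines[target.line_no] = _rewrite_version(lines[target.line_no], old_version, new_version)
    return "".join(lines)


if __name__ == "__main__":
    claimed, wrong = naive_bump(SAMPLE_MANIFEST, "django", "1.11.29")
    print(f"naive: title would say 'from {claimed}', but the diff touches:\n{wrong}")
    print("marker-aware:\n" + bump(SAMPLE_MANIFEST, "django", "1.11", "1.11.29"))
```

Run stand-alone, the script shows the naive path producing the downgrade of the `>= '3.5'` line that the issue reports, and the marker-aware path touching only the `== '2.7'` line. The `marker` argument exists for the remaining ambiguous case (two entries with the same name and version but different markers), where refusing to update is safer than picking one by position.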