Support for multiple package managers

[tomy0000000]

I have a repo which mainly describe dependencies using poetry.lock, but also maintain a requirements.txt to build production docker image. However, dependabot only bumps version in poetry.lock, not the requirements.txt.

I wonder if there's a config field to make it update both of them?

[jurre]

I don't think there's currently a way to do this if they're in the same folder.

I'm curious why you're not using the same package manager in this case?

[tomy0000000]

I'm using poetry for my daily development, keeping an additional requirements.txt in source control allows me to not installing poetry in both CI tasks and Dockerfile environment.

I'm curious how others handle this issue typically, as I can't figure out what's the benefit of installing poetry in those environment.

[jurre]

I'm not a Poetry expert, but I believe you can install/add dependencies with the --dev-dependency flag, and then run on CI / Docker with poetry install --no-dev. This seems to be the canonical way to handle this?

[tomy0000000]

Maybe I didn't state the problem clearly, but I'll try.

The issue of not keeping the requirements.txt is that, if I were to use pypyproject.toml and poetry.lockto store dependencies, pip can't read those file. Therefore, I have to somehow install poetry inside CI and docker environment.

Then I came across to this stackoverflow thread, which gave a complicated solution on maintaining such thing.

In the end, why wouldn't I just use requirements.txt with pip?

[jurre]

I don't have any opinions on which package manager to use, Dependabot currently just can't handle multiple ones for the same ecosystem as it's not a common approach.

[tomy0000000]

Sorry for pulling off the topic, but I do hope support for multiple package managers is a legit use case.
Though I'm not sure if it's possible, but an easy implementation would probably be having multiple dependabots running independently for each designated package manager?

[jurre]

The tricky part here is that we currently don't distinguish between poetry and pip at the config level, there's a hard assumption in Dependabot that if you use Python, it's one of those (per folder) and we use runtime detection to figure out which one.

Currently changing either of those assumptions would be a massive undertaking in Dependabot, and is not something we'll be able to prioritize anytime soon.

I can offer some workarounds, like having a separate folder for dev dependencies, building everything with pip (using a requirements.txt and a dev-requirements.txt is a pattern I've seen that should work with Dependabot), but I don't think that we can easily make Dependabot work for multiple Python package managers in the same folder.

[tomy0000000]

@jurre Thanks for the concrete feedback, will take into account.