The increase strategy should move ranges forward, not widen them #6631

Closed
1 task done
deivid-rodriguez opened this issue Feb 9, 2023 · 16 comments
Labels
Batch How We Work: Feature. Outcome achieved within 1 iteration. Can live under an epic, or stand alone. good first issue L: python:pip Python packages via pip L:python:pip-compile Python packages via pip-compile L: python:pipenv Python packages via pipenv L: python:poetry Python packages via poetry T: bug 🐞 Something isn't working

Comments

@deivid-rodriguez
Contributor

deivid-rodriguez commented Feb 9, 2023

This was first noticed at #6625 (comment).

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

Python (but not sure if it's specific to it, could be the same in other ecosystems)

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

pyproject.toml

[build-system]
requires = ["setuptools"]
build-backend = "setuptools.build_meta"

[project]
name = "lorem"
version = "2.5.0"
requires-python = ">=3.9,<4.0"
description = "Generator for random text that looks like Latin."
dependencies = [
	"more-itertools>=8,<9",
]

requirements.txt

more-itertools==8.14.0

dependabot.yml content

version: 2
updates:
- package-ecosystem: pip
  directory: "/"
  schedule:
    interval: daily
  open-pull-requests-limit: 10
  allow:
    # Allow both direct and indirect updates for all packages
    - dependency-type: "all"
  versioning-strategy: increase

Updated dependency

more-itertools from 8.14.0 to 9.0.0

What you expected to see, versus what you actually saw

I saw

diff --git a/pyproject.toml b/pyproject.toml
index 788d44b..49a07c9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,5 +8,5 @@ version = "2.5.0"
 requires-python = ">=3.9,<4.0"
 description = "Generator for random text that looks like Latin."
 dependencies = [
-	"more-itertools>=8,<9",
+	"more-itertools>=8,<10",
 ]
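Review bot: the added line keeps the lower bound at >=8 while moving the upper bound to <10, so the range now spans both the 8.x and 9.x series instead of following the update to 9.0.0. With versioning-strategy: increase the lower bound should move as well, giving "more-itertools>=9,<10"; as written, a resolver is still free to pick any 8.x release.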

I would've expected

diff --git a/pyproject.toml b/pyproject.toml
index 788d44b..49a07c9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,5 +8,5 @@ version = "2.5.0"
 requires-python = ">=3.9,<4.0"
 description = "Generator for random text that looks like Latin."
 dependencies = [
-	"more-itertools>=8,<9",
+	"more-itertools>=9,<10",
 ]
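Review bot: the added line raises the lower bound to >=9, which removes every 8.x release from the allowed range, while the hunk context still shows version = "2.5.0". Because this narrows what can be installed alongside lorem, the generated update should state the dropped series explicitly in its description so reviewers do not read it as a pure upper-bound bump.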

because the current behavior is widening, not increasing?

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

sanderr/inmanta-module-factory#7

Smallest manifest that reproduces the issue

No response
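
The difference between the two diffs in the report above, as an added example (not Dependabot's code and not part of the original post): a small Python model of the widen and increase behaviours for the `name>=LOWER,<UPPER` form, showing that the widened range still admits 8.14.0 while the increased one does not. The function names and the rule used for the new upper bound are assumptions chosen to reproduce the two diffs.

```python
import re

# Only the "name>=LOWER,<UPPER" form from the issue is handled (assumption).
REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*>=\s*([\d.]+)\s*,\s*<\s*([\d.]+)\s*$")


def key(version, width=4):
    """Zero-padded tuple so that 9 and 9.0.0 compare equal (up to 4 segments)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse(requirement):
    match = REQ.match(requirement)
    if not match:
        raise ValueError(f"unsupported requirement: {requirement!r}")
    return match.groups()  # (name, lower, upper)


def admits(requirement, version):
    """True if `version` lies in the half-open range [lower, upper)."""
    _, lower, upper = parse(requirement)
    return key(lower) <= key(version) < key(upper)


def bump(requirement, new_version, strategy):
    """Rewrite the range so that it admits `new_version`."""
    name, lower, upper = parse(requirement)
    if key(new_version) < key(upper):
        return requirement  # not past the upper bound: nothing to do
    new_parts = new_version.split(".")
    # New upper bound: same precision as the old one, one past the new version.
    head = new_parts[: len(upper.split("."))]
    head[-1] = str(int(head[-1]) + 1)
    if strategy == "widen":
        new_lower = lower  # the old series stays installable
    elif strategy == "increase":
        new_lower = ".".join(new_parts[: len(lower.split("."))])
    else:
        raise ValueError(f"unknown strategy: {strategy!r}")
    return f"{name}>={new_lower},<{'.'.join(head)}"


if __name__ == "__main__":
    before = "more-itertools>=8,<9"  # dependency line from the issue
    for strategy in ("widen", "increase"):
        after = bump(before, "9.0.0", strategy)
        print(strategy, after, "admits 8.14.0:", admits(after, "8.14.0"))
```
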

@deivid-rodriguez deivid-rodriguez added T: bug 🐞 Something isn't working L: python:pip Python packages via pip L: python:poetry Python packages via poetry L: python:pipenv Python packages via pipenv L:python:pip-compile Python packages via pip-compile labels Feb 9, 2023
@sanderr

sanderr commented Feb 9, 2023

Minor comment: in the manifest before the update I think you've got a typo / copy-paste error: <10 should be <9.

@deivid-rodriguez
Contributor Author

Thank you, fixed!

@sanderr

sanderr commented Feb 16, 2023

I think it might actually be a duplicate of #6519

@sanderr

sanderr commented Feb 16, 2023

> I think it might actually be a duplicate of #6519

Actually, this one may be a bit broader than the other one. Same root cause but slightly different symptoms.

@deivid-rodriguez
Contributor Author

Yeah, agreed, I'm going to unify both!

@yanone

yanone commented Feb 21, 2024

@deivid-rodriguez @abdulapopoola Hi. Is anything planned for this issue? We're suffering from this bug and need to increase the lower bound (actually, just standalone) of a >= dependency notation in setup.py

@abdulapopoola abdulapopoola added the Batch How We Work: Feature. Outcome achieved within 1 iteration. Can live under an epic, or stand alone. label Mar 14, 2024
@GarryHurleyJr GarryHurleyJr self-assigned this May 9, 2024
@GarryHurleyJr
Contributor

This issue was related to issue 6630 and 6632. I will take a look at them and see what I can come up with.

@kbukum1
Contributor

kbukum1 commented Jun 19, 2024

The issue has been reproduced internally, and we are currently analyzing the cause between the package manager and Dependabot.

@kbukum1
Contributor

kbukum1 commented Jun 28, 2024

The issue regarding the lower bound is fixed. As mentioned in the document, the minimum version is going to be increased to match the new version.

@kbukum1 kbukum1 closed this as completed Jun 28, 2024
@sanderr

sanderr commented Jun 28, 2024

Hi, thanks for looking into this. However, if I recall correctly this is a breaking change without an upgrade path for the old behavior. I believe #6630 should have been addressed first, and released before this one to not break users' flows.

My apologies to raise this issue so late. I'd mentioned it sometime before but I only now notice that it's not in this thread.

@kbukum1
Contributor

kbukum1 commented Jun 28, 2024

> My apologies to raise this issue so late.

Thanks @sanderr. I am looking into the widening issue as well. I am planning to come up with a solution for widening and increase together.

@jeffwidman, @abdulapopoola

@sanderr

sanderr commented Jul 3, 2024

@kbukum1 just to make sure I understood correctly, can you confirm that no changes to the default versioning strategy (e.g. #10060) will be released before the fix for #6630? How about the other way around to allow for an upgrade path?

@kbukum1
Contributor

kbukum1 commented Jul 5, 2024

@sanderr,

Sorry for the late reply. I found an issue that will affect other strategies. Going to create changes for that. Reopening the issue and going to apply the changes.

@kbukum1 kbukum1 reopened this Jul 5, 2024
@kbukum1 kbukum1 linked a pull request Jul 5, 2024 that will close this issue
5 tasks
@kbukum1
Contributor

kbukum1 commented Jul 5, 2024

@deivid-rodriguez, @sanderr,

I have created a Draft PR to ensure the changes apply only to the increase strategy. I would appreciate it if you could review it: Draft PR #10154.

@sanderr

sanderr commented Jul 8, 2024

I reviewed it to the best of my ability.

I have to confess I'm still unclear as to your plan with regards to #6630. The reason I ask is that we do some automated processing of dependabot pull requests. If a future release will change the default behavior from widen to increase, we will have to pause our automated processing before that release. And if I understand correctly (correct me if I'm wrong), your changes do exactly this: change the default behavior from widen to increase (by fixing increase, which is the default strategy).

So could you tell me what is the plan with regards to that? Will you release the change of default behavior like this (1), together with a fix for #6630 (2) or first release a fix for #6630 and then only release the changes to the default behavior in some future release (3)?

@abdulapopoola
Member

This is being closed as won't fix for now as we consider a deeper systemic fix.

@abdulapopoola abdulapopoola closed this as not planned Won't fix, can't repro, duplicate, stale Jul 12, 2024