Remove safety/pyup #415

Open
zStupan opened this issue Nov 1, 2023 · 4 comments

@zStupan
Contributor

zStupan commented Nov 1, 2023

There are currently 2 bots for updating dependencies set up for this repository: safety (pyup) and dependabot. Can someone please remove pyup?

Also I'm not sure the requirements.txt in the docs should be updated, at least not automatically, because those dependencies were pinned for a reason, i.e. to ensure the docs build for readthedocs doesn't break.

@GregaVrbancic
Contributor

Hi, the pyup webhook was deleted, therefore it should no longer work.

> Also I'm not sure the requirements.txt in the docs should be updated, at least not automatically, because those dependencies were pinned for a reason, i.e. to ensure the docs build for readthedocs doesn't break.

Probably it is best to not automatically update the docs dependencies. Regarding the dependabot this was already done here or am I wrong?

I have also observed that some docs dependencies are also present in the pyproject.toml. Do we need them?

@GregaVrbancic
Contributor

Also, does anyone know why the dependabot updates only poetry.lock files like in PR #431 and #433? It should update pyproject.toml or am I wrong?

@zStupan
Contributor Author

zStupan commented Dec 19, 2023

> I have also observed that some docs dependencies are also present in the pyproject.toml. Do we need them?

Yes, the requirements file in docs/ is used only when deploying to readthedocs. The docs dependencies in pyproject.toml are optional and are not installed by default, but can be installed for building the docs locally if need be.

> Also, does anyone know why the dependabot updates only poetry.lock files like in PR #431 and #433? It should update pyproject.toml or am I wrong?

It's the default setting for libraries. Because when installing the library pip installs the latest compatible dependencies anyway, I think. This can be changed in the config file by setting versioning-strategy to "increase".

@GregaVrbancic
Contributor

> Yes, the requirements file in docs/ is used only when deploying to readthedocs. The docs dependencies in pyproject.toml are optional and are not installed by default, but can be installed for building the docs locally if need be.

Great, this seems reasonable.

> It's the default setting for libraries. Because when installing the library pip installs the latest compatible dependencies anyway, I think. This can be changed in the config file by setting versioning-strategy to "increase".

Oh, I see. However, the lock file can cause quite some problems when using different OSes, as well as with those optional dependencies. We should think through what is the most suitable strategy to use for dependabot.
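
The `versioning-strategy` setting discussed in this thread, shown as an added example (not the repository's actual configuration and not posted by either participant). The file location `.github/dependabot.yml` is Dependabot's standard path; the weekly schedule and the single root-directory entry are assumptions for illustration.

```yaml
# .github/dependabot.yml (illustrative; schedule and directory are assumed)
version: 2
updates:
  - package-ecosystem: "pip"      # the "pip" ecosystem also covers Poetry projects
    directory: "/"                # where pyproject.toml and poetry.lock live
    schedule:
      interval: "weekly"
    # Always raise the version requirement in pyproject.toml to match the
    # new release, so the manifest and poetry.lock change together.
    versioning-strategy: increase
    # Alternative: touch only poetry.lock and never the manifest.
    # versioning-strategy: lockfile-only
```

With `increase`, each update PR shows the changed constraint in `pyproject.toml` as well as the regenerated lock file, which makes the bump reviewable in the manifest itself.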
