[Python] Dependabot changes ~=1.1.0 to >=1.1.0,<1.3.0 #1440

Closed
daviddavis opened this issue Oct 9, 2019 · 8 comments · Fixed by #5605
Labels
F: language-support Issues specific to a particular language or ecosystem; may be paired with an L: label. L: python:pip Python packages via pip T: feature-request Requests for new features

Comments

@daviddavis

We have our requirements specified in Python using ~= and instead of just bumping the version, dependabot insists on changing the format using >=,<.

@rebelagentm
Contributor

Hi! 👋 Thanks for reporting this. The team is pretty swamped at the moment scaling Dependabot for all of GitHub :octocat:, but we'll take a look at this as soon as we can.

@feelepxyz feelepxyz added the T: feature-request Requests for new features label Oct 23, 2019
@infin8x infin8x added F: language-support Issues specific to a particular language or ecosystem; may be paired with an L: label. L: python:pip Python packages via pip labels Jul 20, 2020
@PerchunPak

Can't reproduce it lately (fire-square/fire-square-style#49, PerchunPak/pinger-bot#49, fire-square/fire-square-style#45).
The last PR with this problem was PerchunPak/mcph#43.

Was this accidentally fixed?

@PerchunPak

Reproduced this again in PerchunPak/mcph#47. Maybe it's now happening when the dependency's version bumps by two versions at once?

@deivid-rodriguez
Contributor

Hello @PerchunPak! Sorry for not getting back earlier, too many things you know 😅.

I actually think this is intentional. Dependabot default for libraries (as opposed to applications, which would get the behavior you want by default) is to widen requirements instead of bumping them, see https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy.

You should get what you want by changing your configuration once we support the increase and increase-if-necessary strategies in Python. This is not yet supported, but will be very soon.
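As an added illustration (not Dependabot's own code), the following models what the two strategies described above do to a PEP 440 compatible-release (`~=`) specifier. The strategy functions are a simplified assumption that reproduces this issue's example (`~=1.1.0` widened to `>=1.1.0,<1.3.0`); `allows` lets you check which versions a widened range actually admits before accepting such a PR.

```python
"""Model of Dependabot's 'widen' vs 'increase-if-necessary' strategies on a
PEP 440 compatible-release (~=) specifier. Added illustration, not
Dependabot's code: the strategy functions are a simplified assumption that
reproduces the issue's example (~=1.1.0 widened to >=1.1.0,<1.3.0)."""


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def compatible_bounds(spec: str) -> tuple:
    """'~=1.1.0' means >=1.1.0 and ==1.1.*, i.e. >=1.1.0,<1.2 (PEP 440):
    drop the last component and bump the one before it for the upper bound."""
    low = parse_version(spec[2:])
    if len(low) < 2:
        raise ValueError("~= requires at least two version components")
    return low, low[:-2] + (low[-2] + 1,)


def allows(spec: str, version: str) -> bool:
    """Does a '~=A' or '>=A,<B' specifier admit `version`?"""
    if spec.startswith("~="):
        low, high = compatible_bounds(spec)
    else:
        clauses = [c.strip() for c in spec.split(",")]
        low = parse_version(next(c[2:] for c in clauses if c.startswith(">=")))
        high = parse_version(next(c[1:] for c in clauses if c.startswith("<")))
    return low <= parse_version(version) < high


def widen(spec: str, new_version: str) -> str:
    """Library default: keep the old floor, raise the ceiling past the new
    version's minor series. Every release in between becomes resolvable."""
    if allows(spec, new_version):
        return spec
    low, _ = compatible_bounds(spec)
    new = parse_version(new_version)
    return f">={fmt(low)},<{fmt((new[0], new[1] + 1, 0))}"


def increase_if_necessary(spec: str, new_version: str) -> str:
    """Application default: leave the specifier alone if it already admits
    the new version, otherwise move the compatible-release floor up to it."""
    return spec if allows(spec, new_version) else f"~={new_version}"
```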

@PerchunPak

> Hello @PerchunPak! Sorry for not getting back earlier, too many things you know 😅.
>
> I actually think this is intentional. Dependabot default for libraries (as opposed to applications, which would get the behavior you want by default) is to widen requirements instead of bumping them, see https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy.
>
> You should get what you want by changing your configuration once we support the increase and increase-if-necessary strategies in Python. This is not yet supported, but will be very soon.

👍 Is there any PR/tracking issue for this feature?

@deivid-rodriguez
Contributor

We added the required changes in this repo at #5605, but then I noticed that we still need some internal changes for this to work. I will update and close this issue once we roll those out.

@deivid-rodriguez
Contributor

@PerchunPak This is now live, can you verify the increase-if-necessary strategy works for you?

@deivid-rodriguez
Contributor

I'm going to close since I verified the new version strategy is properly picked up, but feel free to reopen if you are still having issues after changing the versioning strategy to increase-if-necessary, thanks!

PerchunPak added a commit to py-mine/mcstatus that referenced this issue Apr 21, 2023
This will help to avoid such commits as 42d758a and PRs where
dependabot bumps version from `^1.2.3` to `>=1.2.3,<1.4`.

See dependabot/dependabot-core#1440.
PerchunPak added a commit to py-mine/mcstatus that referenced this issue May 29, 2023
This will help to avoid such commits as 42d758a and PRs where
dependabot bumps version from `^1.2.3` to `>=1.2.3,<1.4`.

See dependabot/dependabot-core#1440.