Add support for Python dependencies in setup.cfg
#2133
Comments
|
Oh good point. We have a kind of partial support for them, where we can handle libraries that use them alongside a |
|
@althonos can you link to a repo that uses this setup? Would help a lot with adding support. |
|
@greysteil : sure ! althonos/InstaLooter has that kind of structure, with every dependency listed in |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions. |
|
@greysteil : bumping ? 😄 |
|
I'm not on team Dependabot anymore (I now work on security more broadly at GitHub). @hmarr, @feelepxyz and @jeffmcaffer are your go-tos now :-) |
|
@feelepxyz and @jeffmcaffer , could you please share an update on this issue. Thank you! |
|
@ivelin 👋 no progress on this yet. We're currently running a very small team maintaining dependabot alongside integrating it within GitHub so have made little progress on new features. We've got a few python improvements lined up once we get more people on the team. |
|
Thank you for the candid response, @feelepxyz . I understand and will keep an eye on the issue for updates. |
|
BTW, not sure if its an option, but if the Python setup parsing code in dependabot is open source, maybe you can provide a couple of hints and pointers. There may be contributors in the Python community with spare cycles to help out. |
|
@ivelin sorry for the slow update! Would love help adding support to dependabot-core. As a starting point, you probably want to hook in here and branch out to a new updater for You can use the requirements updater as a starting point: https://github.com/dependabot/dependabot-core/blob/master/python/lib/dependabot/python/file_updater/requirement_file_updater.rb |
|
Hi. Is there any update on plans for working on this? I see that the links that @ivelin posted as a starter for anyone willing to help are now broken. The new ones are:
I also add a couple of example projects that use setup.cfg for requirements which include both install_requires and extras_require.
I was considering helping out. But I don't know ruby so looking at the starting point it did not seem too easy for me to do. I also found https://github.com/datafolklabs/ruby-parseconfig which maybe is able to parse the setup.cfg files. |
|
This feature is also discussed here: PR #2281 modifies the distutils.core.run_setup(
<path to unmodified setup.py file>,
stop_after="init"
)and the results are collected using the custom It also catches all exceptions. In case of errors or no collected dependencies, it reverts to the old method running a patched I haven't yet added test cases for this. I'll need to install the Ruby environment and study how to run the test suite – pointers to documentation appreciated! |
|
it would be better to use pep517 https://www.python.org/dev/peps/pep-0517/#prepare-metadata-for-build-wheel |
|
here's a demo using the >>> import pep517.meta
>>> import pprint
>>> pprint.pprint(pep517.meta.load("path/to/twisted").requires)
['zope.interface (>=4.4.2)',
'constantly (>=15.1)',
'incremental (>=16.10.1)',
'Automat (>=0.8.0)',
'hyperlink (>=17.1.1)',
'attrs (>=19.2.0)',
'twisted-iocpsupport (~=1.0.0) ; platform_system == "Windows"',
... |
|
@graingert, have you taken a look at the other ideas thrown around in #2281? Could you add this one in that discussion? |
|
It would certainly be nice to have support for What would be the next steps to get this feature? There are different ideas suggested above, and I think #2281 is the furthest developed one? |
|
Trying this again in #3423 (wip). Not entirely sure the approach would work. |
|
I think this issue can be closed now. |
|
Hooray! Thanks @honnix ! |
This enables Dependabot to run every Tuesday at 10 AM (Stanford time), and notify us (by pull request) if a dependency has done an update. It's then on us to check if the update mandates a bump in our minimum required version for the dependency. Kudos to dependabot/dependabot-core#2133, dependabot/dependabot-core#2281, and dependabot/dependabot-core#3423 for enabling Dependabot support with `python.cfg` files!
|
Dependencies are still not being shown in my Dependencies Graph in GitHub. |
|
I still have repos that have dependencies specified in |
|
If you are looking for dependencies being listed in the dependencies graph in GitHub, this issue seems to be irrelevant: unfortunately they are not using dependabot for that.
Related:
|
|
I'm a little confused about this issue. The subject seems to imply that dependabot does not support dependencies in setup.cfg, but I use it regularly with |
|
Having your dependencies defined in setup.cfg and having the It is still recognising the other You can see by navigating to the Dependency graph section it completely doesn't see This is the problem. |
|
It's been mentioned before that apparently GitHub's Dependency graph doesn't use Dependabot. |
|
The following is specifically about github's dependency graph and |
This is still relevant. Somebody should probably close this issue 😄 |
|
Thanks @DanielNoord, I'll indeed close this out, please refer to https://github.com/orgs/github-community/discussions/6456 for discussion on support in the Dependency Graph (which as mentioned indeed currently does not share any implementation details with Dependabot) |
|
@DanielNoord While The really bad part is the overall status of dependabot and huge lagging behind everywhere. For example they do not support Yarn newer lock file formats even more than two years after these were introduced. I seen ourselves slowly moving away from dependabot for these reasons. It still works good for updating github actions, so it is not totally useless. For python, we do use it in a bit different approach, where is still usable. We use pip-compile (from pip-tools) to compile constraints files, which we name |
|
Agreed that lagging behind of I think one of the issues is that I do think we as Python community/ecosystem can help by providing clear test cases or repositories. For example in the PR mentioned above one of the issues is that we didn't find the correct test/pattern immediately. I can imagine that maintainers of |
It is build tools (flit-core, hatchling, setuptools, etc) that have gained or are gaining support to find the project metadata and dependencies in pyproject.toml instead of each defining its own config file. (pip also looks at pyproject.toml to know what build tool to install and call when building from source) |
Hi !
Ever since
setuptoolsstarted supporting setup configuration files, I've been using them instead of hardcoding configuration values in thesetup.pyscript. However, it does not seem like these files are supported by Dependabot right now.Adding support would be fairly simple: check for
setup.cfg, parse it as an INI configuration file, and check the value insetup_requires,tests_require, andinstall_requiresjust like arequirements.txtfile.I've been using Dependabot extensively for my Rust projects but this is stopping me from extending that to my Python projects as well. I'd love to see
setup.cfgsupport implemented!The text was updated successfully, but these errors were encountered: