Support pip-compile-multi #536
Sorry about that! I’ll take a look and get this fixed.
Just looking at this again. I think the issue here is that
So I looked at this again too. Honestly, I don't think that Dependabot (or any other service) will be able to support
I generate lock files with a command But from a SaaS perspective, it means that you will be running arbitrary code on your platform... Raising security concerns. What do you think?
Yeah, I agree that's going to be too complicated for Dependabot! We already have the isolation required to evaluate arbitrary code with Dependabot (we need it to evaluate Thanks for your advice and feedback on it!
Actually, I just realized, that I can have
I wanted to use pip-compile-multi along with Dependabot to automate coordinating pip-compile for multiple files in the Pallets projects (Flask, Jinja, Click, etc.). However, this issue still affects us, Dependabot replaces
@greysteil returning to this issue, I think it's sensible for Dependabot to add basic support for projects using pip-compile-multi.
and use that line for the CLI options. What do you think?
I don't work on Dependabot any more (I work on GitHub's code scanning products now), but @infin8x, @feelepxyz, @jurre and the rest of the team will be able to help. They're heads down with the GitHub integration at the moment as far as I know, though, so please bear with them!
It looks like dependabot has decided they won't support 'pip-compile-multi': dependabot/dependabot-core#536 But perhaps using 'pip-compile' gets us closer than 'pip' does?
@infin8x just wondering if there's any movement on this and/or things that the community can do to help here? I've seen that dependabot isn't looking to support new ecosystems, though I'm not really sure what the boundary of an ecosystem is (is that e.g: Python as a whole or does cc @peterdemin Not having dependabot support (or an equivalent automatic updates regime) for
Hi there! Unfortunately I don't work on Dependabot anymore so I don't know the latest plans/thoughts on multi-ecosystem.
Thanks for the quick reply. Any idea who might be a good person to ping about this?
@peterdemin or other maintainers, we'd like to contribute support for pip-compile-multi if we have validation that we have good odds of being reviewed/merged, and maybe getting some guidance along the way. We looked into other options (native pip-compile, but need the features offered by pip-compile-multi).
I'm not a maintainer of dependabot. You should tag them instead.
Hi guys, check out this PR: https://github.com/peterdemin/pip-compile-multi/pull/17/files
It clearly didn't just bump the dependency version. I guess it's because I mix hard-pins with references to other requirements files.