
Support pip-compile-multi #536

Open
peterdemin opened this issue Jun 13, 2018 · 14 comments
Labels
L: python:pip Python packages via pip T: new-ecosystem Requests for new ecosystems/languages

Comments

@peterdemin

Hi guys, check out this PR: https://github.com/peterdemin/pip-compile-multi/pull/17/files

It clearly didn't just bump the dependency version. I guess it's because I mix hard-pins with references to other requirements files.

@greysteil
Contributor

Sorry about that! I’ll take a look and get this fixed.

@greysteil
Contributor

Just looking at this again.

I think the issue here is that pip-compile-multi handles requiring other .txt files differently to pip-compile, hence Dependabot stripping them out. Perhaps we should rename this issue to be "support pip-compile-multi"?

@peterdemin
Author

peterdemin commented Nov 30, 2018

So I looked at this again too.

Honestly, I don't think that Dependabot (or any other service) will be able to support pip-compile-multi in its current state. The main reason is that it's impossible to understand (by looking only at requirements files) how exactly they were generated in terms of Python runtime, OS and CLI arguments.
But if Dependabot supported some kind of configuration file, it would actually be viable and very flexible.
I don't know what the file format should be, but here, take a look at my tox.ini:

[testenv:upgrade2]
basepython = python2.7
deps = pip-compile-multi
commands =
    pip-compile-multi -n py27 -n local27
    pip-compile-multi -n py27 -n local27 -g py27 -g local27 -i txt -o hash

[testenv:upgrade3]
basepython = python3.6
deps = pip-compile-multi
commands =
    pip-compile-multi -n local -n testwin
    pip-compile-multi -n local -n testwin -g local -g testwin -i txt -o hash

I generate lock files with the command tox -e upgrade2 -e upgrade3. It produces 2 sets: with and without hashes.

But from a SaaS perspective, it means that you will be running arbitrary code on your platform... raising security concerns.

What do you think?

@greysteil
Contributor

greysteil commented Nov 30, 2018

Yeah, I agree that's going to be too complicated for Dependabot!

We already have the isolation required to evaluate arbitrary code with Dependabot (we need it to evaluate setup.py files, for example), but it would be a significant change for us to position that as a feature and support users giving us arbitrary commands. I don't want Dependabot to end up becoming a CI, so I think we might have to leave this one for now.

Thanks for your advice and feedback on it!

@peterdemin
Author

Actually, I just realized that I can have pip-compile-multi running in CI on a schedule and opening PRs when something changes.

@stale stale bot added the wontfix label Oct 23, 2019
@feelepxyz feelepxyz added T: feature-request Requests for new features and removed wontfix labels Oct 23, 2019
@tudoramariei

I think I can add two more PRs here where, in this case, dependabot was trying to update boto3 but at the same time tried to delete some packages: PR#190 and PR#188.
If we manually run our update command, those lines stay there.

@davidism

I wanted to use pip-compile-multi along with Dependabot to automate coordinating pip-compile for multiple files in the Pallets projects (Flask, Jinja, Click, etc.). However, this issue still affects us: Dependabot replaces -r lines. I started with some smaller libraries, so I caught this before it affected the larger ones. Here's a PR that demonstrates the issue: https://github.com/pallets/secure-cookie/pull/16/files

@peterdemin
Author

@greysteil returning to this issue, I think it's sensible for Dependabot to add basic support for projects using pip-compile-multi.
pip-compile vs pip-compile-multi can be detected by the use of -r references in the lock files.
One option is to run pip-compile-multi without arguments, using the current mainstream Python version.
The more involved version is to parse the header, which looks like the following:

# To update, run:
#
#    pip-compile-multi
#

and use that line for the CLI options.

What do you think?
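As an added example (not part of this thread, and not Dependabot's or pip-compile-multi's own code), the detection the comment above proposes can be implemented in a few lines: a lock file that pulls in other files via `-r` lines is treated as pip-compile-multi output, and the command quoted under `# To update, run:` is parsed for its options. The sample lock file is constructed; the four option flags in the allow-list (`-n`, `-g`, `-i`, `-o`, each taking one value) are the ones that appear in the tox.ini earlier in this thread, and restricting the header to an allow-list is an assumption of this example. The point of the allow-list is the concern raised earlier in the thread: the header is repository-controlled text, so a service should read it as data and never hand it to a shell.

```python
from __future__ import annotations

import re
import shlex
from typing import List, Optional, Tuple

# Constructed sample in pip-compile-multi style; only the
# "# To update, run:" header shape is taken from the issue above.
SAMPLE_LOCK = """\
#
# This file is autogenerated by pip-compile-multi
# To update, run:
#
#    pip-compile-multi -n local -n testwin
#
-r base.txt
-r test.txt
boto3==1.9.0
pytest==4.0.0
"""

# Constructed plain pip-compile output: no -r references, no multi header.
SAMPLE_PLAIN = """\
# This file is autogenerated by pip-compile
boto3==1.9.0
"""

# Assumption: flags a service is willing to honour from the header, each taking
# exactly one value.  Anything else is rejected instead of executed.
ALLOWED_FLAGS = {"-n", "-g", "-i", "-o"}
VALUE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # bare names only, no shell metacharacters
HEADER_RE = re.compile(r"^#\s*To update, run:\s*$")


def references(text: str) -> List[str]:
    """Return the files included via `-r` / `--requirement` lines."""
    refs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-r ") or line.startswith("--requirement "):
            refs.append(line.split(None, 1)[1].strip())
    return refs


def uses_pip_compile_multi(text: str) -> bool:
    """Heuristic from the thread: -r references mean pip-compile-multi, not pip-compile."""
    return bool(references(text))


def header_command(text: str) -> Optional[List[str]]:
    """Tokenise the command quoted below '# To update, run:' (None if absent)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not HEADER_RE.match(line.strip()):
            continue
        for candidate in lines[i + 1:]:
            if not candidate.startswith("#"):
                break  # header comment block ended without a command
            body = candidate.lstrip("#").strip()
            if body:
                return shlex.split(body)
    return None


def validated_options(argv: List[str]) -> List[Tuple[str, str]]:
    """Accept only allow-listed (flag, value) pairs; raise on anything else."""
    if not argv or argv[0] != "pip-compile-multi":
        raise ValueError("header does not invoke pip-compile-multi")
    opts = []
    tokens = iter(argv[1:])
    for flag in tokens:
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"refusing unknown option {flag!r}")
        value = next(tokens, None)
        if value is None or not VALUE_RE.match(value):
            raise ValueError(f"option {flag} needs a plain value, got {value!r}")
        opts.append((flag, value))
    return opts


if __name__ == "__main__":
    print("multi:", uses_pip_compile_multi(SAMPLE_LOCK), references(SAMPLE_LOCK))
    print("options:", validated_options(header_command(SAMPLE_LOCK)))
```

With the validated pairs in hand, a service would rebuild the argument list itself (e.g. `["pip-compile-multi", "-n", "local", "-n", "testwin"]`) and run it in its existing sandbox; it never re-uses the header string as a command line, so a header such as `pip-compile-multi -n local; <anything>` is rejected by `VALUE_RE` before any process starts.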

@greysteil
Contributor

I don't work on Dependabot any more (I work on GitHub's code scanning products now), but @infin8x, @feelepxyz, @jurre and the rest of the team will be able to help. They're heads down with the GitHub integration at the moment as far as I know, though, so please bear with them!

@infin8x infin8x added L: python:pip Python packages via pip T: new-ecosystem Requests for new ecosystems/languages and removed T: feature-request Requests for new features labels Jul 2, 2020
@infin8x infin8x changed the title Messing up Python locked requirements Support pip-compile-multi Jul 2, 2020
ahal added a commit to mozilla-releng/tooltool that referenced this issue Oct 15, 2021
It looks like dependabot has decided they won't support 'pip-compile-multi':
dependabot/dependabot-core#536

But perhaps using 'pip-compile' gets us closer than 'pip' does?
@dependabot dependabot deleted a comment from stale bot Dec 22, 2022
@PeterJCLaw

@infin8x just wondering if there's any movement on this and/or things that the community can do to help here? I've seen that dependabot isn't looking to support new ecosystems, though I'm not really sure what the boundary of an ecosystem is (is that e.g: Python as a whole or does pip-compile-multi count as an ecosystem?).

cc @peterdemin

Not having dependabot support (or an equivalent automatic updates regime) for pip-compile-multi makes using pip-compile-multi (rather than just pip-compile) less appealing, despite the other advantages that it offers. It would be really great if there was a solution in this space for pip-compile-multi.

@infin8x
Contributor

infin8x commented Jun 4, 2023

Hi there! Unfortunately I don't work on Dependabot anymore so I don't know the latest plans/thoughts on multi-ecosystem.

@PeterJCLaw

Thanks for the quick reply. Any idea who might be a good person to ping about this?
A quick look at recent releases suggests maybe @jakecoffman knows about Python & Dependabot?

@mistercrunch

@peterdemin or other maintainers, we'd like to contribute support for pip-compile-multi if we have validation that we have good odds of getting reviewed/merged, and maybe getting some guidance along the way. We looked into other options (native pip-compile), but we need the features offered by pip-compile-multi.

@peterdemin
Author

I'm not a maintainer of dependabot. You should tag them instead.


8 participants