beetbox / beets

music library manager and MusicBrainz tagger
http://beets.io/
MIT License

Fix black security vulnerability #5306

Closed snejus closed 2 weeks ago

snejus commented 2 weeks ago

See https://github.com/beetbox/beets/security/dependabot/7

snejus commented 2 weeks ago

Fine with me (even though I'm not sure this really has any security impact). Was there a reason that we capped black at a specific minor version (24.3)?

Since the format check was skipped in CI, it seems possible that changed black defaults in version 25 might break our style checks which we can't see here.

Good point, let's make the workflow get triggered by a change in poetry.lock too!

snejus commented 2 weeks ago

Now let me just figure out how to make flake8 ignore poetry.lock here 😅

snejus commented 2 weeks ago

I made the linting workflow check the entire repository whenever poetry.lock is updated

Run poe check-format
Poe => black --check --diff --color .
All done! ✨ 🍰 ✨
191 files would be left unchanged.
Poe => isort --check --diff --color .
Skipped 1 files
snejus commented 2 weeks ago

Ignoring flake8-docstrings in aura.py before https://github.com/beetbox/beets/pull/5234 is merged

snejus commented 2 weeks ago

Since the format check was skipped in CI, it seems possible that changed black defaults in version 25 might break our style checks which we can't see here.

@wisp3rwind black version is constrained between >=24.3 and <25 so it can't be updated to 25, see pyproject.toml:

black = ">=24.3,<25"

Relatedly,

Was there a reason that we capped black at a specific minor version (24.3)?

It's constrained to this version or above, as indicated by the security vulnerability details image

If you have a glance at poetry.lock you will find that the resolved version is 24.4.2.
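The comment above hinges on how the constraint in pyproject.toml relates to the version resolved in poetry.lock. The following is an added example (not beets' own code) that evaluates a Poetry-style constraint against a resolved version and confirms the lock is not below a known-fixed release; it uses only the standard library, and `MIN_FIXED` is a constructed placeholder rather than the advisory's actual patched version.

```python
import re
from typing import Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '24.4.2' into (24, 4, 2); shorter versions are padded with 0 on compare."""
    return tuple(int(p) for p in text.strip().split("."))

def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad both tuples with zeros so '24.3' compares equal to '24.3.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def satisfies(constraint: str, version: str) -> bool:
    """True if `version` meets every comma-separated clause, e.g. '>=24.3,<25'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, bound)
        if not _OPS[op](a, b):
            return False
    return True

def lock_is_safe(constraint: str, locked: str, min_fixed: str) -> bool:
    """The resolved version must fit the constraint and not be older than the fix."""
    a, b = _pad(parse_version(locked), parse_version(min_fixed))
    return satisfies(constraint, locked) and a >= b

# Values quoted in the thread: the pyproject.toml constraint and the
# version poetry.lock resolved to. MIN_FIXED is a constructed placeholder.
CONSTRAINT = ">=24.3,<25"
LOCKED = "24.4.2"
MIN_FIXED = "24.3.0"  # placeholder: substitute the advisory's patched version

if __name__ == "__main__":
    print(satisfies(CONSTRAINT, "25.1.0"))   # the <25 cap excludes black 25
    print(lock_is_safe(CONSTRAINT, LOCKED, MIN_FIXED))
```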

snejus commented 2 weeks ago

Merging this in as I think I addressed your comments @wisp3rwind

wisp3rwind commented 2 weeks ago

I made the linting workflow check the entire repository whenever poetry.lock is updated

Nice!

@wisp3rwind black version is constrained between >=24.3 and <25 so it can't be updated to 25, see pyproject.toml:

Obviously, I wasn't sufficiently awake when I commented here yesterday 😅