After this PR, ideally, dependabot will keep ticking over and updating our lock files with the latest versions compatible with our pyproject.toml.
There will then be a second job that lets us know of new major incompatible versions; we can treat these on a case-by-case basis and roll the changes out ourselves, based on the dependabot PRs.
I am hoping the dependabot config is flexible enough for this; otherwise we will have to rewrite lots of the constraints from our pyproject into the dependabot config file, for now.
Dependabot groups are also magic to me. My guess is that for the pip ecosystem, any dependency under the `dev` extra is treated as development, and all the rest are production, but that's not entirely clear to me yet (and it's not documented).
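For reference, here is an illustrative `.github/dependabot.yml` that implements the split described above (routine in-constraint bumps batched by dependency type, major bumps surfaced as separate PRs). This is an added example, not the config from this PR. It assumes the `pyproject.toml` and lock file live at the repository root, and it relies on the same unconfirmed guess made above, namely that dependabot's pip support classifies the `dev` extra as `development` and everything else as `production`.

```yaml
# Illustrative .github/dependabot.yml (not the PR's own file).
# Assumes pyproject.toml / lock file at the repository root ("/").
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Routine refreshes: minor and patch bumps that stay within the
      # pyproject.toml constraints, batched into one PR per dependency type.
      dev-minor-patch:
        dependency-type: "development"   # assumed to map to the 'dev' extra
        update-types: ["minor", "patch"]
      prod-minor-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]
    # Major bumps match neither group, so dependabot opens them as individual
    # PRs; these are the "case-by-case" ones to roll out by hand.
```

If the dev/production classification turns out not to behave as guessed, the `dependency-type` keys can be replaced with explicit `patterns:` lists of package names, at the cost of duplicating part of what `pyproject.toml` already says.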