dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License
4.73k stars 1.02k forks source link

Support PDM: https://github.com/frostming/pdm #3190

Open pawamoy opened 3 years ago

pawamoy commented 3 years ago

I'd like to get Dependabot support for Python projects managed by PDM.

PDM is very similar in usage to Poetry, and also uses pyproject.toml, so it could be in conflict with the Poetry file updater 😕 It also has its own pdm.lock file.

Just opening for visibility, to see if others are interested 🙂

pawamoy commented 3 years ago

Coming back to this: PDM now supports PEP621+PEP631, which describe the standard way of declaring project metadata including dependencies and optional dependencies in pyproject.toml. More tools will follow (Flit just published experimental support), so it might be even more relevant to support PDM/PEP621 in dependabot :slightly_smiling_face:

Note however that PDM extends PEP621 with a [tool.pdm.dev-dependencies] section.

pawamoy commented 2 years ago

Has any dependabot maintainer had the chance to see this? The Python ecosystem is standardizing on PEP 621 (Storing project metadata in pyproject.toml), PEP 631 (Dependency specification in pyproject.toml based on PEP 508) and (hopefully soon) PEP 665 (A file format to list Python dependencies for reproducibility of an application).

Several projects would already benefit from dependabot support for at least PEP 631: flit, pdm, trampolim, etc.

pawamoy commented 2 years ago

Just saw #3290. This issue could be closed in its favor. Please upvote #3290 :slightly_smiling_face:

jeffwidman commented 2 years ago

Closing in favor of #3290 per the request ☝️ . It just so happens that #3290 has been fixed already, so this issue I assume has also been fixed 🎉

deivid-rodriguez commented 2 years ago

Actually, even if PDM does implement PEP621, it also has a lock file, so it introduced further complexities in that first version of PEP621 and we decided to exclude it explicitly. So let me reopen this since PDM is not yet fully supported unfortunately.

baggiponte commented 1 year ago

Hello, I was curious to know what kind of help you might need with this one. I never coded in Ruby, but I'd be glad to help. How did you manage to make it work for poetry? What are the missing pieces for pdm?

commonism commented 1 year ago

pdm allows using

[tool.pdm.dev-dependencies]
tests = [
…
]

to specify dependencies which are required for development only - these dependencies are not listed as runtime dependencies.

The dependencies may introduce requirements on regular dependencies - restricting versions. dependabot does not honor these version restrictions introduced by development dependencies

hcoohb commented 7 months ago

dependabot seems to still be ignoring pdm manged projects for version control PR... It does detect packages with vulnerabilities but fails to create a PR.

That would be amazing to have pdm fully supported. Is there any updates on the blockers? Thanks

rooterkyberian commented 4 months ago

Support of pdm.lock seems crucial to make Dependabot security scans & autoupdates viable for projects using pdm.lock, since even if pyproject.toml dependencies are understood, the version specifiers there are most often openended, so it thinks everything is up to date, while the "pdm.lock" contains some old versions and that is what is run in prod and needs to be watched.

A simple workaround to at least get proper alerts would be to export pdm.lock to locked-requirements.txt and scan that. Such process would can be error prone as it either requires manual action by dev every time pdm.lock is updated, or some GHA that commits into repo master on its own which is scary. It also would not and benefit of automatic Dependabot PRs.

DavidArmendariz commented 2 months ago

Any updates? PDM is important...

HoangNguyen689 commented 1 month ago

Is there any update here?