dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support PDM: https://github.com/frostming/pdm #3190

Open pawamoy opened 3 years ago

pawamoy commented 3 years ago

I'd like to get Dependabot support for Python projects managed by PDM.

PDM is very similar in usage to Poetry, and also uses pyproject.toml, so it could be in conflict with the Poetry file updater 😕 It also has its own pdm.lock file.

Just opening for visibility, to see if others are interested 🙂

pawamoy commented 3 years ago

Coming back to this: PDM now supports PEP621+PEP631, which describe the standard way of declaring project metadata including dependencies and optional dependencies in pyproject.toml. More tools will follow (Flit just published experimental support), so it might be even more relevant to support PDM/PEP621 in dependabot 🙂

Note however that PDM extends PEP621 with a [tool.pdm.dev-dependencies] section.

pawamoy commented 2 years ago

Has any dependabot maintainer had the chance to see this? The Python ecosystem is standardizing on PEP 621 (Storing project metadata in pyproject.toml), PEP 631 (Dependency specification in pyproject.toml based on PEP 508) and (hopefully soon) PEP 665 (A file format to list Python dependencies for reproducibility of an application).

Several projects would already benefit from dependabot support for at least PEP 631: flit, pdm, trampolim, etc.

pawamoy commented 2 years ago

Just saw #3290. This issue could be closed in its favor. Please upvote #3290 🙂

jeffwidman commented 1 year ago

Closing in favor of #3290 per the request ☝️. It just so happens that #3290 has been fixed already, so this issue I assume has also been fixed 🎉

deivid-rodriguez commented 1 year ago

Actually, even if PDM does implement PEP621, it also has a lock file, so it introduced further complexities in that first version of PEP621 and we decided to exclude it explicitly. So let me reopen this since PDM is not yet fully supported unfortunately.

baggiponte commented 1 year ago

Hello, I was curious to know what kind of help you might need with this one. I never coded in Ruby, but I'd be glad to help. How did you manage to make it work for poetry? What are the missing pieces for pdm?

commonism commented 9 months ago

pdm allows using

```toml
[tool.pdm.dev-dependencies]
tests = [
…
]
```

to specify dependencies which are required for development only - these dependencies are not listed as runtime dependencies.

The dependencies may introduce requirements on regular dependencies - restricting versions. dependabot does not honor these version restrictions introduced by development dependencies.

hcoohb commented 3 months ago

dependabot seems to still be ignoring pdm managed projects for version control PR... It does detect packages with vulnerabilities but fails to create a PR.

That would be amazing to have pdm fully supported. Are there any updates on the blockers? Thanks

rooterkyberian commented 1 month ago

Support of pdm.lock seems crucial to make Dependabot security scans & autoupdates viable for projects using pdm.lock, since even if pyproject.toml dependencies are understood, the version specifiers there are most often open-ended, so it thinks everything is up to date, while the "pdm.lock" contains some old versions and that is what is run in prod and needs to be watched.

A simple workaround to at least get proper alerts would be to export pdm.lock to locked-requirements.txt and scan that. Such a process can be error-prone as it either requires manual action by a dev every time pdm.lock is updated, or some GHA that commits into repo master on its own, which is scary. It also would not benefit from automatic Dependabot PRs.