dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support pip-compile-multi #536

Open peterdemin opened 6 years ago

peterdemin commented 6 years ago

Hi guys, check out this PR: https://github.com/peterdemin/pip-compile-multi/pull/17/files

It clearly didn't just bump the dependency version. I guess it's because I mix hard-pins with references to other requirements files.

greysteil commented 6 years ago

Sorry about that! I’ll take a look and get this fixed.

greysteil commented 5 years ago

Just looking at this again.

I think the issue here is that pip-compile-multi handles requiring other .txt files differently to pip-compile, hence Dependabot stripping them out. Perhaps we should rename this issue to be "support pip-compile-multi"?

peterdemin commented 5 years ago

So I looked at this again too.

Honestly, I don't think that Dependabot (or any other service) will be able to support pip-compile-multi in its current state. The main reason is that it's impossible to understand (by looking only at requirements files) how exactly they were generated in terms of Python runtime, OS and CLI arguments. But if Dependabot supported some kind of configuration file, it would actually be viable and very flexible. I don't know what the file format should be, but here, take a look at my tox.ini:

[testenv:upgrade2]
basepython = python2.7
deps = pip-compile-multi
commands =
    pip-compile-multi -n py27 -n local27
    pip-compile-multi -n py27 -n local27 -g py27 -g local27 -i txt -o hash

[testenv:upgrade3]
basepython = python3.6
deps = pip-compile-multi
commands =
    pip-compile-multi -n local -n testwin
    pip-compile-multi -n local -n testwin -g local -g testwin -i txt -o hash

I generate lock files with the command tox -e upgrade2 -e upgrade3. It produces 2 sets - with and without hashes.

But from a SaaS perspective, it means that you will be running arbitrary code on your platform... Raising security concerns.

What do you think?

greysteil commented 5 years ago

Yeah, I agree that's going to be too complicated for Dependabot!

We already have the isolation required to evaluate arbitrary code with Dependabot (we need it to evaluate setup.py files, for example) but it would be a significant change for us to position that as a feature and support users giving us arbitrary commands. I don't want Dependabot to end up becoming a CI, so I think we might have to leave this one for now.

Thanks for your advice and feedback on it!

peterdemin commented 5 years ago

Actually, I just realized that I can have pip-compile-multi running in CI on a schedule and opening PRs when something changes.

tudoramariei commented 4 years ago

I think I can add two more PRs here where, in this case, dependabot was trying to update boto3 but at the same time tried to delete some packages: PR#190 and PR#188. If we manually run our update command, those lines stay there.

davidism commented 4 years ago

I wanted to use pip-compile-multi along with Dependabot to automate coordinating pip-compile for multiple files in the Pallets projects (Flask, Jinja, Click, etc.). However, this issue still affects us: Dependabot replaces -r lines. I started with some smaller libraries, so I caught this before it affected the larger ones. Here's a PR that demonstrates the issue: https://github.com/pallets/secure-cookie/pull/16/files

peterdemin commented 4 years ago

@greysteil returning to this issue, I think it's sensible for Dependabot to add basic support for projects using pip-compile-multi. pip-compile vs pip-compile-multi can be detected by the use of -r references in the lock files. One option is to run pip-compile-multi without arguments, using the current mainstream Python version. The more involved version is to parse the header, which looks like the following:

# To update, run:
#
#    pip-compile-multi
#

and use that line for the CLI options.

What do you think?
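
As an added example (not dependabot-core's code, and not peterdemin's), a Python sketch of the two heuristics proposed in the comment above: treat a lock file as pip-compile-multi output when a non-comment line references another file with -r, then read the "# To update, run:" header and accept its command only if it is a bare pip-compile-multi invocation using the short flags seen in this thread with plain values, so the header can never become the arbitrary-command channel that worried people earlier in the issue. The sample lock file, the flag allowlist and the function names are assumptions made for this example.

```python
import re
import shlex

# Constructed sample of a pip-compile-multi output file (not taken from any real repo).
SAMPLE_LOCK = """\
# To update, run:
#
#    pip-compile-multi -n local -n testwin -g local -i txt -o hash
#
-r base.txt
boto3==1.9.0
    # via -r requirements/base.in
"""

# Short flags seen in this thread; each takes exactly one value. Anything else is refused.
ALLOWED_OPTS = {"-n", "-g", "-i", "-o"}

def requirement_refs(lock_text):
    """Files pulled in via `-r` on non-comment lines: the signal that pip-compile-multi was used."""
    refs = []
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # "# via -r ..." annotations are pip-compile comments, not references
        m = re.fullmatch(r"(?:-r|--requirement)\s+(\S+)", line)
        if m:
            refs.append(m.group(1))
    return refs

def vetted_update_command(lock_text):
    """argv under '# To update, run:' if it is a bare, allowlisted pip-compile-multi call, else None."""
    lines = lock_text.splitlines()
    argv = None
    for i, line in enumerate(lines):
        if line.rstrip() == "# To update, run:":
            bodies = [ln.lstrip("#").strip() for ln in lines[i + 1:i + 4]]
            argv = next((shlex.split(b) for b in bodies if b), None)
            break
    if not argv or argv[0] != "pip-compile-multi" or len(argv) % 2 == 0:
        return None  # no header, a different tool, or a dangling flag without a value
    for flag, value in zip(argv[1::2], argv[2::2]):
        if flag not in ALLOWED_OPTS or not re.fullmatch(r"[\w.][\w.-]*", value):
            return None  # unknown option, or a value that is a flag or carries shell metacharacters
    return argv

def detect(lock_text):
    if not requirement_refs(lock_text):
        return "pip-compile", None
    return "pip-compile-multi", vetted_update_command(lock_text)
```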

greysteil commented 4 years ago

I don't work on Dependabot any more (I work on GitHub's code scanning products now), but @infin8x, @feelepxyz, @jurre and the rest of the team will be able to help. They're heads down with the GitHub integration at the moment as far as I know, though, so please bear with them!

PeterJCLaw commented 1 year ago

@infin8x just wondering if there's any movement on this and/or things that the community can do to help here? I've seen that dependabot isn't looking to support new ecosystems, though I'm not really sure what the boundary of an ecosystem is (is that e.g. Python as a whole, or does pip-compile-multi count as an ecosystem?).

cc @peterdemin

Not having dependabot support (or an equivalent automatic updates regime) for pip-compile-multi makes using pip-compile-multi (rather than just pip-compile) less appealing, despite the other advantages that it offers. It would be really great if there was a solution in this space for pip-compile-multi.

infin8x commented 1 year ago

Hi there! Unfortunately I don't work on Dependabot anymore so I don't know the latest plans/thoughts on multi-ecosystem.

PeterJCLaw commented 1 year ago

Thanks for the quick reply. Any idea who might be a good person to ping about this? A quick look at recent releases suggests that maybe @jakecoffman knows about Python & Dependabot?

mistercrunch commented 7 months ago

@peterdemin or other maintainers, we'd like to contribute support for pip-compile-multi if we have validation that we have good odds of being reviewed/merged, and maybe getting some guidance along the way. We looked into other options (native pip-compile, but we need the features offered by pip-compile-multi).

peterdemin commented 7 months ago

I'm not a maintainer of dependabot. You should tag them instead.