Open Kurt-von-Laven opened 2 years ago
We could also investigate how Python is installed in the GitHub hosted runners... as they may have prior art we could copy.
@Kurt-von-Laven, as you've driven at least a few Python updates for us (many thanks!), I'm wondering whether you have an opinion or knowledge around the requirement for us to be running the same patch version of Python as the given repo/project.
I'm working on #6079, and from the testing I've done it seems sufficient to match major.minor for the Python version. This would allow us both to be more performant (as we'd not need to compile a new Python just in time) and to get broader support with less work, as we would only need to update when a new major.minor is released. I'd love any feedback you might have on the approach in the above PR, especially around the concern raised by @deivid-rodriguez.
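The major.minor matching described in the comment above, as an added illustration that is not code from Dependabot or from #6079: given the version a project declares and the interpreters already installed on the runner, pick the one sharing major.minor and prefer its newest patch release (the one carrying the latest security fixes). The version strings are constructed sample input.

```python
"""Select an installed CPython for a project by major.minor, preferring the newest patch."""
import re
from typing import Optional

# Accepts "3.11" or "3.11.4"; anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, Optional[int]]:
    """Parse a Python version string into (major, minor, patch-or-None)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Python version: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)


def select_interpreter(requested: str, installed: list[str]) -> Optional[str]:
    """Return the installed version that matches the requested major.minor.

    If several installed versions share that major.minor, the highest patch
    release wins, since patch releases carry the security fixes. Returns
    None when no installed interpreter matches, so the caller can decide to
    build one just in time instead.
    """
    req_major, req_minor, _ = parse_version(requested)
    candidates: list[tuple[int, str]] = []
    for version in installed:
        major, minor, patch = parse_version(version)
        if (major, minor) == (req_major, req_minor):
            # A bare "3.11" entry sorts below any explicit patch release.
            candidates.append((patch if patch is not None else -1, version))
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    # Constructed sample: a project pinned to 3.11.4, runner has two 3.11 builds.
    runner_pythons = ["3.10.12", "3.11.7", "3.11.2", "3.12.0"]
    print(select_interpreter("3.11.4", runner_pythons))  # 3.11.7
    print(select_interpreter("3.9", runner_pythons))     # None
```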
Thanks for reaching out; this sounds like a great change, and I shared my thoughts on #6079.
👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.
Is there an existing issue for this?
Code improvement description
Dependabot internally installs Python using pyenv, which releases with support for new Python versions approximately monthly. There is roughly comparable turnaround time for Dependabot to bump to the latest pyenv and Python versions, and Python often issues a patch release every 1-2 months. Taken together, this means that Dependabot rarely supports the latest version of Python. This is inherently problematic and will inevitably exacerbate the impact of Python security issues throughout the ecosystem. Ideally Dependabot would support the latest version of Python instantaneously upon its release. Furthermore, it means that users of Dependabot cannot use the version of Python pre-cached in GitHub-hosted runners, which is updated weekly. asdf can install the latest version of Python immediately upon its release, and there are asdf plugins for virtually every package manager, so Dependabot would no longer have to use separate package managers for separate package ecosystems.