dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License
4.69k stars 1.01k forks

Don't Remove Poetry Version From Lock File #7219

Closed Kurt-von-Laven closed 1 year ago

Kurt-von-Laven commented 1 year ago

Is there an existing issue for this?

Package ecosystem

pip

Package manager version

Poetry 1.4.2

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  # Upgrade Poetry dependencies.
  - package-ecosystem: pip
    directory: /
    schedule:
      interval: daily
      time: "08:00"
      timezone: America/New_York
    open-pull-requests-limit: 1
    insecure-external-code-execution: deny
    allow:
      - dependency-type: development

Updated dependency

No response

What you expected to see, versus what you actually saw

Expected no modifications to first line of poetry.lock:

# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.

Experienced modification to first line of poetry.lock:

# This file is automatically @generated by Poetry and should not be changed by hand.

Native package manager behavior

Poetry adds the version number back in when, for example, poetry lock --no-update has work to do. If there are no substantive changes to be written, then Poetry doesn't modify poetry.lock at all. Poetry started including the Poetry version in the lock file in Poetry 1.4.0: python-poetry/poetry#7339.

Images of the diff or a link to the PR, issue, or logs

--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.
+# This file is automatically @generated by Poetry and should not be changed by hand.
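Review bot: the only change in this hunk is that the "1.4.2" version token is dropped from the @generated header on line 1; the hunk header (-1,4 +1,4) shows no other line in the file moved, so no dependency was actually re-resolved. Per the issue text, Poetry has written its own version into that header since 1.4.0, so a rewrite that removes it means the lock step ran under an older Poetry than the one that produced the file. This kind of header-only churn should not reach a PR: run the lock step with a Poetry release at least as new as the one recorded in the header, or skip writing poetry.lock back when the resolved content is unchanged.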

Smallest manifest that reproduces the issue

pyproject.toml:

[build-system]
requires = ["poetry-core>=1.5.2"]
build-backend = "poetry.core.masonry.api"

[tool]
  [tool.poetry]
  name = "Minimal Reproduction"
  version = "0.1.0"
  description = "Minimal Reproduction of Dependabot Issue"
  authors = ["Kurt von Laven <kurt.von.laven@gmail.com>"]

  [tool.poetry.dependencies]
  python = "==3.11.3"
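A small CI-side guard for the failure mode described in this report, written as an added example (it is not code from dependabot-core, Poetry or the issue author). It assumes only the header format visible in the expected/actual lines above; the lock contents used as input are constructed for the demonstration.

```python
"""Flag a poetry.lock rewrite whose only effect is stripping the Poetry
version from the @generated header line (the symptom in this issue).

Added example: not part of dependabot-core or Poetry. The header format is
taken from the lock file lines quoted in the report; the sample lock bodies
below are constructed and do not come from any real project.
"""
import re
from typing import Optional

# Poetry >= 1.4.0 records its own version in the header; older releases omit it.
HEADER_RE = re.compile(
    r"^# This file is automatically @generated by Poetry"
    r"(?: (?P<version>\d+\.\d+\.\d+\S*))?"
    r" and should not be changed by hand\.$"
)

# Constructed sample: a lock written by Poetry 1.4.2 with one package block.
BEFORE_LOCK = """\
# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.

[[package]]
name = "certifi"
version = "2023.5.7"
description = "Python package for providing Mozilla's CA Bundle."
optional = false
python-versions = ">=3.6"
"""

# Constructed sample: the same lock after a tool rewrote only the header.
AFTER_LOCK = BEFORE_LOCK.replace("by Poetry 1.4.2 and", "by Poetry and", 1)


def lock_header_version(lock_text: str) -> Optional[str]:
    """Return the Poetry version recorded on line 1, or None if the header
    carries no version. Raises if line 1 is not a Poetry @generated header."""
    lines = lock_text.splitlines()
    first_line = lines[0] if lines else ""
    match = HEADER_RE.match(first_line)
    if match is None:
        raise ValueError("first line is not a Poetry @generated header")
    return match.group("version")


def classify_lock_change(before: str, after: str) -> str:
    """Classify a lock rewrite as one of:
      'unchanged'              - byte-identical
      'header-version-dropped' - only line 1 changed and it lost its version
      'header-only'            - only line 1 changed in some other way
      'content'                - at least one line after the header changed
    """
    if before == after:
        return "unchanged"
    if before.splitlines()[1:] == after.splitlines()[1:]:
        if lock_header_version(before) and not lock_header_version(after):
            return "header-version-dropped"
        return "header-only"
    return "content"


def should_reject_update(before: str, after: str) -> bool:
    """Policy used by the guard: refuse an update whose only effect is noise
    in the header. Real dependency changes are allowed through."""
    return classify_lock_change(before, after) in ("header-version-dropped", "header-only")


if __name__ == "__main__":
    verdict = classify_lock_change(BEFORE_LOCK, AFTER_LOCK)
    print(f"header version before: {lock_header_version(BEFORE_LOCK)}")
    print(f"header version after:  {lock_header_version(AFTER_LOCK)}")
    print(f"classification: {verdict}; reject={should_reject_update(BEFORE_LOCK, AFTER_LOCK)}")
```

Run it against the two copies of poetry.lock a bot produced (before and after the update) and fail the job when `should_reject_update` is true; a genuine dependency bump still classifies as `content` and passes.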

danyeaw commented 1 year ago

I ran into this as well with https://github.com/gaphor/gaphor/pull/2310. I think this is due to an older version of poetry being used; it looks like this PR would fix this issue: https://github.com/dependabot/dependabot-core/pull/6758

jeffwidman commented 1 year ago

Is this still happening @Kurt-von-Laven @danyeaw?

Wondering if this was an upstream bug that no longer appears now that we're on poetry 1.5...

danyeaw commented 1 year ago

I expect that this is fixed by https://github.com/dependabot/dependabot-core/pull/7350

jeffwidman commented 1 year ago

Sg, will close for now; if you see it again, comment and we can reopen.

Note that I haven't deployed that code yet, I'll probably do so tomorrow though.