dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support for updating Poetry pyproject.toml, not just poetry.lock? #8603

Open glennmatthews opened 8 months ago

glennmatthews commented 8 months ago

Is there an existing issue for this?

Package ecosystem

poetry

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

/pyproject.toml, /poetry.lock

dependabot.yml content

Default configuration (no dependabot.yml)

Updated dependency

No response

What you expected to see, versus what you actually saw

Given that the documentation specifies that the default versioning-strategy for the Python ecosystem is auto, I'd expect Dependabot PRs to update pyproject.toml by default as per either the increase or widen strategies.

Instead, only the poetry.lock is updated by Dependabot. This is of very limited usefulness since poetry.lock only influences what gets installed when working directly in the repository, and has no impact on the dependencies that are specified when packaging and distributing our code via PyPI. As a result, we almost always have to manually "fix up" Dependabot's pull requests (usually by pulling down the branch and manually running poetry add <dependency>~<new-version>) to include appropriate pyproject.toml updates in order to actually affect the packaging of our project.

I'm guessing that this may be because Dependabot states support for PEP 621 compliant pyproject.toml files, and Poetry's pyproject.toml is not currently PEP 621 compliant. But as an end user of Dependabot, it would be useful to have this variant file format supported as well.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

gshpychka commented 8 months ago

The docs don't even mention the capability to make updates to poetry.lock, making this even more confusing

watermarkhu commented 5 months ago

This will be solved if https://github.com/python-poetry/poetry-core/pull/708 is merged, which makes poetry PEP 621 Compliant

carlincherry commented 3 months ago

cc @carlincherry @cmrice