ersilia-os / ersilia

The Ersilia Model Hub, a repository of AI/ML models for infectious and neglected disease research.
https://ersilia.io
GNU General Public License v3.0
224 stars 147 forks

🐈 Task: Push a lockfile to repo so Dependabot can patch security alerts automatically #1394

Closed DhanshreeA closed 1 hour ago

DhanshreeA commented 1 day ago

Summary

We have these security alerts from Dependabot, which it cannot patch automatically because of the lack of a lockfile. It appears this has happened since moving away from the requirements.txt + setup.py way of managing dependencies to using a poetry-backed pyproject.toml. As the alerts state, this should be resolvable by adding a lockfile, so the bot can go back to creating PRs automatically.

Objective(s)

No response

Documentation

No response

DhanshreeA commented 1 day ago

Based on the discussion in this thread, it appears that Dependabot only patches the lock file and not the pyproject.toml file. Therefore adding a lock file will only create more work for us and not really provide much benefit over manually updating the pyproject.toml file. This will be useful once this feature is actually resolved in Dependabot (which in turn depends on a new poetry release), therefore this is not worth addressing until next year.
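The comment above turns on the gap between what a lock-only update can change and what is declared in pyproject.toml. The following is an added, hypothetical checker (not Ersilia code, and not something the issue proposes) that parses the two files and reports, per dependency, whether the locked version still sits inside the declared Poetry constraint; a locked version outside the range is exactly the case a lockfile-only bump cannot reach without editing pyproject.toml. Both input files are constructed samples embedded inline; the parser assumes plain numeric versions, the caret/tilde/comparison constraint forms Poetry commonly uses, and uses `tomllib` (Python 3.11+) with a minimal line-based fallback when that module is missing.

```python
"""Compare poetry.lock pins against pyproject.toml constraints (hypothetical helper)."""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters: use the minimal parsers below
    tomllib = None

# Constructed sample files, not taken from any real repository.
PYPROJECT = """
[tool.poetry]
name = "demo"
version = "0.1.0"

[tool.poetry.dependencies]
python = "^3.9"
requests = "^2.28.0"
pyyaml = "~6.0"
urllib3 = ">=1.26.0,<2.0.0"
"""

POETRY_LOCK = """
[[package]]
name = "requests"
version = "2.31.0"

[[package]]
name = "pyyaml"
version = "6.0.1"

[[package]]
name = "urllib3"
version = "2.0.7"
"""


def _parse_dependencies(text):
    """Return {name: constraint} from the [tool.poetry.dependencies] table."""
    if tomllib:
        deps = tomllib.loads(text)["tool"]["poetry"]["dependencies"]
        return {k: v for k, v in deps.items() if isinstance(v, str)}
    deps, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[tool.poetry.dependencies]"
            continue
        m = re.match(r'^([\w.-]+)\s*=\s*"([^"]*)"$', line)
        if in_section and m:
            deps[m.group(1)] = m.group(2)
    return deps


def _parse_lock(text):
    """Return {name: version} from the [[package]] tables of poetry.lock."""
    if tomllib:
        return {p["name"]: p["version"] for p in tomllib.loads(text)["package"]}
    locked, name = {}, None
    for line in text.splitlines():
        m = re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line.strip())
        if m and m.group(1) == "name":
            name = m.group(2)
        elif m and name:
            locked[name] = m.group(2)
            name = None
    return locked


def _vtuple(v):
    """'2.31' -> (2, 31, 0); numeric-only versions are assumed."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def constraint_bounds(spec):
    """Translate one Poetry constraint into (op, version-tuple) tests."""
    spec = spec.strip()
    if spec in ("*", ""):
        return []
    if spec[0] in "^~" and not spec.startswith("~="):
        raw = spec[1:]
        parts = [int(p) for p in raw.split(".")]
        low = _vtuple(raw)
        if spec[0] == "^":  # caret: bump the leftmost non-zero component
            if parts[0] != 0 or len(parts) == 1:
                high = (parts[0] + 1, 0, 0)
            elif len(parts) == 2 or parts[1] != 0:
                high = (0, parts[1] + 1, 0)
            else:
                high = (0, 0, parts[2] + 1)
        else:  # tilde: allow patch-level changes only (minor if only major given)
            high = (parts[0] + 1, 0, 0) if len(parts) == 1 else (parts[0], parts[1] + 1, 0)
        return [(">=", low), ("<", high)]
    bounds = []
    for clause in spec.split(","):
        m = re.match(r"^\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {spec!r}")
        bounds.append((m.group(1), _vtuple(m.group(2))))
    return bounds


_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        "!=": lambda a, b: a != b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def satisfies(version, spec):
    """True when `version` lies inside the Poetry constraint `spec`."""
    v = _vtuple(version)
    return all(_OPS[op](v, bound) for op, bound in constraint_bounds(spec))


def audit(pyproject_text, lock_text):
    """Return {name: (constraint, locked_version, ok)}; ok is False when the
    locked version has drifted outside the range declared in pyproject.toml."""
    locked = _parse_lock(lock_text)
    report = {}
    for name, spec in _parse_dependencies(pyproject_text).items():
        if name == "python" or name not in locked:
            continue
        report[name] = (spec, locked[name], satisfies(locked[name], spec))
    return report


if __name__ == "__main__":
    for name, (spec, ver, ok) in audit(PYPROJECT, POETRY_LOCK).items():
        print(f"{'OK   ' if ok else 'DRIFT'} {name}: pyproject {spec} / lock {ver}")
```

Run against the embedded samples, `requests` and `pyyaml` report OK while `urllib3` reports DRIFT: its locked 2.0.7 is outside `<2.0.0`, so a Dependabot update that touches only the lock could not have produced it and a fix at that version would need the pyproject.toml constraint raised by hand. In a real repository the two strings would be read from the files on disk; pre-release suffixes would need a fuller version parser than the numeric tuple used here.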

DhanshreeA commented 23 hours ago

The referenced alerts are addressed here for now.