Closed ocelotl closed 3 weeks ago
@ocelotl
I keep making comments but for some reason they are disappearing. Are there any implications for changing the requirements.txt files and removing .txt? Will pip install -r requirements still work? Won't this technically break users who have pip install -r requirements.txt in their builds?
@ocelotl
Apparently a lot of other language SIGs have switched to renovate for dependency checking. It allows for more granular configuration settings. Might be something worthwhile to look into.
We will have to make a request to add the action to our repo.
https://github.com/open-telemetry/community/issues?q=is%3Aissue+renovate+is%3Aclosed
Java config: https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/.github/renovate.json5
The ideal solution would be to configure dependabot in such a way that these files are ignored but this seems to be impossible right now:
Think we discussed this in the SIG, but I don't think this should be our aim. Ideally it would bump lockfile dependency versions for us and send a PR. Actually Renovate supports this with "lockfile maintenance" and I believe it works with pip-compile if we can list out our test dependencies (not transitive dependencies) and let the tool manage the lockfile.
That said, if the dependabot spam is really bad, I'm OK to do whatever workaround.
Yes, this is not an ideal solution, and we can definitely benefit from updating the versions of our test dependencies. This is a workaround and the dependabot spam is really bad.
Closing this PR in favor of finding a long-term solution to keep our test dependencies up to date as discussed in the SIG.
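The "lockfile maintenance" approach suggested above, as an added illustration that is not part of this PR or the opentelemetry-python repository: a minimal .github/renovate.json5 that turns on Renovate's lockFileMaintenance and points its pip-compile manager at the pinned test-requirements files. The fileMatch pattern, the schedule and the PR limit are assumptions chosen for this example; which file the pip-compile manager expects the pattern to match (the .in input or the compiled .txt output) depends on the Renovate version, so check the pip-compile manager documentation before copying it. Enabling the Renovate app on the repository still requires the community request mentioned earlier in the thread.

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // The pip-compile manager has no default fileMatch; it must be configured
  // explicitly. This pattern is an assumption for the example and should be
  // adjusted to the repository's actual requirements file names.
  "pip-compile": {
    fileMatch: ["(^|/)test-requirements\\.txt$"],
  },

  // Periodically regenerate the lockfiles so transitive pins are refreshed
  // in one PR instead of one Dependabot alert per pinned package.
  lockFileMaintenance: {
    enabled: true,
    schedule: ["before 5am on monday"], // assumption: weekly, off-hours
  },

  // Keep the number of open Renovate PRs bounded (assumed value).
  prConcurrentLimit: 5,
}
```

With this in place the direct test dependencies are listed once (in the .in file) and Renovate owns the compiled lockfile; the requirements files no longer need to be renamed to hide them from the scanner.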
Fixes #3873
The issue here is that dependabot is opening security alerts for dependencies that are in our *requirements*txt files. The ideal solution would be to configure dependabot in such a way that these files are ignored but this seems to be impossible right now:
https://github.com/dependabot/dependabot-core/issues/2883
https://github.com/dependabot/dependabot-core/issues/1657
So, the proposed solution here is to rename all these files to something that is ignored by dependabot. This solution is less than ideal but it should work.