open-telemetry / opentelemetry-python

OpenTelemetry Python API and SDK
https://opentelemetry.io
Apache License 2.0
1.67k stars 570 forks

Rename development requirement files #3874

Closed ocelotl closed 3 weeks ago

ocelotl commented 2 months ago

Fixes #3873

The issue here is that dependabot is opening security alerts for dependencies that are in our *requirements*txt files. The ideal solution would be to configure dependabot in such a way that these files are ignored but this seems to be impossible right now:

https://github.com/dependabot/dependabot-core/issues/2883
https://github.com/dependabot/dependabot-core/issues/1657

So, the proposed solution here is to rename all these files to something that is ignored by dependabot. This solution is less than ideal but it should work.

lzchen commented 1 month ago

@ocelotl

I keep making comments but for some reason they are disappearing. Are there any implications for changing the requirements.txt files and removing .txt? Will pip install -r requirements still work? Won't this technically break users who have pip install -r requirements.txt in their builds?

lzchen commented 1 month ago

@ocelotl

Apparently a lot of other language SIGs have switched to renovate for dependency checking. It allows for more granular configuration settings. Might be something worthwhile to look into.

We will have to make a request to add the action to our repo.

https://github.com/open-telemetry/community/issues?q=is%3Aissue+renovate+is%3Aclosed

Java config: https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/.github/renovate.json5

aabmass commented 1 month ago

> The ideal solution would be to configure dependabot in such a way that these files are ignored but this seems to be impossible right now:

Think we discussed this in the SIG, but I don't think this should be our aim. Ideally it would bump lockfile dependency versions for us and send a PR. Actually Renovate supports this with "lockfile maintenance" and I believe it works with pip-compile if we can list out our test dependencies (not transitive dependencies) and let the tool manage the lockfile.

That said, if dependabot spam is really bad, I'm OK to do whatever workaround.
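The "lockfile maintenance" approach described above, as an added illustration that is not part of this PR or the project's own configuration: a Renovate config that points the pip-compile manager at requirements.in input files and lets Renovate regenerate the compiled lockfile on a schedule, so only the direct test dependencies are hand-maintained. The file paths and the weekly schedule are assumptions for the example; `fileMatch` is the long-standing option name, and newer Renovate releases call the same setting `managerFilePatterns`.

```json5
// Added example (not the opentelemetry-python repo's config).
// Assumes each package keeps its direct test dependencies in a
// `*-requirements.in` file and commits the pip-compile output beside it.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Tell the pip-compile manager which hand-written input files exist;
  // Renovate regenerates the matching compiled output from these.
  "pip-compile": {
    fileMatch: ["(^|/)[^/]*requirements\\.in$"],
  },

  // Periodically re-resolve the whole lockfile (transitive pins included)
  // and open one PR, instead of one PR per pinned transitive dependency.
  lockFileMaintenance: {
    enabled: true,
    schedule: ["before 5am on monday"],
  },

  // Keep direct test-dependency bumps in a separate, grouped PR.
  packageRules: [
    {
      matchManagers: ["pip-compile"],
      groupName: "test dependencies",
    },
  ],
}
```

With this layout the compiled `*requirements*.txt` files are treated as generated output rather than as hand-edited dependency lists, which is the distinction the rename workaround in this PR was trying to approximate.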

ocelotl commented 1 month ago

> The ideal solution would be to configure dependabot in such a way that these files are ignored but this seems to be impossible right now:
>
> Think we discussed this in the SIG, but I don't think this should be our aim. Ideally it would bump lockfile dependency versions for us and send a PR. Actually Renovate supports this with "lockfile maintenance" and I believe it works with pip-compile if we can list out our test dependencies (not transitive dependencies) and let the tool manage the lockfile.
>
> That said, if dependabot spam is really bad, I'm OK to do whatever workaround.

Yes, this is not an ideal solution, and we can definitely benefit from updating the versions of our test dependencies. This is a workaround and the dependabot spam is really bad.

ocelotl commented 3 weeks ago

Closing this PR in favor of finding a long-term solution to keep our test dependencies up to date as discussed in the SIG.