dependabot-core
The `increase` strategy should move ranges forward, not widen them
This was first noticed at https://github.com/dependabot/dependabot-core/issues/6625#issuecomment-1424140956.
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
Python (but not sure if it's specific to it, could be the same in other ecosystems)
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
pyproject.toml
[build-system]
requires = ["setuptools"]
build-backend = "setuptools.build_meta"
[project]
name = "lorem"
version = "2.5.0"
requires-python = ">=3.9,<4.0"
description = "Generator for random text that looks like Latin."
dependencies = [
"more-itertools>=8,<9",
]
requirements.txt
more-itertools==8.14.0
dependabot.yml content
version: 2
updates:
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 10
    allow:
      # Allow both direct and indirect updates for all packages
      - dependency-type: "all"
    versioning-strategy: increase
Updated dependency
more-itertools from 8.14.0 to 9.0.0
What you expected to see, versus what you actually saw
I saw
diff --git a/pyproject.toml b/pyproject.toml
index 788d44b..49a07c9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,5 +8,5 @@ version = "2.5.0"
requires-python = ">=3.9,<4.0"
description = "Generator for random text that looks like Latin."
dependencies = [
- "more-itertools>=8,<9",
+ "more-itertools>=8,<10",
]
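Review bot: the `+` line keeps the lower bound at `>=8` and only raises the upper bound to `<10`, so the resulting range `>=8,<10` still admits every 8.x release; that is the `widen` behaviour, whereas the `increase` strategy named in the title should advance the lower bound along with the update, e.g. `"more-itertools>=9,<10"`.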
I would've expected
diff --git a/pyproject.toml b/pyproject.toml
index 788d44b..49a07c9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,5 +8,5 @@ version = "2.5.0"
requires-python = ">=3.9,<4.0"
description = "Generator for random text that looks like Latin."
dependencies = [
- "more-itertools>=8,<9",
+ "more-itertools>=9,<10",
]
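Review bot: the `index 788d44b..49a07c9` line is copied verbatim from the observed diff above, but this hunk's `+` line differs (`>=9,<10` versus `>=8,<10`), so the post-image blob hash could not be the same; since this is a hand-written expectation rather than a real diff, either drop the `index` line or mark it as illustrative.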
because the current behavior is widening, not increasing?
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
https://github.com/sanderr/inmanta-module-factory/pull/7/
Smallest manifest that reproduces the issue
No response
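As an added illustration (not dependabot-core's own code) of the two strategies this issue contrasts, the following Python applies `widen` and `increase` to a pip-style `>=LOW,<HIGH` specifier and classifies which of the two a before/after pair corresponds to, which is the kind of check an automated pipeline processing Dependabot pull requests could use. Only this simple specifier form is handled, and the function names are assumptions.

```python
"""Constructed example: `widen` vs `increase` on a "name>=LOW,<HIGH" specifier.
Not dependabot-core's implementation; real PEP 440 specifiers are far richer."""
import re

SPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)>=(?P<low>[\d.]+),<(?P<high>[\d.]+)$")


def _ver(s):
    """Turn "9.0.0" into a comparable tuple (9, 0, 0)."""
    return tuple(int(p) for p in s.split("."))


def parse(spec):
    m = SPEC_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    return m["name"], m["low"], m["high"]


def _next_major_bound(new_version, n_parts):
    """Upper bound excluding the next major, rendered with n_parts components."""
    return ".".join([str(_ver(new_version)[0] + 1)] + ["0"] * (n_parts - 1))


def widen(spec, new_version):
    """Keep the lower bound; raise the upper bound only so new_version fits."""
    name, low, high = parse(spec)
    if _ver(new_version) < _ver(high):
        return spec  # already satisfied, nothing to change
    return f"{name}>={low},<{_next_major_bound(new_version, len(high.split('.')))}"


def increase(spec, new_version):
    """Move the whole range forward: lower bound follows the new version
    (same granularity as the old lower bound), upper bound follows it."""
    name, low, high = parse(spec)
    if _ver(new_version) < _ver(high):
        return spec
    new_low = ".".join(str(p) for p in _ver(new_version)[: len(low.split("."))])
    return f"{name}>={new_low},<{_next_major_bound(new_version, len(high.split('.')))}"


def classify(before, after):
    """Name the kind of range change a PR made: unchanged, widen, increase, other."""
    _, lo0, hi0 = parse(before)
    _, lo1, hi1 = parse(after)
    if (_ver(lo0), _ver(hi0)) == (_ver(lo1), _ver(hi1)):
        return "unchanged"
    if _ver(lo1) == _ver(lo0) and _ver(hi1) > _ver(hi0):
        return "widen"
    if _ver(lo1) > _ver(lo0):
        return "increase"
    return "other"
```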
Minor comment: in the manifest before the update I think you've got a typo / copy-paste error: `<10` should be `<9`.
Thank you, fixed!
I think it might actually be a duplicate of #6519
Actually, this one may be a bit broader than the other one. Same root cause but slightly different symptoms.
Yeah, agreed, I'm going to unify both!
@deivid-rodriguez @abdulapopoola Hi. Is anything planned for this issue? We're suffering from this bug and need to increase the lower bound (actually, just standalone) of a `>=` dependency notation in setup.py.
This issue was related to issue 6630 and 6632. I will take a look at them and see what I can come up with.
The issue has been reproduced internally and we are currently analyzing the cause between the package manager and Dependabot.
The issue regarding the lower bound is fixed. As mentioned in the document, the minimum version is going to be increased to match the new version.
Hi, thanks for looking into this. However, if I recall correctly this is a breaking change without an upgrade path for the old behavior. I believe #6630 should have been addressed first, and released before this one to not break users' flows.
My apologies to raise this issue so late. I'd mentioned it sometime before but I only now notice that it's not in this thread.
Thanks @sanderr. I am looking into the widening issue as well. I am planning to come up with a solution for widening and increase together.
@jeffwidman, @abdulapopoola
@kbukum1 just to make sure I understood correctly, can you confirm that no changes to the default versioning strategy (e.g. #10060) will be released before the fix for #6630? How about the other way around to allow for an upgrade path?
@sanderr,
Sorry for the late reply. I found an issue that will affect other strategies. Going to create changes for that. Reopening the issue and going to apply the changes.
@deivid-rodriguez, @sanderr,
I have created a Draft PR to ensure the changes apply only to the increase strategy. I would appreciate it if you could review it: Draft PR #10154.
I reviewed it to the best of my ability.
I have to confess I'm still unclear as to your plan with regards to #6630. The reason I ask is that we do some automated processing of dependabot pull requests. If a future release will change the default behavior from widen to increase, we will have to pause our automated processing before that release. And if I understand correctly (correct me if I'm wrong), your changes do exactly this: change the default behavior from widen to increase (by fixing increase, which is the default strategy).
So could you tell me what is the plan with regards to that? Will you release the change of default behavior like this (1), together with a fix for #6630 (2) or first release a fix for #6630 and then only release the changes to the default behavior in some future release (3)?
This is being closed as won't fix for now as we consider a deeper systemic fix.