
Support for Poetry 1.5 Source Priority

Open DanielRejniak opened this issue 2 years ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Feature description

We recently updated Poetry to version 1.5, which introduced source priority. This has caused unexpected errors in our Dependabot build. After further investigation of the dependabot-core codebase we think that there is no support for the latest Poetry changes (i.e. priorities), or the format produced by Poetry is incompatible, thus causing the issue.

This is especially important since the deprecation messages outline the following:

Warning: In a future version of Poetry, PyPI will be disabled automatically if at least one custom source is configured with another priority than 'explicit'. In order to avoid a breaking change and make your pyproject.toml forward compatible, add PyPI explicitly via 'poetry source add pypi'. By the way, this has the advantage that you can set the priority of PyPI as with any other source.

Additionally, it suggests avoiding the secondary property and moving over to priority-based sources:

Warning: Found deprecated priority 'secondary' for source ‘foo’ in pyproject.toml. Consider changing the priority to one of the non-deprecated values: 'default', 'primary', 'supplemental', 'explicit'.

I have raised a bug, but I believe this could be escalated to a feature request: https://github.com/dependabot/dependabot-core/issues/7431

DanielRejniak avatar Jun 15 '23 12:06 DanielRejniak

[[tool.poetry.source]]
url = "https://git.agilicus.com/api/v4/projects/328/packages/pypi/simple"
name = "common"
priority="primary"

[[tool.poetry.source]]
name = "PyPI"
priority = "primary"

This causes Dependabot to break.

--------Check platform/messages gunicorn 20.1.0
/bot/vendor/ruby/3.1.0/gems/dependabot-python-0.232.0/lib/dependabot/python/helpers.rb:23:in `run_poetry_command': The Poetry configuration is invalid: (Dependabot::SharedHelpers::HelperSubprocessFailed)
  - [source.0] Additional properties are not allowed ('priority' was unexpected)
  - [source.1] Additional properties are not allowed ('priority' was unexpected)
  - [source.1] 'url' is a required property

donbowman avatar Oct 05 '23 19:10 donbowman

Is anything happening here?

Rogalek avatar Jun 26 '24 10:06 Rogalek

Unable to reproduce

Repo: https://github.com/dsp-testing/python-dependabot-private-registry-issue-7440

pyproject.toml used here:

[tool.poetry]
name = "dependabot-jfrog-test"
version = "0.1.0"
description = ""
authors = ["Thavaa Hariharan <[email protected]>"]

[tool.poetry.dependencies]
requests = "2.32.2"
python = ">=3.8"

[[tool.poetry.source]]
name = "jfrog"
url = "https://jfrogghdemo.jfrog.io/artifactory/api/pypi/db-dependbot-python/simple"
priority = "primary"

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"

.github/dependabot.yml used:

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    versioning-strategy: "increase"
    insecure-external-code-execution: allow
    schedule:
      interval: "weekly"
    registries:
      - python-artifactory

registries:
  python-artifactory:
    type: "python-index"
    url: "https://jfrogghdemo.jfrog.io/artifactory/api/pypi/db-dependbot-python/simple"
    username: "[email protected]"  # Store username in GitHub Secrets
    password: "${{ secrets.PYTHON_TOKEN }}"
    replaces-base: true

PR generated as expected: https://github.com/dsp-testing/python-dependabot-private-registry-issue-7440/pull/1

Note: The message you are seeing is a Poetry error message, not a Dependabot error message. Consider changing the priority to one of the non-deprecated values: 'default', 'primary', 'supplemental', 'explicit'.

thavaahariharangit avatar Sep 09 '25 14:09 thavaahariharangit
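The following checker is an added example, not code from dependabot-core or Poetry. It parses the [[tool.poetry.source]] tables from a pyproject.toml and validates them two ways: against the pre-1.5 schema (which is what produced the "Additional properties are not allowed ('priority' was unexpected)" errors in donbowman's comment), and against the Poetry 1.5 rules quoted in the issue (the 'default'/'primary'/'supplemental'/'explicit' priorities, the deprecated 'secondary' value, and the forward-compatibility warning when a custom source is not 'explicit' and PyPI is not declared, which applies to the jfrog-only pyproject in the last comment). The sample pyproject fragments are taken from the comments above or constructed here; the function names and the exact warning wording are this example's own, and the fallback parser is an assumption for interpreters without tomllib.

```python
"""Validate [[tool.poetry.source]] entries the way Poetry 1.5 and the older
schema bundled with Dependabot 0.232 would. Example code, not Poetry's own."""

# Priority values accepted by Poetry 1.5; 'secondary' still parses but is deprecated.
VALID_PRIORITIES = {"default", "primary", "supplemental", "explicit"}
DEPRECATED_PRIORITIES = {"secondary"}
# Keys the pre-1.5 schema knew; anything else is an "additional property".
LEGACY_KEYS = {"name", "url", "default", "secondary"}

# Fragment posted by donbowman above: private index plus explicitly declared PyPI.
DONBOWMAN_PYPROJECT = """
[[tool.poetry.source]]
url = "https://git.agilicus.com/api/v4/projects/328/packages/pypi/simple"
name = "common"
priority="primary"

[[tool.poetry.source]]
name = "PyPI"
priority = "primary"
"""

# Constructed variant of the jfrog pyproject from the last comment: a primary
# private source and no explicit PyPI entry.
JFROG_PYPROJECT = """
[tool.poetry]
name = "dependabot-jfrog-test"

[[tool.poetry.source]]
name = "jfrog"
url = "https://jfrogghdemo.jfrog.io/artifactory/api/pypi/db-dependbot-python/simple"
priority = "primary"
"""

# Constructed sample using the deprecated 'secondary' priority.
SECONDARY_PYPROJECT = """
[[tool.poetry.source]]
name = "foo"
url = "https://example.invalid/simple"
priority = "secondary"
"""


def parse_sources(pyproject_text):
    """Return the list of [[tool.poetry.source]] tables as dicts.

    Uses tomllib (Python 3.11+) when available; otherwise a small line-based
    parser for the `key = "value"` form these tables use (an assumption).
    """
    try:
        import tomllib
    except ImportError:
        tomllib = None
    if tomllib is not None:
        data = tomllib.loads(pyproject_text)
        return data.get("tool", {}).get("poetry", {}).get("source", [])
    sources, current = [], None
    for raw in pyproject_text.splitlines():
        line = raw.strip()
        if line == "[[tool.poetry.source]]":
            current = {}
            sources.append(current)
        elif line.startswith("["):
            current = None  # some other table; stop collecting keys
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return sources


def check_sources(sources, schema="1.5"):
    """Return (errors, warnings) for the given sources.

    schema="legacy" reproduces the pre-1.5 validation messages seen in the
    Dependabot log above; schema="1.5" applies the Poetry 1.5 rules.
    """
    errors, warnings = [], []
    pypi_declared = False
    non_explicit_custom = False
    for idx, src in enumerate(sources):
        tag = f"[source.{idx}]"
        name = src.get("name", "")
        if schema == "legacy":
            for key in sorted(set(src) - LEGACY_KEYS):
                errors.append(f"{tag} Additional properties are not allowed ('{key}' was unexpected)")
            if "url" not in src:
                errors.append(f"{tag} 'url' is a required property")
            continue
        if not name:
            errors.append(f"{tag} 'name' is a required property")
        is_pypi = name.lower() == "pypi"
        if is_pypi:
            pypi_declared = True  # Poetry 1.5 allows a url-less PyPI entry
        elif "url" not in src:
            errors.append(f"{tag} 'url' is a required property")
        priority = src.get("priority")
        if priority in DEPRECATED_PRIORITIES:
            warnings.append(f"Found deprecated priority '{priority}' for source '{name}'. "
                            f"Consider one of: {', '.join(sorted(VALID_PRIORITIES))}.")
        elif priority is not None and priority not in VALID_PRIORITIES:
            errors.append(f"{tag} '{priority}' is not a valid priority")
        if not is_pypi and priority != "explicit":
            non_explicit_custom = True  # missing priority defaults to primary
    # Which index answers for a package name depends on priority order, so the
    # 1.5 warning asks for PyPI to be declared explicitly rather than implied.
    if schema == "1.5" and non_explicit_custom and not pypi_declared:
        warnings.append("PyPI will be disabled automatically in a future Poetry version; "
                        "add it explicitly via 'poetry source add pypi'.")
    return errors, warnings


if __name__ == "__main__":
    for label, text in [("donbowman", DONBOWMAN_PYPROJECT), ("jfrog", JFROG_PYPROJECT)]:
        for schema in ("legacy", "1.5"):
            errs, warns = check_sources(parse_sources(text), schema=schema)
            print(label, schema, "errors:", errs, "warnings:", warns)
```

Running it shows donbowman's fragment failing only under the legacy schema, with exactly the three messages from the Dependabot log, while under the 1.5 rules it is clean because PyPI is declared; the jfrog-only pyproject is valid but gets the forward-compatibility warning.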