
Dependabot support for dependencies in hatch environments

Open jorisroovers opened this issue 2 years ago • 2 comments

Something I’d like to have is dependabot support for dependencies in hatch environments, e.g. hatch.envs.test.dependencies.

Example dependencies section:

https://github.com/jorisroovers/gitlint/blob/7b0c255de3c3f51c62d8a182d7b1994450acf888/pyproject.toml#L83-L92

Related things I found:

  1. I’ve read https://github.com/dependabot/dependabot-core/issues/3290, but AFAICT, that only pertains to top-level dependencies and optional-dependencies (which works well in my experience). I couldn’t find any existing issue for environment-level dependency support within the hatch or dependabot projects, although I’d be surprised if I’m the first one asking?

  2. I also had a quick glance at hatch-requirements-txt with the idea of splitting the test dependencies back out in a test-requirements.txt file so dependabot can pick them up. However, this feels like a step backwards and I think hatch-requirements-txt actually only supports project-level dependencies too (so this wouldn’t work).

  3. I also found the workaround by using the features option (although #729 would need to be fixed since I use skip-install=True), but I prefer not to expose the development dependencies to users, even as optional dependencies.

Is this something you think will eventually be supported, or is there another workaround available? Thanks!

jorisroovers, Mar 09 '23 08:03
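The second workaround the post considers, mirroring environment-level dependencies into a requirements file so Dependabot's pip ecosystem can track them, can be scripted without giving up `[tool.hatch.envs.*]` as the source of truth. The following is an added example, not code from the gitlint project, hatch or Dependabot; the `pyproject.toml` content is constructed, the `requirements-<env>.txt` naming is my choice, and the inheritance model it applies (an env inherits `dependencies` from its `template`, which defaults to `default`, unless it sets its own list; `extra-dependencies` are appended; `detached = true` disables inheritance) is my reading of hatch's rules and should be checked against the hatch version in use.

```python
"""Export [tool.hatch.envs.*] dependencies into requirements files.

Dependabot's pip ecosystem watches requirements*.txt files but not the
environment-level dependency lists hatch keeps in pyproject.toml. This
script mirrors those lists into files Dependabot can track.

Assumed hatch inheritance model (assumption, verify against your hatch):
  - an env inherits `dependencies` from its `template` (default: "default")
    unless it defines its own `dependencies` list,
  - `extra-dependencies` are appended after inheritance,
  - `detached = true` disables inheritance entirely.
"""
from __future__ import annotations

from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample; not the gitlint project's real pyproject.toml.
SAMPLE_PYPROJECT = """
[project]
name = "example"
dependencies = ["click>=8.0"]

[tool.hatch.envs.default]
dependencies = ["pytest==7.2.2"]

[tool.hatch.envs.test]
extra-dependencies = ["coverage[toml]==7.2.1"]

[tool.hatch.envs.lint]
dependencies = ["ruff==0.0.254"]

[tool.hatch.envs.docs]
detached = true
dependencies = ["mkdocs==1.4.2"]
"""


def resolve_env_dependencies(pyproject_text: str) -> dict[str, list[str]]:
    """Return {env_name: [requirement, ...]} with template inheritance applied."""
    envs = tomllib.loads(pyproject_text).get("tool", {}).get("hatch", {}).get("envs", {})

    def resolve(name: str, seen: tuple[str, ...] = ()) -> list[str]:
        if name in seen:
            raise ValueError("template cycle: " + " -> ".join(seen + (name,)))
        cfg = envs.get(name, {})
        template = cfg.get("template", "default")
        if cfg.get("detached") or template == name or template not in envs:
            inherited: list[str] = []
        else:
            inherited = resolve(template, seen + (name,))
        # An explicit `dependencies` list replaces the inherited one.
        deps = list(cfg.get("dependencies", inherited))
        deps += list(cfg.get("extra-dependencies", []))
        return deps

    return {name: resolve(name) for name in envs}


def render_requirements(env_name: str, deps: list[str]) -> str:
    """Render one requirements file; sorted and de-duplicated so output is stable."""
    lines = [f"# Generated from [tool.hatch.envs.{env_name}] in pyproject.toml; do not edit by hand."]
    lines += sorted(set(deps))
    return "\n".join(lines) + "\n"


def export_requirements(pyproject_path: Path, out_dir: Path) -> list[Path]:
    """Write requirements-<env>.txt for every env with dependencies; return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written: list[Path] = []
    for env_name, deps in resolve_env_dependencies(pyproject_path.read_text()).items():
        if not deps:
            continue
        target = out_dir / f"requirements-{env_name}.txt"
        target.write_text(render_requirements(env_name, deps))
        written.append(target)
    return written


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) > 1:
        pyproject = Path(sys.argv[1])
        out = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("requirements")
        for path in export_requirements(pyproject, out):
            print("wrote", path)
    else:  # demo run on the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            sample = Path(tmp) / "pyproject.toml"
            sample.write_text(SAMPLE_PYPROJECT)
            for path in export_requirements(sample, Path(tmp) / "requirements"):
                print(path.name)
                print(path.read_text())
```

With the files committed under `requirements/`, a `.github/dependabot.yml` entry with `package-ecosystem: "pip"` and `directory: "/requirements"` makes Dependabot open PRs against them. The caveat is that Dependabot then bumps the mirror, not `pyproject.toml`; the generated files need to be regenerated (for example in CI, failing the build if the output differs from what is committed) so the two do not drift, and any bump Dependabot proposes still has to be copied back into the hatch env definition by hand.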

Isn't that an issue that concerns the dependabot developers?

Also, what is the use-case? I'm assuming that hatch environments are used for development purposes and thus I don't see the need to prevent shipping possibly insecure software to the public. I'm also assuming that developers choose reasonable version specifications and keep their environments up-to-date; the latter is something that hatch does regularly for the developer.

funkyfuture, Mar 17 '23 16:03

There's also https://github.com/juftin/hatch-pip-compile, which I'm using to generate my requirements.txt files for use by Dependabot.

jmehnle, Mar 08 '25 00:03