Pyup ignores maximum version number

Open vdboor opened this issue 6 years ago • 3 comments

In the dependency Django >= 1.11.10,< 2.0, pyup suggests to upgrade this to Django==2.0.2. This seems a bit odd, as the project explicitly states it doesn't handle Django 2.0.


A similar thing happens with Python version numbers, where pyup wants to upgrade non-Python 2 compatible releases to a Python 3-only version:

ipython == 5.5.0; python_version < '3.0'
ipython >= 6.2.1; python_version >= '3.0'

Pyup suggests to install a Python 3 release: ipython==6.2.1; python_version < '3.0'

vdboor avatar Mar 05 '18 10:03 vdboor

Hey @vdboor :wave:

Do you have a requirements file I can take a look at to feed the debugger?

jayfk avatar Mar 05 '18 10:03 jayfk

Yes, surely! Thanks for the quick response. You can find it at https://github.com/edoburu/django-project-template/pull/25/files

The gist is:

Django >= 1.11.10,< 2.0
ipython == 5.5.0; python_version < '3.0'
ipython >= 6.2.1; python_version >= '3.0'

vdboor avatar Mar 05 '18 10:03 vdboor

Ah! The bot isn't taking these ranges into account. It always pins the given dependency to make the build deterministic.

This way you are able to know exactly what release you are currently running (and what's the latest release) by simply looking at the requirements file. If you are using a range, the bot doesn't really know what you are currently running on your servers.

You can achieve the same thing using the bot like this:

Django==1.11.10 # pyup: <2.0
ipython==5.5.0; python_version < '3.0' # pyup: ignore
ipython==6.2.1; python_version >= '3.0'

This will tell the bot to update Django to anything lower than 2.0 and to ignore ipython for Python 2.7.

When using the latest Django LTS, it also makes sense to add an expiry date. More on that here: https://github.com/pyupio/pyup/issues/263

jayfk avatar Mar 05 '18 11:03 jayfk
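
A pre-merge check for bot-proposed pins, added here as an example and not taken from pyup's code: it tests a proposed version against the original range and against the two filter comments shown in this thread (`# pyup: <2.0` and `# pyup: ignore`). The function names are hypothetical, and it assumes plain numeric versions (no pre-release tags) and no other filter forms.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
CLAUSE = re.compile(r"\s*(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

def release(version):
    """'1.11.10' -> (1, 11, 10). Numeric releases only (assumption)."""
    return tuple(int(part) for part in version.strip().split("."))

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        a, b = release(version), release(m.group(2))
        width = max(len(a), len(b))          # so 2.0 compares equal to 2.0.0
        a += (0,) * (width - len(a))
        b += (0,) * (width - len(b))
        if not OPS[m.group(1)](a, b):
            return False
    return True

def parse_line(line):
    """Split a pinned requirements line into (name, pin, marker, filter)."""
    req, _, comment = line.partition("#")
    req, _, marker = req.partition(";")      # marker may itself contain '=='
    name, _, pin = req.partition("==")
    comment = comment.strip()
    flt = comment[len("pyup:"):].strip() if comment.startswith("pyup:") else None
    return name.strip(), pin.strip(), marker.strip(), flt

def update_allowed(line, proposed):
    """Would bumping this line to `proposed` respect its filter comment?"""
    _, _, _, flt = parse_line(line)
    if flt is None:
        return True                          # no filter: nothing restricts it
    if flt == "ignore":
        return False                         # line is frozen
    return satisfies(proposed, flt)

if __name__ == "__main__":
    # Lines and versions taken from the thread above.
    print(satisfies("2.0.2", ">= 1.11.10,< 2.0"))                   # range check
    print(update_allowed("Django==1.11.10 # pyup: <2.0", "2.0.2"))  # filter check
```
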