[python] handling multiple requirements.txt like files or custom pip-compile commands? #3940
Comments
|
We're also looking for this addition; we separate out into |
|
It looks like there is a pip-compile package ecosystem now that I will have to check out: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#package-ecosystem Possible example: https://github.com/mozilla-releng/tooltool/blob/fb7d180f5c21286f443a709e57538643fd8b6707/.github/dependabot.yml For reference in my own work: I've had to start putting everything in Ex: pip-compile --extra=types --generate-hashes --no-emit-index-url --output-file=requirements.txt
pip-compile --allow-unsafe --extra=dev --extra=types --generate-hashes --no-emit-index-url --output-file=requirements-dev.txtrather than using I feel like I'm missing an obvious preference here where dependabot should be able to be fed a list of requirements files (as |
|
+1, it is extremely common to separate required, optional, documentation, linting, testing, and developer dependencies into separate files. Some examples:
We would love to do this in TorchGeo too so we don't have to install all required/optional/doc/linting/testing deps just to run flake8 during a test. |
|
Actually, I just tried this and it seems to work? Both Maybe this works fine but just isn't documented? |
|
@adamjstewart is that the right PR reference? |
|
Ah, it looks like dependabot force-pushed and overwrote the original commit after I moved one of those files to a different directory. The original commit edited both files. |
|
Yes, these days dependabot does not just trust the filename, but runs some checks to discover |
|
Could you update the docs to indicate that files besides requirements.txt will also be found? It wasn't clear until I dug around and found this thread. |
|
Hello @deivid-rodriguez, we have a single requirements.in that generates 2 different .txt files one using dependabot will only keep one of them updated, the non hashed one, the 1st in lexical order, not sure how it get chosen over the other, but it's constantly this one. |
|
Hei @JonathanRenon-EDB! I'm no longer part of the Dependabot team. I recommend to open a separate issue explaining your current problem, though. This has been closed for too long without complaints, fresh issue is better 👍. |
Package ecosystem
pip
Package manager version
pip 21.0.1
Language version
Python 3.8
Manifest location and content prior to update
dependabot.yml content
https://github.com/pycontribs/jira/blob/master/.github/dependabot.yml
Updated dependency
urllib
What you expected to see, versus what you actually saw
Of the two requirements files only one of them was updated.
We generate separate requirements for test and install using
pip-compile:https://github.com/pycontribs/jira/blob/f96495a6ca90b037c477761db3ad7a1cad0aaff0/tox.ini#L75
So it may be that we are using dependabot incorrectly for this setup.
Native package manager behavior
Not related to package resolution
Images of the diff or a link to the PR, issue or logs
pycontribs/jira#1064
🕹 Bonus points: Smallest manifest that reproduces the issue
I think have any two requirements files that specify the same package and dependabot would only update one
requirements.txt
test-requirements.txt
The text was updated successfully, but these errors were encountered: