
Dependabot creates PR for yanked python dependency #4411

Open
h3llrais3r opened this issue Nov 15, 2021 · 1 comment
Labels
core 🍏 Relates to the dependabot-core library itself F: dependency-deprecations Detecting, avoiding or removing deprecated versions L: python:poetry Python packages via poetry T: bug 🐞 Something isn't working

Comments


h3llrais3r commented Nov 15, 2021

Package ecosystem
pip poetry

Package manager version
poetry 1.1.11

Language version
Python 3.6

Manifest location and content prior to update
https://github.com/h3llrais3r/Auto-Subliminal/blob/development/pyproject.toml

dependabot.yml content

# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:

# Maintain dependencies for GitHub Actions
- package-ecosystem: github-actions
  directory: "/"
  target-branch: development
  schedule:
    interval: daily

# Maintain dependencies for pip (also includes poetry)
- package-ecosystem: pip
  directory: "/"
  schedule:
    interval: daily
  target-branch: development

# Maintain dependencies for npm
- package-ecosystem: npm
  directory: "/web/autosubliminal"
  target-branch: development
  schedule:
    interval: daily

Updated dependency
Bump gitpython from 3.1.18 to 3.1.20
h3llrais3r/Auto-Subliminal#565

What you expected to see, versus what you actually saw
Dependabot not creating a PR for a yanked version.
https://pypi.org/pypi/GitPython/3.1.20/json (marked as yanked)

Native package manager behavior

Images of the diff or a link to the PR, issue or logs

  proxy | 2021/11/15 18:55:06 [157] GET https://pypi.org:443/simple/pip/
  proxy | 2021/11/15 18:55:06 [157] 200 https://pypi.org:443/simple/pip/
  proxy | 2021/11/15 18:55:07 [159] GET https://pypi.org:443/pypi/gitpython/json
  proxy | 2021/11/15 18:55:07 [159] 301 https://pypi.org:443/pypi/gitpython/json
  proxy | 2021/11/15 18:55:07 [161] GET https://pypi.org:443/pypi/GitPython/json
  proxy | 2021/11/15 18:55:07 [161] 200 https://pypi.org:443/pypi/GitPython/json
  proxy | 2021/11/15 18:55:07 [163] GET https://pypi.org:443/pypi/gitpython/3.1.24/json
  proxy | 2021/11/15 18:55:07 [163] 301 https://pypi.org:443/pypi/gitpython/3.1.24/json
  proxy | 2021/11/15 18:55:07 [165] GET https://pypi.org:443/pypi/GitPython/3.1.24/json
  proxy | 2021/11/15 18:55:07 [165] 200 https://pypi.org:443/pypi/GitPython/3.1.24/json
  proxy | 2021/11/15 18:55:07 [167] GET https://pypi.org:443/pypi/gitpython/3.1.23/json
  proxy | 2021/11/15 18:55:07 [167] 301 https://pypi.org:443/pypi/gitpython/3.1.23/json
  proxy | 2021/11/15 18:55:07 [169] GET https://pypi.org:443/pypi/GitPython/3.1.23/json
  proxy | 2021/11/15 18:55:07 [169] 200 https://pypi.org:443/pypi/GitPython/3.1.23/json
  proxy | 2021/11/15 18:55:07 [171] GET https://pypi.org:443/pypi/gitpython/3.1.22/json
  proxy | 2021/11/15 18:55:07 [171] 301 https://pypi.org:443/pypi/gitpython/3.1.22/json
  proxy | 2021/11/15 18:55:07 [173] GET https://pypi.org:443/pypi/GitPython/3.1.22/json
  proxy | 2021/11/15 18:55:07 [173] 200 https://pypi.org:443/pypi/GitPython/3.1.22/json
  proxy | 2021/11/15 18:55:07 [175] GET https://pypi.org:443/pypi/gitpython/3.1.20/json
  proxy | 2021/11/15 18:55:07 [175] 301 https://pypi.org:443/pypi/gitpython/3.1.20/json
  proxy | 2021/11/15 18:55:08 [177] GET https://pypi.org:443/pypi/GitPython/3.1.20/json
  proxy | 2021/11/15 18:55:08 [177] 200 https://pypi.org:443/pypi/GitPython/3.1.20/json
  proxy | 2021/11/15 18:55:10 [179] GET https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:10 [179] 404 https://pypi.org:443/pypi/autosubliminal/json/
updater | INFO <job_233026321> Requirements to unlock own
  proxy | 2021/11/15 18:55:11 [181] GET https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [181] 404 https://pypi.org:443/pypi/autosubliminal/json/
updater | INFO <job_233026321> Requirements update strategy bump_versions
  proxy | 2021/11/15 18:55:11 [183] GET https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [183] 404 https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [185] GET https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [185] 404 https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [187] GET https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [187] 404 https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [189] GET https://pypi.org:443/pypi/autosubliminal/json/
  proxy | 2021/11/15 18:55:11 [189] 404 https://pypi.org:443/pypi/autosubliminal/json/
updater | INFO <job_233026321> Updating gitpython from 3.1.18 to 3.1.20
@h3llrais3r h3llrais3r added the T: bug 🐞 Something isn't working label Nov 15, 2021
@brrygrdn brrygrdn added L: python:poetry Python packages via poetry core 🍏 Relates to the dependabot-core library itself labels Nov 26, 2021
Member

jeffwidman commented Sep 14, 2022

We added custom logic to PoetryVersionResolver for handling yanked files here: 3338ede

However, that simply looks for a PackageNotFound error. So I think it's actually handling "deleted" rather than "yanked" packages.

In PEP-592, a "yanked" field was added to the API. So we need to ensure both our pip and poetry code paths handle whatever they do when a package was yanked.

Pip has had this for a while, but Poetry just got support in the recent 1.2 release: python-poetry/poetry#5841

@jeffwidman jeffwidman added the F: dependency-deprecations Detecting, avoiding or removing deprecated versions label Nov 24, 2022
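Added example (not dependabot-core code, not from either commenter) showing the PEP 592 check the comment above describes: read the PyPI JSON API response, treat a release as yanked when all of its files carry `yanked: true`, and drop such releases from the update candidates that a bot like the one in the report would otherwise propose. The `SAMPLE_PYPI_JSON` document is a constructed stand-in for https://pypi.org/pypi/GitPython/json; only the yanked flag on 3.1.20 mirrors the report, the file names, yanked reason and the empty 3.1.25 release are made up, and `parse_version` is a deliberately simplified PEP 440 parser.

```python
import json

# Constructed sample in the shape of https://pypi.org/pypi/<project>/json.
# Only the "yanked" flag on 3.1.20 mirrors the report; everything else is made up.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "GitPython"},
    "releases": {
        "3.1.18": [{"filename": "GitPython-3.1.18.tar.gz", "yanked": False, "yanked_reason": None}],
        "3.1.20": [{"filename": "GitPython-3.1.20.tar.gz", "yanked": True,
                    "yanked_reason": "constructed: broken release"}],
        "3.1.22": [{"filename": "GitPython-3.1.22.tar.gz", "yanked": False, "yanked_reason": None}],
        "3.1.24": [{"filename": "GitPython-3.1.24.tar.gz", "yanked": False, "yanked_reason": None}],
        "3.1.25": [],  # release with no files: nothing installable
    },
})


def parse_version(text):
    """Simplified PEP 440: plain dotted integers only. Pre-releases and local
    versions return None and are skipped; real code should use packaging.version."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None


def release_is_yanked(files):
    """PEP 592 flags yanking per file; pip treats a release as yanked when every
    file is yanked. An empty file list is unusable and treated the same way."""
    return not files or all(f.get("yanked", False) for f in files)


def yanked_versions(pypi_json_text):
    """Map each yanked version (with at least one file) to its yanked_reason."""
    releases = json.loads(pypi_json_text)["releases"]
    return {v: next((f.get("yanked_reason") for f in files if f.get("yanked")), None)
            for v, files in releases.items() if files and release_is_yanked(files)}


def update_candidates(pypi_json_text, current):
    """Versions newer than `current`, newest first, with yanked releases dropped.
    PEP 592 still lets an exact pin (==3.1.20) resolve to a yanked file, so an
    update bot must apply this filter itself rather than rely on the resolver."""
    cur = parse_version(current)
    if cur is None:
        raise ValueError(f"unsupported current version: {current}")
    keep = []
    for v, files in json.loads(pypi_json_text)["releases"].items():
        pv = parse_version(v)
        if pv is not None and pv > cur and not release_is_yanked(files):
            keep.append((pv, v))
    return [v for _, v in sorted(keep, reverse=True)]
```

Running `update_candidates(SAMPLE_PYPI_JSON, "3.1.18")` on the sample yields 3.1.24 and 3.1.22 but not the yanked 3.1.20 that the report's PR bumped to.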