
chore: pin dependencies and enable dependabot #388

Closed
wants to merge 5 commits

Conversation

josecorella
Contributor

Description of changes:
Pins the following dependencies:
boto3, cryptography, attrs, wrapt
mock, pytest, pytest-cov, pytest-mock, bandit, doc8, flake8, pylint, black, isort

Why were those versions picked?
I picked these versions from the last successful GitHub Actions workflow.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

@josecorella josecorella marked this pull request as ready for review December 16, 2021 00:05
@josecorella josecorella requested a review from a team as a code owner December 16, 2021 00:05
Comment on lines -1 to +4
boto3>=1.10.0
cryptography>=2.5.0
attrs>=17.4.0
wrapt>=1.10.11
boto3==1.20.24
cryptography==36.0.1
attrs==21.2.0
wrapt==1.13.3
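Review bot: Replacing every `>=` floor with an exact `==` pin in requirements.txt turns this library's install metadata into a lock file, so any consumer whose environment already holds a different `boto3`, `cryptography`, `attrs` or `wrapt` gets a resolver conflict instead of a working install. Keep the floors here (raise one, e.g. `cryptography>=2.5.0` to a higher version, only when a specific older release must be excluded) and record the exact versions CI validated in a separate constraints or lock file that CI installs with `pip install -c`. If the motivation is reproducible, tamper-evident builds, note that `==` pins alone do not verify what pip downloads; that needs `--hash=sha256:...` entries, which `pip-compile --generate-hashes` can produce.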
Contributor

I think that this is a bad idea. Why? Our customers now cannot use different versions of these dependencies in their environments. I recommend reverting the changes in this file.

@texastony texastony (Contributor) left a comment

Explicitly inform us that Dependabot will consider test/requirements.txt.

Undo your changes to requirements.txt. I would rather let Dependabot tell us that version XYZ has a security issue, so use >=ABC, than commit to pinning to these latest versions that our customers may not have in their environments yet.
I favor flexible dependencies to accommodate our customers... but I could be wrong.
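The trade-off texastony raises above, as an added example that is not part of this PR or the project's code: a small stdlib-only checker that parses requirement lines of the form shown in the diff and reports which ones a given environment violates. The old and pinned requirement sets are copied from the diff; the customer environment versions and the third, raised-floor set are constructed for illustration and say nothing about real releases. Only plain dotted numeric versions and the operators `==`, `!=`, `>=`, `<=`, `>`, `<` are handled.

```python
"""Check a customer's installed versions against a requirements file.

Added example, not code from this PR or the project. It parses
'name<op>version[,<op>version...]' lines like those in the diff above
with a minimal dotted-version comparison (numeric segments only; no
pre-release, post-release or local segments) and reports which
requirements an environment violates.
"""
import re
from typing import Dict, List, Tuple

# Old and new requirements.txt contents, copied from the hunk in this PR.
OLD_REQUIREMENTS = """\
boto3>=1.10.0
cryptography>=2.5.0
attrs>=17.4.0
wrapt>=1.10.11
"""
NEW_REQUIREMENTS = """\
boto3==1.20.24
cryptography==36.0.1
attrs==21.2.0
wrapt==1.13.3
"""
# Hypothetical middle ground: keep the floors and raise only the one that
# must move. Illustrative numbers only, not a statement about any real fix.
RAISED_FLOOR_REQUIREMENTS = """\
boto3>=1.10.0
cryptography>=3.0.0,<37
attrs>=17.4.0
wrapt>=1.10.11
"""

# Constructed sample customer environment (hypothetical versions).
CUSTOMER_ENV = {
    "boto3": "1.18.5",
    "cryptography": "3.4.8",
    "attrs": "21.2.0",
    "wrapt": "1.12.1",
}

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.10.11' -> (1, 10, 11); numeric dotted versions only."""
    return tuple(int(part) for part in text.strip(".").split("."))


def version_satisfies(installed: str, op: str, wanted: str) -> bool:
    """Compare two dotted versions, zero-padding so '1.10' == '1.10.0'."""
    a, b = parse_version(installed), parse_version(wanted)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return {
        "==": a == b, "!=": a != b,
        ">=": a >= b, "<=": a <= b,
        ">": a > b, "<": a < b,
    }[op]


def parse_requirements(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map lower-cased package name -> list of (operator, version) specs."""
    reqs: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r / -c / --hash
        m = _NAME_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable requirement: {raw!r}")
        name, spec_text = m.group(1).lower(), m.group(2)
        specs: List[Tuple[str, str]] = []
        for part in spec_text.split(","):
            part = part.strip()
            if not part:
                continue  # bare name: any installed version is acceptable
            sm = _SPEC_RE.match(part)
            if sm is None:
                raise ValueError(f"unsupported specifier {part!r} in {raw!r}")
            specs.append((sm.group(1), sm.group(2)))
        reqs[name] = specs
    return reqs


def check_environment(requirements_text: str, installed: Dict[str, str]) -> Dict[str, str]:
    """Return {package: reason} for every requirement the environment violates."""
    conflicts: Dict[str, str] = {}
    for name, specs in parse_requirements(requirements_text).items():
        have = installed.get(name)
        if have is None:
            conflicts[name] = "not installed"
            continue
        failed = [op + ver for op, ver in specs if not version_satisfies(have, op, ver)]
        if failed:
            conflicts[name] = f"installed {have} violates {','.join(failed)}"
    return conflicts


if __name__ == "__main__":
    for label, text in [("old floors", OLD_REQUIREMENTS),
                        ("exact pins", NEW_REQUIREMENTS),
                        ("raised floor", RAISED_FLOOR_REQUIREMENTS)]:
        print(f"{label}: {check_environment(text, CUSTOMER_ENV) or 'OK'}")
```

Against the constructed environment the old floors install cleanly, the exact pins reject three of the four packages, and the raised floor rejects only an environment that still carries a version below the new minimum, which is the `>=ABC` response the review describes. Full PEP 440 handling (pre-releases, `~=`, wildcards, local versions) is what `packaging.specifiers.SpecifierSet` provides; this parser is deliberately limited to the forms that appear in the diff.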


Comment on lines +1 to +20
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
target-branch: "mainline-1.x"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
target-branch: "mainline-2.x"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
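Review bot: All three `pip` entries point at `directory: "/"`, and Dependabot's pip support, as far as I know, fetches the requirements files in that directory plus whatever they pull in with `-r`; it does not walk into `test/`, so `test/requirements.txt` (which this PR also pins) is not covered unless the root file references it or it gets its own entry with `directory: "/test"` on each of the three target branches. The entry without `target-branch` updates the default branch, which is presumably intended, but four entries on `interval: "daily"` across three branches will generate a steady stream of PRs; consider `open-pull-requests-limit` on each entry to keep that reviewable.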
Contributor

Do we know if Dependabot will make recommendations for any requirements file? Or will it only think about the requirements file in the root directory and ignore test/requirements.txt?

Contributor Author

It'll look at any requirements file; it's the same way with the ddbec-java repo. There are two pom.xml files, one in the root and one in sdk1/.

@josecorella (Contributor Author)

Closing in favor of #389

2 participants