Support Poetry 1.5.1 poetry.lock with absence of category key #7418
Conversation
|
Another thought I had looking at this. In But Dependabot isn't actually operating against any version other than 1.5.1, so this To make it clear which version Dependabot is operating with. Then update PRs like #7350 don't need to widen, they just need to update this explicit version. Thoughts? |
|
The test failures are what I was afraid of. Looks like Dependabot has special logic on the So I think that the current Dependabot code will not work with a Poetry 1.5 lockfile and more needs to be done to make Dependabot compatible. EDIT - looks like more details on the |
|
I’m not exactly sure how this needs to change. It seems like this was designed to work in the absence of a pyproject.toml file, but now the dependency group information is only managed there. Should we move the check to just look at pyproject.toml instead? |
phillipuniverse
changed the title
|
I looked a bit more into this and we are butting up against multiple tech debt issues here with Poetry changing things. Since the category is removed from Determining the category from Here is a good example that illustrates the different ways to specify dependencies ( Support for group dependencies was added in this PR but works around the issue by continuing to rely on the Finally, there is some core GitHub integration at play to be able to parse out dependencies in the 'Insights' tab. This was called out at #6659 (comment) and something might have to change there depending on the reliance on This PR needs additional guidance from the Dependabot maintainers for how to proceed. |
phillipuniverse
force-pushed
the
poetry-1.5-lockfile
branch
from
9a06793
to
74e6e77
Compare
|
As far as the As to the issue with the |
|
@pavera thanks for the additional information! Specifically the Python 3.6 nuance, I had not considered how that worked but it makes perfect sense now how someone would get Poetry 1.1.15.
Definitely, I think that is the overall more stable approach. I can take this on. One clarifying question - how does Dependabot generally support package managers that have many categories? Since we were relying on the 'category' behavior before this treated all group dependencies as "dev" dependencies. Do we want to keep that behavior or is there a better way to mark different group dependencies as different categories in the Dependabot language? |
phillipuniverse
force-pushed
the
poetry-1.5-lockfile
branch
from
74e6e77
to
6519552
Compare
|
Started in on a candidate solution and ran into a problem - transitive dependencies. Transitive dependencies are in the |
|
@phillipuniverse I think the right solution is exactly what you are proposing, to actually work out the category from the transitive dependencies. However, maybe a first pass solution to this is to put all transitive dependencies into the According to the comment here on the poetry PR that removed the category key, defaulting to |
phillipuniverse
force-pushed
the
poetry-1.5-lockfile
branch
from
73e9a9a
to
e3503ab
Compare
|
If you want to know which category a dependency is in, could |
|
@jonathangreen thanks for additional info. I pushed up a relatively naive solution as you suggested, simply checking the existence of the dependency in As an aside, I think once the Python 3.6 (and potentially Python 3.7?) support is dropped in #7610, it's a good opportunity to look at the dependency category handling overall for Poetry support. There is still a lot of reliance on Remaining TODOs on this PR
The code as written is ready to review, I'm not planning on making many modifications. I'm pretty new to Ruby so I would appreciate readability suggestions! |
phillipuniverse
force-pushed
the
poetry-1.5-lockfile
branch
from
e3503ab
to
3065b16
Compare
| # This is how Poetry treats transitive dev dependencies, see discussion at https://github.com/python-poetry/poetry/pull/7637#issuecomment-1494272266 | ||
| # and https://github.com/dependabot/dependabot-core/pull/7418#issuecomment-1644012926 | ||
| is_expected.to eq([{ production: true }]) |
There was a problem hiding this comment.
@jonathangreen FYI this test was failing when there was no category key with the changes I made to put everything in the "main" dependencies. It looks like that even though from your comment in Poetry they mix it all together, we had a test that ensured this behavior.
Options:
- Finish out the search process where we walk the dependency tree trying to figure out if a transitive dependency belongs in dev or not, preserving this test case
- Have a divergence between when there is or is not a
categorykey. What this looks like to me is that Poetry used to put all the transitive dependencies in the correct category, which is why the version with thecategorykey marked it asproduction: false - Ignore the
categorykey altogether and move all dependencies intoproduction: true. In the current code changes, if there is acategorykey in the metadata I use it. If not, only then do I go and checkpyproject.toml
I think (3) is the most consistent with how Poetry treats the situation and is more forward-looking since Poetry has decided to ignore the category altogether.
Thoughts?
There was a problem hiding this comment.
Based on the latest review from @bdragon, option (2) is the expected behavior and this test should not have changed. Reverting.
Small nuance. For transitive dependencies locked with Poetry 1.5+, those should be treated as "production" dependencies, but if there is a category key then treat as that category.
There was a problem hiding this comment.
@phillipuniverse thanks for raising this!
Here is my understanding:
- if the dependency has a
categorykey in the lockfile, it was generated with Poetry <v1.5 and we use its value to determine the dependency group - if the dependency is in the main dependency group (i.e.,
tool.poetry.dependencies) inpyproject.toml, it stays that way - if the dependency is in the [legacy] dev dependency group (i.e.,
tool.poetry.dev-dependencies) inpyproject.toml, it stays that way - if the dependency is included in a dependency group other than the main one (e.g.,
tool.poetry.group.test.dependencies) inpyproject.toml, it goes in the dev dependencies group - if the dependency is transitive, it goes in the main dependencies group
tool.poetry.dev-dependencies has been deprecated since Poetry v1.2 and tool.poetry.group.dev.dependencies is preferred, but this is a separate concern.
Based on the conversation here, the changes in python-poetry/poetry#7637, and the Poetry docs—and given that we need to straddle Poetry versions 1.1 and 1.5—I think the solution proposed here looks pretty good.
I think we'd prefer to avoid traversing the dependency tree for every transitive dependency if possible, so defaulting to dependencies seems reasonable.
I went ahead and updated this branch with the latest main. It looks like you have one failing spec—if you don't mind getting that to pass, it'd be great to see this merged. Thanks!
We may not need to do that once we drop support for Python 3.6/3.7...
I am planning to look at this once August 17th rolls around and I can merge my long string of Python PR's... Can we hold off on merging this until then? There's a broader discussion we're starting to have internally about how old of versions we'll promise to support for package managers. So we'll also be trying to get some clarity there on how much we choose to support multiple versions vs telling users "we're not going to support older than N versions of So let's just put this on pause til August 17th and then re-open the discussion. |
keeping in mind that without this dependabot just flat out falls over on new |
|
@G-Rath yup - @jeffwidman today, all automated security updates in GitHub fail for projects that use Poetry >=1.5 without this PR. This has been exacerbated by Dependabot being updated to use Poetry 1.5 when emitting normal, non-security-related updates. Now that I have a bit more clarity on the final state, I can address the feedback that @bdragon suggested, we can fix the breakage in the GitHub/Dependabot ecosystem that exists today, then go for broader sweeping changes in tandem with the Python 3.8+ change. @jeffwidman does that change your mind at all or still think we need to wait? |
|
Thanks for the feedback. I didn't realize this was breaking everything for you folks, that sucks. Yeah, given that I'd also lean towards shipping this sooner, and then later cleaning up any cruft it introduces for supporting older versions of poetry. Let me take a deeper look at this on Monday before committing for sure though. |
phillipuniverse
force-pushed
the
poetry-1.5-lockfile
branch
from
814b985
to
b894b7d
Compare
|
FYI: I haven't forgotten, just got buried yesterday. My head is still deep in a different section of code but as soon as I wrap that up I'll be switching to coming up to speed on poetry and looking at this. |
There was a problem hiding this comment.
Latest changes has tests around the 1.5 lockfile and should be compatible with changes requested from @bdragon
| @@ -298,12 +298,32 @@ def update_dependency_requirement(toml_node, requirement) | |||
| end | |||
|
|
|||
| def subdep_type | |||
There was a problem hiding this comment.
I just happened to find this function unexpectedly searching around for subdep_type. Looks like this logic was always shared with the file updater, but it was small enough such that it made more sense to copy it vs extract into a utility function.
Since the logic for determining a "subdep_type" is getting larger, maybe it makes sense to refactor to a separate function? Another set of options:
- Refactor into a utility function and call from both places. Opinion on where this should go?
- Remove this modification since it's not specifically tackling the core issue and we are trying to be pretty targeted per other conversations
- Keep as-is
There was a problem hiding this comment.
You forgot to pass poetry_object around, and a real update seems to be still failing because of that. So this needs to be fixed before merging, and also signals some lack of coverage here.
I'll look into a good place for factoring out this method.
There was a problem hiding this comment.
I proposed #7826 to refactor this. We can rebase and adapt this PR to it, and should be all good.
phillipuniverse
force-pushed
the
poetry-1.5-lockfile
branch
2 times, most recently
from
550d4c0
to
84b5b92
Compare
jeffwidman
force-pushed
the
poetry-1.5-lockfile
branch
from
84b5b92
to
442fca8
Compare
phillipuniverse
force-pushed
the
poetry-1.5-lockfile
branch
from
442fca8
to
b7931f0
Compare
jeffwidman
force-pushed
the
poetry-1.5-lockfile
branch
from
b7931f0
to
508b350
Compare
jeffwidman
force-pushed
the
poetry-1.5-lockfile
branch
from
508b350
to
f8a2e0e
Compare
|
We just drop old Python support, and will now unconditionally run Poetry 1.5. However, I guess we'll need to keep the compatibility code in case we find an old lockfile anyways? We may not generate an ideal diff but that's an existing problem and I'm not sure completely dropping support for lockfiles generated with old Poetry versions would be an improvement. So I'd lean towards keeping it? |
|
Ok, so in the end I decided to go with a different approach at #7834, which I find cleaner and I believe should work better. @phillipuniverse I'm trying to add attribution to the commit but it just won't pick it up. Not sure what I'm doing wrong. |
Hm maybe... in the current situation, Dependabot will read the old version and then rewrite with 1.5+ anyway. Seems about the same as just erroring out with a message about only supporting Poetry 1.5+ 🤷
Definitely agree. I looked it over and this looks to be a more sustainable solution than what I had here. I really like the
@deivid-rodriguez I appreciate the attempt at attribution but honestly, nbd on my side. I'm just excited for my automated security updates to start working again!! Thanks for the care and attention! I'm going to go ahead and close this in favor of #7834. |
That's a good point, not necessarily better to keep opening PRs changing the lockfile format to 1.5+. However, that's an existing issue so I prefer to keep any fix focused on adding support 1.5+ lockfile format but keep the current behavior other than that. I also have the feeling that many users are aware of this issue but may be using Dependabot PRs as a way to upgrade their Poetry version to stop the format from changing back and forth.
Thanks for the kind words!
That's great, I'm still confused since it's the first time adding |
|
👋 I just want to say thanks again to everyone who chimed in on this issue providing additional context. I spent my afternoon reading poetry docs and learning it, and also understanding the issue here, and it was super helpful to have all the pointers everyone provided to historical context. I'm deploying #7834 shortly, and as long as that looks green I'll merge it to |
PR's are hopefully fixed by the time you read this.
|
@deivid-rodriguez @jeffwidman - just wanted to report that thanks to you guys, all of my automated security updates have started working again!! Thank you so much!! |
|
Awesome thanks for circling back to confirm! |
|
Same here. Thank you! Though I noticed one odd indirect dependency update where a package was downgraded. I hadn't seen that before, so just checking, is that expected? Edit: A few more cases |
Follow-up to the original Poetry 1.5 merge at #7350 and the smoke test updates at dependabot/smoke-tests#75. Removal of the category key happened in the 1.5.0 release at https://github.com/python-poetry/poetry/releases/tag/1.5.0.
Fixes #7389
Fixes #7641