ci: enhance dependabot config to track pip and cargo packages#658
@kylebarron I am not sure what "/pyo3-bytes" and "/pyo3-object-stores" are used for and if they should also be bumped in the same way
| - "minor" | ||
| - "patch" | ||
| - package-ecosystem: "uv" |
What's the difference between package ecosystem uv and pip?
Dependabot introduced uv support last year. The main difference is that pip tracks pyproject.toml but ignores uv.lock, leaving the lockfile out of sync after each Dependabot PR. Using uv tells Dependabot to use uv's own resolver and keep uv.lock in sync automatically.
Do you have a preference on which one to use @kylebarron?
I think uv is always correct then, or else the uv.lock will be out of sync. I only use uv in all my projects
| - package-ecosystem: "uv" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| day: "monday" | ||
| groups: | ||
| minor-and-patch: | ||
| applies-to: version-updates | ||
| patterns: | ||
| - "*" | ||
| update-types: | ||
| - "minor" | ||
| - "patch" | ||
| - package-ecosystem: "pip" | ||
| directory: "/obstore" | ||
| schedule: | ||
| interval: "weekly" | ||
| day: "monday" | ||
| groups: | ||
| minor-and-patch: | ||
| applies-to: version-updates | ||
| patterns: | ||
| - "*" | ||
| update-types: | ||
| - "minor" | ||
| - "patch" |
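Review bot: the `package-ecosystem: "pip"` block for `directory: "/obstore"` sits awkwardly next to the reasoning given for the `"uv"` block at `"/"`: as stated in the thread, pip updates pyproject.toml but does not touch uv.lock, so if /obstore is resolved with uv its lockfile would drift after every Dependabot PR. Suggest either changing that block to `package-ecosystem: "uv"` or confirming in the PR description that /obstore carries its own pip-style manifest. Also note that both `minor-and-patch` groups cover only `"minor"` and `"patch"` version updates, so major bumps will still arrive as individual PRs; that is a reasonable choice but worth stating explicitly.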
Similar to developmentseed/lonboard#1162 (comment), do we need dependabot for python, where it's not forming part of a distributed application?
Removed Cargo package ecosystems for pyo3-object_store and pyo3-bytes.
Follow up from #647. Adding pip and cargo packages to dependabot, which should help quickly patch vulnerabilities in dependency packages.