Remove safety/pyup
There are currently 2 bots for updating dependencies set up for this repository: safety (pyup) and dependabot. Can someone please remove pyup?
Also I'm not sure the requirements.txt in the docs should be updated, at least not automatically, because those dependencies were pinned for a reason, i.e. to ensure the docs build for readthedocs doesn't break.
Hi, the pyup webhook was deleted, therefore it should no longer work.
> Also I'm not sure the requirements.txt in the docs should be updated, at least not automatically, because those dependencies were pinned for a reason, i.e. to ensure the docs build for readthedocs doesn't break.

Probably it is best to not automatically update the docs dependencies. Regarding the dependabot, this was already done here, or am I wrong?
I have also observed that some docs dependencies are also present in the pyproject.toml. Do we need them?
Also, does anyone know why the dependabot updates only poetry.lock files like in PR #431 and #433? It should update pyproject.toml or am I wrong?
> I have also observed that some docs dependencies are also present in the pyproject.toml. Do we need them?

Yes, the requirements file in docs/ is used only when deploying to readthedocs. The docs dependencies in pyproject.toml are optional and are not installed by default, but can be installed for building the docs locally if need be.
> Also, does anyone know why the dependabot updates only poetry.lock files like in PR https://github.com/NiaOrg/NiaPy/pull/431 and https://github.com/NiaOrg/NiaPy/pull/433? It should update pyproject.toml or am I wrong?

It's the default setting for libraries. Because when installing the library pip installs the latest compatible dependencies anyway, I think. This can be changed in the config file by setting versioning-strategy to "increase".
> Yes, the requirements file in docs/ is used only when deploying to readthedocs. The docs dependencies in pyproject.toml are optional and are not installed by default, but can be installed for building the docs locally if need be.

Great, this seems reasonable.
> It's the default setting for libraries. Because when installing the library pip installs the latest compatible dependencies anyway, I think. This can be changed in the config file by setting versioning-strategy to "increase".

Oh, I see. However, the lock file can cause quite some problems when using different OSes, as well as with those optional dependencies. We should think through what is the most suitable strategy to use for dependabot.