Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review Dependabot security alerts #579

Closed
inglesp opened this issue Jun 28, 2022 · 4 comments · Fixed by #596
Closed

Review Dependabot security alerts #579

inglesp opened this issue Jun 28, 2022 · 4 comments · Fixed by #596
Assignees
@rebkwok

Comments

@inglesp
Copy link
Contributor

inglesp commented Jun 28, 2022

No description provided.

@inglesp
Copy link
Contributor Author

inglesp commented Jun 28, 2022

See here: https://github.com/opensafely-core/databuilder/security/dependabot

@evansd
Copy link
Contributor

evansd commented Jun 28, 2022

This is confusing me because I would have expected all dependencies to be kept up to date by dependabot. It's certainly updating some things but clearly not everything.

Is it something to do with this?
https://github.com/opensafely-core/databuilder/blob/08b3895f79d155075d2c295f5d64619da14003ad/requirements.prod.in#L1

More research is needed ...

@rebkwok
Copy link
Contributor

rebkwok commented Jul 4, 2022

It looks like github is picking up the security updates from requirements.dev.txt and requirements.prod.txt, but dependabot uses pyproject.toml to look for version updates
https://github.com/opensafely-core/databuilder/network/dependencies

According to this page the default is to check explicitly defined dependencies for updates; possibly if we included

    allow:
      # Allow both direct and indirect updates for all packages
      - dependency-type: "all"

in the dependabot.yml, it would pick up indirect dependencies (e.g. the numpy is a dependency of pandas, not explicilty stated in the pyproject.toml).

@rebkwok rebkwok moved this from Next to In Progress in Data Team Jul 4, 2022
@rebkwok rebkwok self-assigned this Jul 4, 2022
@rebkwok
Copy link
Contributor

rebkwok commented Jul 4, 2022

Although, looking at the list of PRs that dependabot has created, I think it may in fact only be looking at the dev ones. Pandas was at v1.3.4 and the latest is 1.4.3 (which also pulls in the numpy version that the security update wants)

I thought I found issues that implied that dependabot did deal with pyproject.toml now, but maybe it only supports poetry dependencies?
This issue is still open and has references to updating the pyproject.toml parsing.
dependabot/dependabot-core#3290 (comment)

@rebkwok rebkwok mentioned this issue Jul 5, 2022
Merged
@rebkwok rebkwok moved this from In Progress to Under Review in Data Team Jul 5, 2022
Repository owner moved this from Under Review to Done in Data Team Jul 5, 2022
@StevenMaude StevenMaude mentioned this issue Jan 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rebkwok rebkwok

Labels
None yet
Projects
Data Team
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: upgrade python requirements opensafely-core/ehrql
3 participants
@evansd @inglesp @rebkwok