dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page: https://docs.github.com/en/code-security/dependabot

Dependabot not updating grouped dependencies with Poetry

cecheta opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

poetry

Package manager version

1.8.3

Language version

3.10.13

Manifest location and content before the Dependabot update

  • /pyproject.toml
  • /poetry.lock

dependabot.yml content

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      langchain:
        patterns:
          - "langchain*"

Updated dependency

langchain : 0.1.20 -> 0.2.1
langchain-community : 0.1.20 -> 0.2.1

What you expected to see, versus what you actually saw

Expected behaviour: Because both dependencies are in the same group, they should both be updated to the latest version (0.2.1) in the same PR.

Actual behaviour: No updates or PRs raised.

Native package manager behavior

The packages can't be updated individually due to incompatibility:

poetry add langchain@0.2.1

Updating dependencies
Resolving dependencies... (0.0s)
Resolving dependencies... (0.1s)
Because langchain (0.2.1) depends on langchain-core (>=0.2.0,<0.3.0)
 and langchain-community (0.0.38) depends on langchain-core (>=0.1.52,<0.2.0), langchain (0.2.1) is incompatible with langchain-community (0.0.38).
So, because non-package-mode depends on both langchain-community (0.0.38) and langchain (0.2.1), version solving failed.

However, they can be updated together:

poetry add langchain@0.2.1 langchain-community@0.2.1

Updating dependencies
Resolving dependencies... (0.2s)

Package operations: 0 installs, 4 updates, 0 removals

  - Updating langchain-core (0.1.52 -> 0.2.1)
  - Updating langchain-text-splitters (0.0.2 -> 0.2.0)
  - Updating langchain (0.1.20 -> 0.2.1)
  - Updating langchain-community (0.0.38 -> 0.2.1)

Writing lock file

Images of the diff or a link to the PR, issue, or logs

dependabot logs.txt

Smallest manifest that reproduces the issue

dependabot-bug-master.zip
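
The following is an added example, not part of the original issue and not Poetry's or Dependabot's resolver: a simplified satisfiability check showing why each single-package update in the report fails on the shared langchain-core requirement while the grouped update resolves. The langchain-core ranges for langchain 0.1.20 and langchain-community 0.2.1 are assumptions; the other two ranges come from the Poetry error quoted above.

```python
def parse(version):
    """Turn '0.2.1' into a comparable tuple (0, 2, 1)."""
    return tuple(int(part) for part in version.split("."))

def satisfies(version, spec):
    """True if version meets every clause of a spec such as '>=0.2.0,<0.3.0'."""
    for clause in (c.strip() for c in spec.split(",")):
        if clause.startswith(">="):
            if not parse(version) >= parse(clause[2:]):
                return False
        elif clause.startswith("<"):
            if not parse(version) < parse(clause[1:]):
                return False
        else:
            raise ValueError(f"unsupported clause: {clause}")
    return True

# langchain-core requirement declared by each release (constructed sample data).
CORE_REQ = {
    ("langchain", "0.1.20"): ">=0.1.52,<0.2.0",            # assumed
    ("langchain", "0.2.1"): ">=0.2.0,<0.3.0",              # from the Poetry error
    ("langchain-community", "0.0.38"): ">=0.1.52,<0.2.0",  # from the Poetry error
    ("langchain-community", "0.2.1"): ">=0.2.0,<0.3.0",    # assumed
}
CORE_CANDIDATES = ["0.1.52", "0.2.1"]  # langchain-core versions seen in the output

def resolve_core(pins):
    """Highest langchain-core version every pinned package accepts, or None."""
    ok = [c for c in CORE_CANDIDATES
          if all(satisfies(c, CORE_REQ[(name, ver)]) for name, ver in pins.items())]
    return max(ok, key=parse) if ok else None

def try_updates(current, targets):
    """Try each target alone, then all targets together, against current pins."""
    results = {}
    for name, version in targets.items():
        results[(name,)] = resolve_core({**current, name: version})
    results[tuple(targets)] = resolve_core({**current, **targets})
    return results

CURRENT = {"langchain": "0.1.20", "langchain-community": "0.0.38"}
TARGETS = {"langchain": "0.2.1", "langchain-community": "0.2.1"}

if __name__ == "__main__":
    for plan, core in try_updates(CURRENT, TARGETS).items():
        status = f"langchain-core {core}" if core else "version solving fails"
        print(" + ".join(plan), "->", status)
```
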