dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page: https://docs.github.com/en/code-security/dependabot


Extras in Python dependencies cause the Dependabot pip-compile resolver to miss updates

edwardpeek-crown opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pip

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

/pins.in
/pins.txt

Full example repo

dependabot.yml content

https://github.com/edwardpeek-crown/dependabot-extras-bug/blob/main/.github/dependabot.yml

Updated dependency

mypy 1.7.1 -> 1.10.0

What you expected to see, versus what you actually saw

Pinned mypy version does not update so long as it has the [reports] extra specifier in the source requirements:

2024/06/05 04:26:08 INFO <job_837648515> Checking if mypy 1.7.1 needs updating
2024/06/05 04:26:09 INFO <job_837648515> Latest version is 1.10.0
2024/06/05 04:26:39 INFO <job_837648515> Requirements to unlock update_not_possible
2024/06/05 04:26:39 INFO <job_837648515> Requirements update strategy bump_versions
2024/06/05 04:26:39 INFO <job_837648515> No update possible for mypy 1.7.1

Removing the extras specifier makes dependabot pick up the available update as expected.

Removing the --strip-extras option from pip-compile, so that the extra appears in the compiled pinned requirements, then causes Dependabot to fail with a "Content did not change" error similar to #8931.

Native package manager behavior

Running pip-compile updates mypy to the latest version.

Images of the diff or a link to the PR, issue, or logs

Example dependabot output at https://github.com/edwardpeek-crown/dependabot-extras-bug/actions/runs/9378171244/job/25820946639

Smallest manifest that reproduces the issue

Minimal example repo at https://github.com/edwardpeek-crown/dependabot-extras-bug/

The "with stripped extras" test in python/spec/dependabot/python/file_updater/pip_compile_file_updater_spec.rb covers a similar situation, but without the .in file indirection.
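The mismatch the report describes comes from the source line `mypy[reports]==1.7.1` and the compiled pin `mypy==1.7.1` naming the same distribution while their raw text differs. The following is an added example, not code from the issue author and not dependabot-core's resolver logic: it parses a constructed pins.in / pins.txt pair with a simplified PEP 508 regex (no URLs, markers or hashes), shows that matching on raw requirement text loses the `mypy` pin while matching on the normalized project name keeps it, and lists the source requirements whose extras were stripped by `--strip-extras`, which are the pins a maintainer would want to check by hand while this issue is open.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Optional, Set

# Constructed pins.in: one requirement carries an extra, one does not.
PINS_IN = """
# constructed source requirements for the example
mypy[reports]==1.7.1
requests>=2.31
"""

# Constructed pins.txt as pip-compile --strip-extras would shape it:
# the [reports] extra is gone from the mypy pin.
PINS_TXT = """
#
# This file is autogenerated by pip-compile (constructed sample)
#
#    pip-compile --strip-extras pins.in
#
mypy==1.7.1
    # via -r pins.in
mypy-extensions==1.0.0
    # via mypy
requests==2.31.0
    # via -r pins.in
"""

# Simplified PEP 508 requirement: name, optional [extras], optional version spec.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"\s*(?:\[(?P<extras>[^\]]*)\])?"
    r"\s*(?P<spec>[<>=!~].*)?$"
)


class Req(NamedTuple):
    name: str           # normalized project name (PEP 503 style)
    extras: frozenset   # requested extras, empty when none
    spec: str           # version specifier such as "==1.7.1"


def normalize_name(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_lines(text: str) -> Iterator[str]:
    """Yield requirement lines, dropping blanks, comments and option lines (-r, --hash ...)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip("\\").strip()
        if line and not line.startswith("-"):
            yield line


def parse_requirement(line: str) -> Req:
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    extras = frozenset(
        e.strip().lower() for e in (m.group("extras") or "").split(",") if e.strip()
    )
    return Req(normalize_name(m.group("name")), extras, (m.group("spec") or "").replace(" ", ""))


def parse_file(text: str) -> Dict[str, Req]:
    """Map normalized project name -> parsed requirement."""
    return {req.name: req for req in (parse_requirement(l) for l in requirement_lines(text))}


def naive_matches(source: str, compiled: str) -> Set[str]:
    """Match on the raw text before the version operator: 'mypy[reports]' != 'mypy'."""
    def key(line: str) -> str:
        return re.split(r"[<>=!~]", line, maxsplit=1)[0].strip()
    return {key(l) for l in requirement_lines(source)} & {key(l) for l in requirement_lines(compiled)}


def normalized_matches(source: str, compiled: str) -> Set[str]:
    """Match on the normalized project name, ignoring extras."""
    return set(parse_file(source)) & set(parse_file(compiled))


def stripped_extras(source: str, compiled: str) -> List[str]:
    """Names whose source requirement has extras but whose compiled pin does not."""
    src, out = parse_file(source), parse_file(compiled)
    return sorted(n for n, r in src.items() if r.extras and n in out and not out[n].extras)


if __name__ == "__main__":
    print("naive matches:     ", sorted(naive_matches(PINS_IN, PINS_TXT)))
    print("normalized matches:", sorted(normalized_matches(PINS_IN, PINS_TXT)))
    print("extras stripped:   ", stripped_extras(PINS_IN, PINS_TXT))
```

Run against a real `.in`/`.txt` pair (read the files into `source` and `compiled`), `stripped_extras` returns exactly the pins whose extras live only in the source file; with `--strip-extras` dropped from pip-compile the list is empty and the comparison moves into the other failure mode the report mentions.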