Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps-dev): bump gitpython from 3.1.31 to 3.1.32 #86

Closed
wants to merge 1 commit into from
Closed

build(deps-dev): bump gitpython from 3.1.31 to 3.1.32 #86

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 11, 2023

Bumps gitpython from 3.1.31 to 3.1.32.

Release notes

Sourced from gitpython's releases.

v3.1.32 - with another security update

What's Changed

New Contributors

Full Changelog: gitpython-developers/GitPython@3.1.31...3.1.32

Commits
  • 5d45ce2 prepare 3.1.32 release
  • ca965ec Merge pull request #1609 from Beuc/block-insecure-options-clone-non-multi
  • 5c59e0d Block insecure non-multi options in clone/clone_from
  • c09a71e Merge pull request #1606 from r-darwish/no-del
  • a3859ee fixes
  • 8186159 Don't rely on del
  • 741edb5 Merge pull request #1603 from eUgEntOptIc44/eugenoptic44-fix-pypi-long-descri...
  • 0c543cd Improve readability of README.md
  • 9cd7ddb Improve the 'long_description' displayed on pypi
  • 6fc11e6 update README to reflect the status quo on git command usage
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps-dev): bump gitpython from 3.1.31 to 3.1.32
ccd6262 
Bumps [gitpython](https://github.com/gitpython-developers/GitPython) from 3.1.31 to 3.1.32.
- [Release notes](https://github.com/gitpython-developers/GitPython/releases)
- [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES)
- [Commits](gitpython-developers/GitPython@3.1.31...3.1.32)

---
updated-dependencies:
- dependency-name: gitpython
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Aug 11, 2023
@codecov-commenter
Copy link

codecov-commenter commented Aug 11, 2023
edited
Loading

Codecov Report

Merging #86 (ccd6262) into main (f54e187) will not change coverage.
The diff coverage is n/a.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

Impacted file tree graph

@@           Coverage Diff           @@
##             main      #86   +/-   ##
=======================================
  Coverage   90.78%   90.78%           
=======================================
  Files          24       24           
  Lines        1389     1389           
  Branches      245      245           
=======================================
  Hits         1261     1261           
  Misses         93       93           
  Partials       35       35
Flag Coverage Δ
unittests 90.78% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

@haz
Copy link
Contributor

haz commented Aug 20, 2023

@marcofavorito @francescofuggitti What should we do with this and #85 ? In general, not sure what the best protocol is for these security-specific pipfile.lock stuff.

@marcofavorito
Copy link
Member

marcofavorito commented Aug 20, 2023
edited
Loading

@marcofavorito @francescofuggitti What should we do with this and #85 ? In general, not sure what the best protocol is for these security-specific pipfile.lock stuff.

The protocol should be as easy as merging the PR, so to keep Pipfile.lock always updated to the latest compatible version compliant with Pipfile.

However, handling multiple PR is not straightforward since when one is merged, the changes to the Pipfile.lock will conflict with the changes made by the other remaining pending PRs. This is handled by dependabot, either automatically or explicitly using @dependabot rebase (see the description above). When there are too many of these PRs, what I usually do is open a self-made PR with Pipfile.lock upgraded, hence including all the changes from the other PRs.

There is a feature request for merging the dependabot PRs into one: dependabot/dependabot-core#2265, but it seems blocked.

Another issue is that the current notification is for gitpython which is a development dependency. Arguably, keeping the dev-dependencies up-to-date is not as important as keeping the main dependencies up-to-date (from the perspective of the library user). We got this notification despite "by default only direct dependencies that are explicitly defined in a manifest are kept up to date by Dependabot version updates". It might be worth further investigation.

Not sure how to proceed from here. On the one hand, having the dependabot working will periodically notify us about some missing upgrades; this will require to process the PR periodically (either by hand, or merging-rebasing the PRs one by one). On the other hand, if we keep dependabot, we would have the PR page a bit dirty, without great benefits: in the end, pddl does not seem "security critical", that is, having the main release with an old lark or click versions should not harm.

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Sep 6, 2023

Superseded by #88.

@dependabot dependabot bot closed this Sep 6, 2023
@dependabot dependabot bot deleted the dependabot/pip/gitpython-3.1.32 branch September 6, 2023 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@codecov-commenter @haz @marcofavorito