Dependabot submits pull requests with incompatible versions 📦

[hackebrot]

For some reason Dependabot only updates one of the requirements files that the application uses. This then causes the CI to fail for the pull request since we check for compatible dependencies. We then need to manually perform that dependency upgrade in the other requirements file.

See for example #251 for a dependency that is referenced in the following two files:

• application/dev-requirements.txt
• application/requirements.txt

[jklukas]

Is it possible to ensure that requirements.txt is preferred over dev-requirements.txt so that a dep only appears in one or the other file? Or does this come from pip-compile step, and typing-extensions is pulled in transitively from two different deps?

[hackebrot]

The latter is what's happening for typing_extensions. It's a direct dependency in application/setup.py, which means it's pinned in application/requirements.txt. We use the pip-tools layered workflow feature in application/dev-requirements.in. When then generate all dependencies (application and development) in application/dev-requirements.txt using pip-compile.

-c requirements.txt
pytest>=6.1.0
coverage[toml]>=5.3.0
mypy>=0.790
flake8>=3.8.4
black>=20.8b1
types-setuptools>=57.0.2

https://github.com/mozilla/burnham/blob/main/application/dev-requirements.in#L1