The issue seems as a result of I need my dependencies to be up-to-date. For this, I’ve configured Dependabot to observe for brand new variations of dependencies listed in necessities.txt. When such an occasion happens, it open a PR in my repo. More often than not, the PR works like a allure, however in a couple of instances, an error happens once I run the script after I merge. It seems like the next:
ERROR: libfoo 1.0.0 has requirement libbar<2.5,>=2.0, however you may have libbar 2.5 which is incompatible.
The issue is that Dependabot opens a PR for each library listed. However a brand new library model could be launched, which falls outdoors the vary of compatibility.
Think about the next state of affairs. My venture wants the libfoo dependency. In flip, libfoo requires the libbar dependency. At set up time, pip makes use of the newest model of libfoo and the newest appropriate model of libbar. The ensuing necessities.txt is:
necessities.txt
libfoo==1.0.0
libbar==2.0The whole lot works as anticipated. After some time, Dependabot runs and finds that libbar has launched a brand new model, e.g., 2.5. Faithfully, it opens a PR to merge the next change:
necessities.txt
libfoo==1.0.0
libbar==2.5Whether or not the above problem seems relies upon solely on how libfoo 1.0.0 specified its dependency in setup.py. If 2.5 falls throughout the appropriate vary, it really works; if not, it gained’t.
