Dependabot flip-flop with python_full_version/python_version

[glensc]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

pip, pipenv

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

It's becoming ridiculous already how dependabot fight with itself changing python_version to python_full_version and vice versa:

• https://github.com/Taxel/PlexTraktSync/commits/69dc149838db5c4f3cc36d886ad827ce9988a725/requirements.txt
  • python_full_version to python_version: Taxel/PlexTraktSync@69dc149
  • python_version to python_full_version Taxel/PlexTraktSync@dc86ef1
  • python_version < '4' to python_version < '4.0', drops python_version >= '3.6' Taxel/PlexTraktSync@31516d2
  • drops python_full_version < '4.0.0', python_version >= '3.6' Taxel/PlexTraktSync@bd3501d

....and so on!

and typically the changes are not even for packages that are being bumped.

the same changes are visible in Pipfile.lock in same commits as well.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[glensc]

my guess is that dependabot is running different versions of pipenv or python versions which is causing this.

but pipenv lock hasn't been updated for a while:

• https://github.com/dependabot/dependabot-core/commits/cf448a99d35d7956f4c64b8249029324c9627a91/python/helpers/requirements.txt

I don't know that's the place for the pin that is used to run pip/pipenv updates, but it might be.

[jeffwidman]

Thanks for the report. This needs fixing, and your description made me 😄 :

ridiculous already how dependabot fight with itself

Not sure of root cause, but your hunch sounds reasonable as a starting place.

[glensc]

I think you should update pipenv:

• python_full_version vs python_version pypa/pipenv#5499 (comment)

at least the problem i reported there did not repeat with 2022.9.24

[deivid-rodriguez]

Yeah, I already start that at #6104, but it's a tricky upgrade so it may take us some time.

[glensc]

Unbelievable. it also removes version markers now:

• Taxel/PlexTraktSync@bc6d084 (#1301)

because it decided to write:

-            "markers": "python_version <= '3.7'",
+            "index": "pypi",

This is also fixed in newer pipenv or not yet reported?

[glensc]

Is this the same problem?

Removing attributes may damage distribution, if it drops the version range. see commit where I restored it manually:

• Taxel/PlexTraktSync@9ecd9d7

[jeffwidman]

This will hopefully be fixed by:

• Bump pipenv from 2022.4.8 to 2023.7.23 in /python/helpers #7715

[deivid-rodriguez]

Can you verify if the recent update of pipenv has fixed thanks? Thanks for all the pipenv reports and patience 🙏.

[deivid-rodriguez]

Assuming this got fixed since we got no further feedback.