Python version being switched from exact to tilde version #6462

Closed
1 task done
Dresdn opened this issue Jan 18, 2023 · 11 comments · Fixed by #6702
Labels
L: python:poetry Python packages via poetry T: bug 🐞 Something isn't working

Comments

@Dresdn
Contributor

Dresdn commented Jan 18, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pip

Package manager version

Poetry 1.2.1

Language version

Python 3.9.15

Manifest location and content before the Dependabot update

poetry.lock

[metadata]
lock-version = "1.1"
python-versions = "3.9.15"
content-hash = "fd6fc6f4059782a6eb9e54c3f01d79433176e9ec18b525e6578641cc3369e98d"

pyproject.toml used to trigger an update:

[tool.poetry.dependencies]
python = "3.9.15"
Flask = "2.1.0"


[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"

Updated dependency

Flask 2.1.0 -> 2.2.2

What you expected to see, versus what you actually saw

I expect the Flask dependency to be updated to 2.2.2, but not have the python-versions change.

The Dependabot changed poetry.lock file contains:

[metadata]
lock-version = "1.1"
python-versions = "~3.9"
content-hash = "72b14837467ed77c01c43c1a6727e9c2e3ba4dcbf51f6a23da7d3fe48c805a6b"

Native package manager behavior

Changing Flask to be 2.2.2 in the pyproject.toml and running poetry lock produces the following:

[metadata]
lock-version = "1.1"
python-versions = "3.9.15"
content-hash = "72b14837467ed77c01c43c1a6727e9c2e3ba4dcbf51f6a23da7d3fe48c805a6b"

Note the python-versions is correct.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@Dresdn Dresdn added the T: bug 🐞 Something isn't working label Jan 18, 2023
@Dresdn
Contributor Author

Dresdn commented Jan 18, 2023

Quick note that this is for a GitLab project, so I'm using dependabot-gitlab v0.33.0, which is using v0.215.0

gem "dependabot-omnibus", "~> 0.215.0"

@deivid-rodriguez
Contributor

Can you provide complete manifest files to be able to reproduce the issue? Also, feel free to try latest main in case it's fixed there.

@deivid-rodriguez deivid-rodriguez added the L: python:poetry Python packages via poetry label Jan 18, 2023
@Dresdn
Contributor Author

Dresdn commented Jan 18, 2023

Absolutely. Here are both the pyproject.toml and lockfile.
Archive.zip

I'll give trying with main a whirl too.

@deivid-rodriguez
Contributor

Thank you, will have a look!

@Dresdn
Contributor Author

Dresdn commented Jan 23, 2023

@deivid-rodriguez - Just a note that I checked the latest development build, and the same behavior is happening.

I setup a sample project at https://github.com/Dresdn/awesome-project-6462 that is demonstrating the behavior.

Diff generated from development build sha256:4cb8ba64915f7937e1e1a133ff0089323b0c1d55c07dcbc8e703984be373eb33:

 => updating flask from 2.1.0 to 2.2.2

    ± pyproject.toml
    ~~~
    11c11
    < Flask = "2.1.0"
    ---
    > Flask = "2.2.2"
    ~~~

    ± poetry.lock
    ~~~
    0a1,2
    > # This file is automatically @generated by Poetry and should not be changed by hand.
    >
    7a10,13
    > files = [
    >     {file = "click-8.1.3-py3-none-any.whl", hash = "sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48"},
    >     {file = "click-8.1.3.tar.gz", hash = "sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e"},
    > ]
    18a25,28
    > files = [
    >     {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"},
    >     {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"},
    > ]
    21,22c31,32
    < name = "Flask"
    < version = "2.1.0"
    ---
    > name = "flask"
    > version = "2.2.2"
    26a37,40
    > files = [
    >     {file = "Flask-2.2.2-py3-none-any.whl", hash = "sha256:b9c46cc36662a7949f34b52d8ec7bb59c0d74ba08ba6cb9ce9adc1d8676d9526"},
    >     {file = "Flask-2.2.2.tar.gz", hash = "sha256:642c450d19c4ad482f96729bd2a8f6d32554aa1e231f4f6b4e7e5264b16cca2b"},
    > ]
    30c44
    < importlib-metadata = {version = "*", markers = "python_version < \"3.10\""}
    ---
    > importlib-metadata = {version = ">=3.6.0", markers = "python_version < \"3.10\""}
    33c47
    < Werkzeug = ">=2.0"
    ---
    > Werkzeug = ">=2.2.2"
    45a60,63
    > files = [
    >     {file = "importlib_metadata-6.0.0-py3-none-any.whl", hash = "sha256:7efb448ec9a5e313a57655d35aa54cd3e01b7e1fbcf72dce1bf06119420f5bad"},
    >     {file = "importlib_metadata-6.0.0.tar.gz", hash = "sha256:e354bedeb60efa6affdcc8ae121b73544a7aa74156d047311948f6d711cd378d"},
    > ]
    61a80,83
    > files = [
    >     {file = "itsdangerous-2.1.2-py3-none-any.whl", hash = "sha256:2c2349112351b88699d8d4b6b075022c0808887cb7ad10069318a8b0bc88db44"},
    >     {file = "itsdangerous-2.1.2.tar.gz", hash = "sha256:5dbbc68b317e5e42f327f9021763545dc3fc3bfe22e6deb96aaf1fc38874156a"},
    > ]
    69a92,95
    > files = [
    >     {file = "Jinja2-3.1.2-py3-none-any.whl", hash = "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61"},
    >     {file = "Jinja2-3.1.2.tar.gz", hash = "sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852"},
    > ]
    84,141c110
    <
    < [[package]]
    < name = "Werkzeug"
    < version = "2.2.2"
    < description = "The comprehensive WSGI web application library."
    < category = "main"
    < optional = false
    < python-versions = ">=3.7"
    <
    < [package.dependencies]
    < MarkupSafe = ">=2.1.1"
    <
    < [package.extras]
    < watchdog = ["watchdog"]
    <
    < [[package]]
    < name = "zipp"
    < version = "3.11.0"
    < description = "Backport of pathlib-compatible object wrapper for zip files"
    < category = "main"
    < optional = false
    < python-versions = ">=3.7"
    <
    < [package.extras]
    < docs = ["furo", "jaraco.packaging (>=9)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)"]
    < testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-flake8", "pytest-mypy (>=0.9.1)"]
    <
    < [metadata]
    < lock-version = "1.1"
    < python-versions = "3.9.16"
    < content-hash = "4ffae8120491662d5851ad0882168c5daa4c6b51e4d0f36dd7fbb7d4a0321de7"
    <
    < [metadata.files]
    < click = [
    <     {file = "click-8.1.3-py3-none-any.whl", hash = "sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48"},
    <     {file = "click-8.1.3.tar.gz", hash = "sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e"},
    < ]
    < colorama = [
    <     {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"},
    <     {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"},
    < ]
    < Flask = [
    <     {file = "Flask-2.1.0-py3-none-any.whl", hash = "sha256:e4c69910f6a096cc57e4ee45b7ba9afafdcad4cc571db6eb97d5bd01b95422ea"},
    <     {file = "Flask-2.1.0.tar.gz", hash = "sha256:c4dd4a3d8fcae9f892e3f61edfbb1d3cdf9ac03dc72ea1bf8d5c6c964a669674"},
    < ]
    < importlib-metadata = [
    <     {file = "importlib_metadata-6.0.0-py3-none-any.whl", hash = "sha256:7efb448ec9a5e313a57655d35aa54cd3e01b7e1fbcf72dce1bf06119420f5bad"},
    <     {file = "importlib_metadata-6.0.0.tar.gz", hash = "sha256:e354bedeb60efa6affdcc8ae121b73544a7aa74156d047311948f6d711cd378d"},
    < ]
    < itsdangerous = [
    <     {file = "itsdangerous-2.1.2-py3-none-any.whl", hash = "sha256:2c2349112351b88699d8d4b6b075022c0808887cb7ad10069318a8b0bc88db44"},
    <     {file = "itsdangerous-2.1.2.tar.gz", hash = "sha256:5dbbc68b317e5e42f327f9021763545dc3fc3bfe22e6deb96aaf1fc38874156a"},
    < ]
    < Jinja2 = [
    <     {file = "Jinja2-3.1.2-py3-none-any.whl", hash = "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61"},
    <     {file = "Jinja2-3.1.2.tar.gz", hash = "sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852"},
    < ]
    < MarkupSafe = [
    ---
    > files = [
    193c162,170
    < Werkzeug = [
    ---
    >
    > [[package]]
    > name = "Werkzeug"
    > version = "2.2.2"
    > description = "The comprehensive WSGI web application library."
    > category = "main"
    > optional = false
    > python-versions = ">=3.7"
    > files = [
    197c174,188
    < zipp = [
    ---
    >
    > [package.dependencies]
    > MarkupSafe = ">=2.1.1"
    >
    > [package.extras]
    > watchdog = ["watchdog"]
    >
    > [[package]]
    > name = "zipp"
    > version = "3.11.0"
    > description = "Backport of pathlib-compatible object wrapper for zip files"
    > category = "main"
    > optional = false
    > python-versions = ">=3.7"
    > files = [
    200a192,200
    >
    > [package.extras]
    > docs = ["furo", "jaraco.packaging (>=9)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)"]
    > testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-flake8", "pytest-mypy (>=0.9.1)"]
    >
    > [metadata]
    > lock-version = "2.0"
    > python-versions = "~3.9"
    > content-hash = "5664cd177600e7292b93aea0c7f371130709cd644634387b1b47f8c9814e57eb"
    ~~~
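Review bot: the final hunk (`200a192,200`) is where the reported defect shows up: the `python-versions = "3.9.16"` line removed in the `84,141c110` hunk comes back as `python-versions = "~3.9"`, so the regenerated lock no longer records the exact interpreter pin from pyproject.toml. The same hunk also bumps `lock-version = "1.1"` to `"2.0"` and, together with the earlier `files = [` hunks, moves the `[metadata.files]` tables into per-package `files` entries, which is the newer Poetry lock layout rather than part of this bug; the fix should restore the pin independently of which lock format gets written, so a `lock-version` change alone never masks or explains the `python-versions` drift.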

@Kurt-von-Laven
Contributor

Kurt-von-Laven commented Feb 2, 2023

The given pyproject.toml is incorrect, because Poetry (in keeping with much of the Python ecosystem) specifies that exact requirements should be specified with ==. We experience the same issue using a == version constraint on Python though, and I suspect Dependabot currently doesn't care. Dependabot should take care to (not) specify == in poetry.lock when == is (not) used in poetry.toml though.

@rakyi

rakyi commented Feb 20, 2023

In our project Dependabot changes both "==3.11.1" and "3.11.1" to "~3.11", which doesn't work for us as we need the exact version for deployment.

@Kurt-von-Laven
Contributor

Yeah, we are all having the same experience.

@Kurt-von-Laven
Contributor

python-poetry/poetry#7503 recently clarified that the == operator is optional when specifying version matching clauses in Poetry. I don't know the status for other Python package managers, but I would expect them all to at least support == since that is the syntax specified by PEP 440.

@deivid-rodriguez
Contributor

This should get fixed by #6702. The problem is that our environment does not have all Python versions available, so if the project is locked to an exact version that we don't have available we need to change the requirement to allow the closest version we have available. But we are not changing it back after resolving versions.
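Until a fix like the one above lands, a repository can catch this drift itself: the check below (added here as an example, not code from this issue, from Dependabot or from Poetry) compares the `python` constraint in `pyproject.toml` with `python-versions` in the `poetry.lock` `[metadata]` table and flags an exact pin that came back relaxed, treating `3.9.15` and `==3.9.15` as the same pin as the `==`-is-optional comment above describes. The manifests embedded in it are constructed samples modelled on the ones in this thread.

```python
import re

# Constructed sample manifests modelled on the ones in this issue (not the attached files).
PYPROJECT = """
[tool.poetry.dependencies]
python = "3.9.15"
Flask = "2.2.2"

[build-system]
requires = ["poetry-core"]
"""
LOCK_OK = """
[metadata]
lock-version = "1.1"
python-versions = "3.9.15"
"""
LOCK_DRIFTED = """
[metadata]
lock-version = "1.1"
python-versions = "~3.9"
"""


def toml_string(text, section, key):
    """Minimal line-based lookup of a quoted string `key` inside `[section]`;
    sufficient for these two keys without pulling in a TOML library."""
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == f"[{section}]"
            continue
        if in_section:
            m = re.match(rf'{re.escape(key)}\s*=\s*"([^"]*)"', stripped)
            if m:
                return m.group(1)
    return None


def is_exact_pin(constraint):
    """Poetry accepts both "3.9.15" and "==3.9.15" as an exact pin; "~3.9" is not one."""
    return re.fullmatch(r"(?:==)?\s*\d+(?:\.\d+)*", constraint.strip()) is not None


def check_python_pin(pyproject_text, lock_text):
    """Return findings; an empty list means the lock honours the pyproject constraint."""
    want = toml_string(pyproject_text, "tool.poetry.dependencies", "python")
    got = toml_string(lock_text, "metadata", "python-versions")
    if want is None or got is None:
        return ["python constraint missing from pyproject.toml or poetry.lock"]
    if want.lstrip("=").strip() == got.lstrip("=").strip():
        return []
    kind = "exact pin relaxed" if is_exact_pin(want) and not is_exact_pin(got) else "constraint drift"
    return [f"{kind}: pyproject python={want!r} but lock python-versions={got!r}"]
```

In CI, feed the real files to `check_python_pin` and fail the job on any finding so a relaxed interpreter pin cannot reach deployment unnoticed.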

@abdulapopoola abdulapopoola moved this to Blocked in Dependabot Mar 30, 2023
@deivid-rodriguez deivid-rodriguez moved this from Blocked to In Progress in Dependabot Aug 21, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in Dependabot Aug 22, 2023
@deivid-rodriguez
Contributor

Sorry for the delay, this fix is live now!
