@theztefan theztefan commented Aug 1, 2025

What are you trying to accomplish?

Raising this PR to add Conda support to dependabot-core and overall Dependabot on GitHub.com.

Relevant Issues
#4369
#1249

Anything you want to highlight for special attention from reviewers?


Conda Implementation in dependabot-core

Overview

What is the Conda Implementation?

The Conda ecosystem implementation in dependabot-core provides automated dependency management for Python packages specified in Conda environment.yml files. This implementation focuses exclusively on Python packages while leveraging existing Python/PyPI infrastructure for maximum reliability and maintainability.

Strategic Scope

✅ Supported:

  • Python packages from conda channels (main dependencies section)
  • Python packages from pip (pip dependencies section)
  • Version checking via PyPI delegation
  • Security updates via Python advisory database
  • Comment and formatting preservation
  • Cooldown feature support

❌ Explicitly Excluded:

  • Non-Python packages (R, C/C++, system tools)
  • Fully qualified conda specifications with build strings
  • Lock file support (conda-lock.yml)
  • Cross-language dependency management

Key Design Decisions

1. Python-Only Strategic Scope

Decision: Focus exclusively on Python packages from both conda and pip sources in Conda manifest files.

Rationale:

  • ✅ Serves majority use case (most conda users primarily use Python)
  • ✅ Leverages existing Python/PyPI GitHub Advisory Database
  • ✅ Avoids complexity of cross-language dependency management
  • ✅ Enables immediate value delivery

Implementation: PythonPackageClassifier uses a blocklist approach for distinguishable R packages and system tools but treats every dependency as Python by default and delegates to the Python implementation. Uses semantic dependency groups: groups: ["dependencies"] for conda dependencies and groups: ["pip"] for pip dependencies, enabling clear separation and targeted updates.

2. Delegation to Python Ecosystem

Decision: Delegate version checking to existing Python infrastructure instead of implementing conda-specific registry integration.

Rationale:

  • ✅ Reuses battle-tested PyPI integration
  • ✅ Inherits all Python ecosystem improvements automatically
  • ✅ Consistent behavior across Python and conda ecosystems
  • ✅ Reduced maintenance burden

Implementation: LatestVersionFinder inherits from PackageLatestVersionFinder and delegates to Python::UpdateChecker::LatestVersionFinder.

3. String-Based File Updates

Decision: Use string replacement instead of YAML parsing/dumping for file updates.

Rationale:

  • ✅ Preserves original formatting, comments, and structure
  • ✅ Maintains developer-friendly file appearance
  • ✅ Avoids YAML library formatting inconsistencies
  • ✅ Enables surgical updates without affecting unrelated content

Implementation: Sophisticated regex patterns that capture and preserve formatting.

4. Tiered Environment Support

Decision: Implement three-tier support model based on environment complexity.

Rationale:

  • Tier 1 (Simple specs): Full management capability
  • Tier 2 (Mixed): Pip-only management with clear communication
  • Tier 3 (Fully qualified): Graceful rejection with explanation

Implementation: fully_qualified_package? detection via = character counting.

5. Beta Feature Flag Protection

Decision: Protect all functionality behind allow_beta_ecosystems? feature flag.

Rationale:

  • ✅ Safe rollout mechanism
  • ✅ Allows testing without affecting production users
  • ✅ Standard pattern for new ecosystem introduction
  • ✅ Easy activation/deactivation

Implementation: Feature flag check in FileFetcher with clear error messages.


High-Level Architecture

dependabot-core Architecture Integration

The Conda implementation follows dependabot-core's standard four-component architecture pattern:

graph TB
    subgraph "dependabot-core Framework"
        FetcherBase[FileFetchers::Base]
        ParserBase[FileParsers::Base]
        CheckerBase[UpdateCheckers::Base]
        UpdaterBase[FileUpdaters::Base]
    end
    
    subgraph "Conda Implementation"
        FileFetcher[Conda::FileFetcher]
        FileParser[Conda::FileParser]
        UpdateChecker[Conda::UpdateChecker]
        FileUpdater[Conda::FileUpdater]
    end
    
    subgraph "Python Ecosystem Delegation"
        PythonChecker[Python::UpdateChecker::LatestVersionFinder]
        PyPIAPI[PyPI Registry API]
    end
    
    FetcherBase --> FileFetcher
    ParserBase --> FileParser
    CheckerBase --> UpdateChecker
    UpdaterBase --> FileUpdater
    
    UpdateChecker --> PythonChecker
    PythonChecker --> PyPIAPI
    
    FileFetcher --> FileParser
    FileParser --> UpdateChecker
    UpdateChecker --> FileUpdater

Python Ecosystem Delegation Strategy

Key point: Instead of reimplementing PyPI integration, the Conda implementation delegates version checking to the existing Python ecosystem infrastructure:

graph LR
    subgraph "Conda Dependencies"
        CondaDep[numpy=1.26]
        PipDep[pandas>=2.0]
    end
    
    subgraph "Conversion Layer"
        Translator[RequirementTranslator]
    end
    
    subgraph "Python Infrastructure"
        PythonFinder[Python::LatestVersionFinder]
        PyPI[PyPI API]
        Security[Python Security DB]
    end
    
    CondaDep --> Translator
    PipDep --> Translator
    Translator --> PythonFinder
    PythonFinder --> PyPI
    PythonFinder --> Security

How will you know you've accomplished your goal?

  • All local tests have passed
  • All dry-run tests with gathered manifest files have
  • Accepted PR and integrated as beta ecosystem
  • Community testing has been done and all improvements have been implemented
  • Fully documented
  • GA 🎉

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
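As an added illustration (this is not code from the PR or from dependabot-core, and every method name, the blocklist contents and the sample manifest below are hypothetical or constructed), the following Ruby script models the three mechanisms the description relies on: the blocklist-style Python classifier with its `["dependencies"]` / `["pip"]` groups, detection of fully qualified conda specs (`name=version=build`), and the string-based version replacement that leaves comments and indentation intact. The conda-to-pip translation assumes conda's fuzzy `=1.26` pin corresponds to pip's `==1.26.*`.

```ruby
# Added example, not dependabot-core code. Models the Python classifier,
# fully-qualified spec detection and string-based updates described in the
# PR. Method names and the sample manifest are hypothetical/constructed.
require "yaml"

# Constructed environment.yml; comments and indentation are deliberate so
# the updater can be checked for preserving them.
SAMPLE_ENV_YML = <<~YAML
  name: analysis
  channels:
    - conda-forge
  dependencies:
    - python=3.11
    - numpy=1.26        # pinned for reproducibility
    - r-base            # not a Python package
    - pip
    - pip:
        - pandas>=2.0
        - requests==2.31.0  # http client
YAML

# Blocklist approach: only names that are recognisably R or system tools are
# excluded (constructed list); everything else is treated as Python by default.
SYSTEM_TOOL_NAMES = %w[gcc gxx cmake make git ninja].freeze

def python_package?(name)
  return false if SYSTEM_TOOL_NAMES.include?(name)
  return false if name == "r-base" || name.start_with?("r-")
  true
end

# A fully qualified conda spec carries a build string as a third '='-separated
# field (e.g. numpy=1.26.4=py311h64a7726_0). Counting '=' alone would also
# catch the exact pin "numpy==1.26.4", so require three non-empty fields.
def fully_qualified_package?(spec)
  spec.match?(/\A[^=\s]+=[^=\s]+=[^=\s]+\z/)
end

# Split "name<op>version" into [name, requirement]; requirement may be "".
def parse_spec(spec)
  m = spec.strip.match(/\A([A-Za-z0-9_.\-]+)\s*(.*)\z/)
  [m[1], m[2].strip]
end

# Conda's "=1.26" is a fuzzy (prefix) pin, which pip spells "==1.26.*".
# Other operators are passed through unchanged.
def conda_to_pip_requirement(req)
  case req
  when "" then ""
  when /\A==/, /\A[<>!~]/ then req
  when /\A=(.+)\z/ then "==#{Regexp.last_match(1)}.*"
  else raise ArgumentError, "unsupported conda requirement: #{req}"
  end
end

# Parse the manifest into dependency hashes tagged with the semantic groups
# named in the PR: ["dependencies"] for conda entries, ["pip"] for pip entries.
def classify_dependencies(yaml_text)
  doc = YAML.safe_load(yaml_text)
  Array(doc["dependencies"]).flat_map do |entry|
    if entry.is_a?(Hash) && entry.key?("pip")
      Array(entry["pip"]).map do |spec|
        name, req = parse_spec(spec)
        { name: name, requirement: req, groups: ["pip"], fully_qualified: false }
      end
    else
      name, req = parse_spec(entry)
      next [] unless python_package?(name)
      [{ name: name, requirement: req, groups: ["dependencies"],
         fully_qualified: fully_qualified_package?(entry) }]
    end
  end
end

# String-based update: rewrite only the requirement token on the one line
# that declares `name`, keeping indentation, spacing and trailing comments.
def update_version(yaml_text, name, old_req, new_req)
  pattern = /^(\s*-\s*#{Regexp.escape(name)}\s*)#{Regexp.escape(old_req)}(\s*(?:#.*)?)$/
  updated = yaml_text.sub(pattern) { "#{Regexp.last_match(1)}#{new_req}#{Regexp.last_match(2)}" }
  raise ArgumentError, "#{name} #{old_req} not found in manifest" if updated == yaml_text
  updated
end

if $PROGRAM_NAME == __FILE__
  classify_dependencies(SAMPLE_ENV_YML).each { |dep| puts dep.inspect }
  puts update_version(SAMPLE_ENV_YML, "numpy", "=1.26", "=1.27")
end
```

The updater anchors on the dependency name plus the exact old requirement, so an unrelated line such as `numpy-base=1.26` is never touched, and a failed match raises instead of silently returning the original manifest; that is the failure mode a string-based approach must surface rather than hide.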

@theztefan theztefan requested a review from a team as a code owner August 1, 2025 14:38
@honeyankit honeyankit changed the title Add Conda support (for python packages) [Epic] Add Conda support (for python packages) Aug 1, 2025
@honeyankit honeyankit changed the title [Epic] Add Conda support (for python packages) Add Conda support (for python packages) Aug 1, 2025
@theztefan theztefan requested a review from markhallen August 6, 2025 09:08
markhallen previously approved these changes Aug 6, 2025
@markhallen markhallen left a comment


Nice work @theztefan
