[Pulp-dev] Pinning dependencies in Pulp 3

Dennis Kliban dkliban at redhat.com
Fri Jul 26 16:33:08 UTC 2019


I really like that there is automation to help us update the deps. If the
PR from dependabot passes CI, we can just merge. Otherwise we will file an

On Fri, Jul 26, 2019 at 11:38 AM David Davis <daviddavis at redhat.com> wrote:

> Recently, Pulp 3 package installs were broken by a new version of DRF
> which necessitated a new release of pulpcore (RC4)[0]. Our releases are
> fragile and unstable because they don't pin versions of dependencies.
> I was thinking of a new strategy whereby we pin pulpcore's dependencies to
> specific versions (either y or z releases) and we use something like
> dependabot[1] to notify us of new updates for pulpcore dependencies. It
> looks like it'll open new PRs when it detects a dependency is out of date.
> The one downside I do see is that dependabot PRs could be ignored.
> However, I think the stability of our releases outweighs this potential
> risk especially as we get closer to GA.
> Thoughts?
> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
> [1] https://dependabot.com/
> David
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20190726/33e0a308/attachment.htm>

More information about the Pulp-dev mailing list