
(Python packaging): Dependabot overrun trying to resolve all versions


General Issue

Dependabot is unable to determine most recent package versions, resulting in timeout

The Question

To reproduce:

  1. Create a GitHub repo.
  2. Install a few Python AWS CDK packages (17 in this case).
  3. Configure Dependabot for pip.
  4. Wait for Dependabot to do its thing.

What should happen: Dependabot should run successfully within a reasonable amount of time.

What happens: Dependabot did 664 HTTP GETs of https://pypi.org:443/pypi/aws-cdk.[…]/[…]/json before giving up after 45 minutes of runtime. This seems to be the GitHub timeout for Dependabot jobs.

This means that users who have configured Dependabot on GitHub and are using Python AWS CDK packages are in danger of not getting automatic package update PRs, which is the sole purpose of Dependabot. Since Dependabot also fails silently (you have to go to https://github.com/$USER/$PROJECT/network/updates to see any indication of failure) this means projects are in danger of running vulnerable software.

I think this happens because of missing package metadata, resulting in Dependabot having to download every single version in order to determine which is the latest. But I don’t know wheels and other packaging features well enough to say for sure.

Workaround: Manually run poetry update after merging all the PRs Dependabot was able to create.

Untested workarounds:

  • Lock dependency versions in pyproject.toml?
  • Configure a separate job to run Dependabot? GitHub Actions should have a longer timeout than the built-in Dependabot configuration.

Other places this could be fixed:

  • Dependabot could use the version number in the URL rather than fetching each version to (presumably) check its version number. I expect this wasn’t done because the URL doesn’t necessarily contain the full version number (as in the case of private repos).
  • GitHub could bump their timeout.

CDK CLI Version

N/A

Framework Version

No response

Node.js Version

No response

OS

No response

Language

Python

Language Version

No response

Other information

No response
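As an added example (not code from the issue, from Dependabot or from the CDK project), the following shows that one project-level request to the PyPI JSON API already lists every release, so the newest usable version can be chosen without a GET per version. The response body is constructed and trimmed to the fields the code reads; the package name and version numbers are taken from the thread.

```python
import json
import re

# Constructed sample of a https://pypi.org/pypi/<package>/json response, trimmed
# to the fields used below. A real aws-cdk.* response lists hundreds of releases.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "aws-cdk.core", "version": "1.139.0"},
    "releases": {
        "1.92.0":   [{"filename": "aws_cdk.core-1.92.0-py3-none-any.whl",   "yanked": False}],
        "1.93.0":   [{"filename": "aws_cdk.core-1.93.0-py3-none-any.whl",   "yanked": False}],
        "1.139.0":  [{"filename": "aws_cdk.core-1.139.0-py3-none-any.whl",  "yanked": False}],
        "1.140.0":  [{"filename": "aws_cdk.core-1.140.0-py3-none-any.whl",  "yanked": True}],
        "2.0.0rc1": [{"filename": "aws_cdk.core-2.0.0rc1-py3-none-any.whl", "yanked": False}],
    },
})

# PEP 440 final releases only: digits and dots, no a/b/rc/dev/post suffixes.
FINAL_RELEASE = re.compile(r"^\d+(\.\d+)*$")


def release_key(version):
    """Order final releases numerically, so '1.139.0' sorts above '1.92.0'."""
    return tuple(int(part) for part in version.split("."))


def latest_release(pypi_json_text):
    """Return the newest installable final release from one project-level document.

    Pre-releases are skipped, as are versions whose every file was yanked
    (withdrawn by the maintainer). Returns None if nothing qualifies.
    """
    data = json.loads(pypi_json_text)
    usable = []
    for version, files in data["releases"].items():
        if not FINAL_RELEASE.match(version):
            continue  # e.g. 2.0.0rc1
        if not files or all(f.get("yanked", False) for f in files):
            continue  # nothing installable for this version
        usable.append(version)
    return max(usable, key=release_key) if usable else None


def summarize(pypi_json_text):
    """Compare what PyPI advertises with what is actually usable, in one request."""
    data = json.loads(pypi_json_text)
    return {
        "name": data["info"]["name"],
        "versions_listed": len(data["releases"]),
        "advertised": data["info"]["version"],
        "latest_usable": latest_release(pypi_json_text),
    }
```

The `info.version` field can lag or point at a yanked release, which is why the code derives the answer from `releases` rather than trusting the advertised value.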

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 11 (10 by maintainers)

Top GitHub Comments

1 reaction
l0b0 commented, Jan 18, 2022

Oh, I see. You’ve got aws-cdk 1.139, while the Geostore project still lingers at 1.92, presumably because of version incompatibilities with other packages. So this should be fixed once we’re able to upgrade somewhere between 1.93 and 1.139. We can probably close this; I’ll just create a new issue if this comes up with newer versions.

0 reactions
github-actions[bot] commented, Jan 18, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

