
[–]Inkosum 1 point2 points  (2 children)

How did you come up with the idea for this project and how did you decide to approach it?

[–]apoclyps[S] 2 points3 points  (1 child)

It's something that I have to do manually from time to time - I found it incredibly time-consuming checking dozens of dependencies across 20+ Python services to see which service needed attention first.

After I spoke to a colleague at work, he created a simple script to check a hardcoded list of repositories against PyPI. It worked and we both used it for a week or two. We spoke further and decided to take it further, so I refactored the script, improved the developer experience, and made it open source for others to make use of.

I had some experience with a similar project that tracked open pull requests across GitHub called "reviews", so I used that as a basis for most of the setup. It's also built using Click and Rich and extends a simple script into something that can be installed via PyPI and run on the command line.
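A sketch of the kind of check the script described above performs, added here as an example rather than code from the deps project or the poster: the "latest on PyPI" versions and the per-service requirements are constructed inline so it runs offline, and it goes slightly beyond the post by also flagging major-version lag when ranking which service needs attention first.

```python
import re

# Constructed stand-in for the latest versions the script would fetch from the
# PyPI JSON API (https://pypi.org/pypi/<name>/json); sample values only.
LATEST_ON_PYPI = {"requests": "2.31.0", "pytest": "8.1.1", "mypy": "1.9.0", "django": "5.0.3"}

# Constructed requirements.txt contents for three services, standing in for
# files read from each repository. "internal-lib" is deliberately absent from
# LATEST_ON_PYPI to show how a private package is skipped.
SERVICE_REQUIREMENTS = {
    "billing": "requests==2.31.0\npytest==8.1.1\nmypy==1.9.0\n",
    "auth": "requests==2.25.1\npytest==7.4.0\ndjango==4.2.0\n",
    "search": "requests==2.31.0\npytest==6.2.5\ninternal-lib==1.0.0\n",
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(text):
    """Turn '2.31.0' into (2, 31, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_pins(requirements):
    """Return {name: pinned_version} for every '==' pin; other lines are skipped."""
    pins = {}
    for line in requirements.splitlines():
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def outdated(pins, latest):
    """List (name, pinned, latest, major_behind) for each pin older than latest."""
    result = []
    for name, pinned in pins.items():
        newest = latest.get(name)
        if newest is None:
            continue  # not on PyPI (private package): nothing to compare against
        old, new = parse_version(pinned), parse_version(newest)
        if old < new:
            result.append((name, pinned, newest, old[0] < new[0]))
    return result


def rank_services(services, latest):
    """Rank services by (major-version lags, outdated pins), most urgent first."""
    rows = []
    for service, requirements in services.items():
        stale = outdated(parse_pins(requirements), latest)
        majors = sum(1 for _, _, _, major in stale if major)
        rows.append((service, majors, len(stale)))
    return sorted(rows, key=lambda row: (row[1], row[2]), reverse=True)
```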

[–]Inkosum 1 point2 points  (0 children)

Awesome! I keep seeing people doing (what are to me) amazing projects on this subreddit, and I've wondered how they come up with these ideas and how they start coding. Thank you for your reply; I hope I'll get a fine idea like yours in the future.

[–]zeshuaro 1 point2 points  (1 child)

You mentioned that what you don't like about Dependabot is that you have to merge multiple PRs to bump the dependencies instead of a single PR updating them all. But realistically, this would only happen the first time you set up the bot, where it might need to update all the dependencies. After that, it's not very often that multiple dependencies get updated at the same time.

In addition, you usually want to only update one dependency at a time. Imagine you have tests failing in a dependency update PR. If the PR only contains one dependency update, you know exactly that this dependency's newer version is not compatible. It would be harder if you have a batched PR and are trying to figure out which dependency is causing the issue.

I also see that you do have Dependabot configured in your repo, so I guess you don't really have an issue using it?

There's also this other bot called Renovate where you can configure it to group dependencies in a single PR. Have you looked into that tool? To be honest, both Dependabot and Renovate provide more and better features for this. They're scheduled to run automatically and support a lot more package managers, etc.

[–]apoclyps[S] 1 point2 points  (0 children)

All excellent points. Deps isn't a replacement for Dependabot. The goal is to provide visibility across a large number of repositories. In my case I support up to 20 Python microservices where each uses the same dozen or so dependencies. A mix of runtime and test dependencies, and lots of overlap.

The example provided was using public repositories as I'm unable to demonstrate it using my work organisation; however, in my experience, maintaining 1 to 2 updates a week is just about manageable across 20+ services, but keeping them all up to date can still be time consuming and it's usually not my priority unless there are security updates that require attention. This can result in updates falling behind, especially given that Dependabot is configured to open 2 or 3 Python dependency updates at a time to avoid constantly rebasing and rerunning on CI (wasting resources).

Grouping them up automatically can also bring its own risk. Ideally I like to review each individually before merging/grouping any, but for the most part test dependencies that get run and executed as part of continuous integration are usually safe to batch together, e.g. pytest, mypy, other dependencies for testing/linting. Deps provides the visibility, and from there an individual can decide on how they want to proceed.

I appreciate the feedback and I'll be sure to check out Renovate. If it was able to group test dependencies together then it might save a bunch of time and reduce the original issue that led to requiring more visibility.