Dependabot-core: "Requirements to unlock update_not_possible" with python repo with requirements.txt

Created on 20 Dec 2020 · 3 Comments · Source: dependabot/dependabot-core

We recently installed dependabot in https://github.com/ultralytics/yolov3 (python repo with requirements.txt file), and after running dependabot, all packages display "Requirements to unlock update_not_possible" message, and no PR is generated, despite many packages being identified as out of date.

i.e. scipy>=1.4.1 in https://github.com/ultralytics/yolov3/blob/master/requirements.txt, which dependabot identifies as "Latest version is 1.5.4", before giving the "Requirements to unlock update_not_possible" message, and taking no action.

updater | INFO <job_77033297> Checking if scipy  needs updating
  proxy | 2020/12/20 03:37:26 [026] GET https://pypi.org:443/simple/scipy/
  proxy | 2020/12/20 03:37:26 [026] 200 https://pypi.org:443/simple/scipy/
updater | INFO <job_77033297> Latest version is 1.5.4
  proxy | 2020/12/20 03:37:26 [028] GET https://pypi.org:443/simple/scipy/
  proxy | 2020/12/20 03:37:26 [028] 200 https://pypi.org:443/simple/scipy/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for scipy 

This is our first time using dependabot, so perhaps there is something we are not understanding. Any insights are appreciated. Thank you for your time!

Package manager/ecosystem
pip/python
Manifest contents prior to update
https://github.com/ultralytics/yolov3/blob/master/requirements.txt
Updated dependency
scipy>=1.4.1, should be updated to 1.5.4, but no action is taken
What you expected to see, versus what you actually saw
scipy>=1.4.1, should be updated to 1.5.4, but no action is taken
Images of the diff or a link to the PR, issue or logs
https://github.com/ultralytics/yolov3/network/updates/77033297

proxy | time="2020-12-20T03:37:13Z" level=info msg="proxy starting" commit=21ae9f84e9bb7b3f720e9bdc56e0b7a93b360267
  proxy | 2020/12/20 03:37:13 Listening (:1080)
updater | 2020-12-20T03:37:13.168714718 [77033297:WARN:src/devices/src/legacy/serial.rs:422] Detached the serial input due to peer close/error.
updater | time="2020-12-20T03:37:14Z" level=info msg="guest starting" commit=93f0ca9ddab7d943fd6e4b0d09e3c9a987e8a768
updater | time="2020-12-20T03:37:14Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=77033297 updater_timeout=45m0s updater_version=0.129.0-794bc4cbac8a083de02872c15ea85a55ccbe2aff
updater | yarn config v1.22.5
updater | success Set "cafile" to "/etc/ssl/certs/ca-certificates.crt".
updater | Done in 0.03s.
updater | I, [2020-12-20T03:37:17.367930 #72]  INFO -- sentry: ** [Raven] Raven 3.1.1 ready to catch errors
updater | INFO <job_77033297> Starting job processing
  proxy | 2020/12/20 03:37:19 [002] GET https://api.github.com:443/repos/ultralytics/yolov3
  proxy | 2020/12/20 03:37:19 [002] * authenticating github api request
  proxy | 2020/12/20 03:37:19 [002] 200 https://api.github.com:443/repos/ultralytics/yolov3
  proxy | 2020/12/20 03:37:19 [004] GET https://api.github.com:443/repos/ultralytics/yolov3/git/refs/heads/master
  proxy | 2020/12/20 03:37:19 [004] * authenticating github api request
  proxy | 2020/12/20 03:37:19 [004] 200 https://api.github.com:443/repos/ultralytics/yolov3/git/refs/heads/master
  proxy | 2020/12/20 03:37:19 [006] GET https://api.github.com:443/repos/ultralytics/yolov3/contents/?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [006] * authenticating github api request
  proxy | 2020/12/20 03:37:19 [006] 200 https://api.github.com:443/repos/ultralytics/yolov3/contents/?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [008] GET https://api.github.com:443/repos/ultralytics/yolov3/contents/requirements.txt?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [008] * authenticating github api request
  proxy | 2020/12/20 03:37:19 [008] 200 https://api.github.com:443/repos/ultralytics/yolov3/contents/requirements.txt?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [010] GET https://api.github.com:443/repos/ultralytics/yolov3/contents/.github?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [010] * authenticating github api request
  proxy | 2020/12/20 03:37:19 [010] 200 https://api.github.com:443/repos/ultralytics/yolov3/contents/.github?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [012] GET https://api.github.com:443/repos/ultralytics/yolov3/contents/data?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [012] * authenticating github api request
  proxy | 2020/12/20 03:37:19 [012] 200 https://api.github.com:443/repos/ultralytics/yolov3/contents/data?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [014] GET https://api.github.com:443/repos/ultralytics/yolov3/contents/models?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:19 [014] * authenticating github api request
  proxy | 2020/12/20 03:37:20 [014] 200 https://api.github.com:443/repos/ultralytics/yolov3/contents/models?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:20 [016] GET https://api.github.com:443/repos/ultralytics/yolov3/contents/utils?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:20 [016] * authenticating github api request
  proxy | 2020/12/20 03:37:20 [016] 200 https://api.github.com:443/repos/ultralytics/yolov3/contents/utils?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:20 [018] GET https://api.github.com:443/repos/ultralytics/yolov3/contents/weights?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
  proxy | 2020/12/20 03:37:20 [018] * authenticating github api request
  proxy | 2020/12/20 03:37:20 [018] 200 https://api.github.com:443/repos/ultralytics/yolov3/contents/weights?ref=a21595e2e22e650b1e9f591c336e516b50a29b8f
updater | INFO <job_77033297> Finished job processing
updater | time="2020-12-20T03:37:20Z" level=info msg="task complete" container_id=job-77033297-file-fetcher exit_code=0 job_id=77033297 step=fetcher
updater | yarn config v1.22.5
updater | success Set "cafile" to "/etc/ssl/certs/ca-certificates.crt".
updater | Done in 0.02s.
updater | I, [2020-12-20T03:37:22.366430 #73]  INFO -- sentry: ** [Raven] Raven 3.1.1 ready to catch errors
updater | INFO <job_77033297> Starting job processing
updater | INFO <job_77033297> Starting update job for ultralytics/yolov3
updater | INFO <job_77033297> Checking if tensorboard  needs updating
  proxy | 2020/12/20 03:37:26 [022] GET https://pypi.org:443/simple/tensorboard/
  proxy | 2020/12/20 03:37:26 [022] 200 https://pypi.org:443/simple/tensorboard/
updater | INFO <job_77033297> Latest version is 2.4.0
  proxy | 2020/12/20 03:37:26 [024] GET https://pypi.org:443/simple/tensorboard/
  proxy | 2020/12/20 03:37:26 [024] 200 https://pypi.org:443/simple/tensorboard/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for tensorboard 
updater | INFO <job_77033297> Checking if scipy  needs updating
  proxy | 2020/12/20 03:37:26 [026] GET https://pypi.org:443/simple/scipy/
  proxy | 2020/12/20 03:37:26 [026] 200 https://pypi.org:443/simple/scipy/
updater | INFO <job_77033297> Latest version is 1.5.4
  proxy | 2020/12/20 03:37:26 [028] GET https://pypi.org:443/simple/scipy/
  proxy | 2020/12/20 03:37:26 [028] 200 https://pypi.org:443/simple/scipy/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for scipy 
updater | INFO <job_77033297> Checking if pycocotools  needs updating
  proxy | 2020/12/20 03:37:27 [030] GET https://pypi.org:443/simple/pycocotools/
  proxy | 2020/12/20 03:37:27 [030] 200 https://pypi.org:443/simple/pycocotools/
updater | INFO <job_77033297> Latest version is 2.0.2
  proxy | 2020/12/20 03:37:27 [032] GET https://pypi.org:443/simple/pycocotools/
  proxy | 2020/12/20 03:37:27 [032] 200 https://pypi.org:443/simple/pycocotools/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for pycocotools 
updater | INFO <job_77033297> Checking if cython  needs updating
  proxy | 2020/12/20 03:37:27 [034] GET https://pypi.org:443/simple/cython/
  proxy | 2020/12/20 03:37:27 [034] 200 https://pypi.org:443/simple/cython/
updater | INFO <job_77033297> Latest version is 0.29.21
  proxy | 2020/12/20 03:37:28 [036] GET https://pypi.org:443/simple/cython/
  proxy | 2020/12/20 03:37:28 [036] 200 https://pypi.org:443/simple/cython/
updater | INFO <job_77033297> No update needed for cython 
updater | INFO <job_77033297> Checking if torchvision  needs updating
  proxy | 2020/12/20 03:37:28 [038] GET https://pypi.org:443/simple/torchvision/
  proxy | 2020/12/20 03:37:28 [038] 200 https://pypi.org:443/simple/torchvision/
updater | INFO <job_77033297> Latest version is 0.8.2
  proxy | 2020/12/20 03:37:28 [040] GET https://pypi.org:443/simple/torchvision/
  proxy | 2020/12/20 03:37:28 [040] 200 https://pypi.org:443/simple/torchvision/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for torchvision 
updater | INFO <job_77033297> Checking if seaborn  needs updating
  proxy | 2020/12/20 03:37:28 [042] GET https://pypi.org:443/simple/seaborn/
  proxy | 2020/12/20 03:37:28 [042] 200 https://pypi.org:443/simple/seaborn/
updater | INFO <job_77033297> Latest version is 0.11.0
  proxy | 2020/12/20 03:37:29 [044] GET https://pypi.org:443/simple/seaborn/
  proxy | 2020/12/20 03:37:29 [044] 200 https://pypi.org:443/simple/seaborn/
updater | INFO <job_77033297> No update needed for seaborn 
updater | INFO <job_77033297> Checking if torch  needs updating
  proxy | 2020/12/20 03:37:29 [046] GET https://pypi.org:443/simple/torch/
  proxy | 2020/12/20 03:37:29 [046] 200 https://pypi.org:443/simple/torch/
updater | INFO <job_77033297> Latest version is 1.7.1
  proxy | 2020/12/20 03:37:29 [048] GET https://pypi.org:443/simple/torch/
  proxy | 2020/12/20 03:37:29 [048] 200 https://pypi.org:443/simple/torch/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for torch 
updater | INFO <job_77033297> Checking if pandas  needs updating
  proxy | 2020/12/20 03:37:29 [050] GET https://pypi.org:443/simple/pandas/
  proxy | 2020/12/20 03:37:29 [050] 200 https://pypi.org:443/simple/pandas/
updater | INFO <job_77033297> Latest version is 1.1.5
  proxy | 2020/12/20 03:37:29 [052] GET https://pypi.org:443/simple/pandas/
  proxy | 2020/12/20 03:37:29 [052] 200 https://pypi.org:443/simple/pandas/
updater | INFO <job_77033297> No update needed for pandas 
updater | INFO <job_77033297> Checking if numpy  needs updating
  proxy | 2020/12/20 03:37:30 [054] GET https://pypi.org:443/simple/numpy/
  proxy | 2020/12/20 03:37:30 [054] 200 https://pypi.org:443/simple/numpy/
updater | INFO <job_77033297> Latest version is 1.19.4
  proxy | 2020/12/20 03:37:30 [056] GET https://pypi.org:443/simple/numpy/
  proxy | 2020/12/20 03:37:30 [056] 200 https://pypi.org:443/simple/numpy/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for numpy 
updater | INFO <job_77033297> Checking if opencv-python  needs updating
  proxy | 2020/12/20 03:37:31 [058] GET https://pypi.org:443/simple/opencv-python/
  proxy | 2020/12/20 03:37:31 [058] 200 https://pypi.org:443/simple/opencv-python/
updater | INFO <job_77033297> Latest version is 4.4.0.46
  proxy | 2020/12/20 03:37:31 [060] GET https://pypi.org:443/simple/opencv-python/
  proxy | 2020/12/20 03:37:31 [060] 200 https://pypi.org:443/simple/opencv-python/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for opencv-python 
updater | INFO <job_77033297> Checking if pyyaml  needs updating
  proxy | 2020/12/20 03:37:31 [062] GET https://pypi.org:443/simple/pyyaml/
  proxy | 2020/12/20 03:37:31 [062] 200 https://pypi.org:443/simple/pyyaml/
updater | INFO <job_77033297> Latest version is 5.3.1
  proxy | 2020/12/20 03:37:32 [064] GET https://pypi.org:443/simple/pyyaml/
  proxy | 2020/12/20 03:37:32 [064] 200 https://pypi.org:443/simple/pyyaml/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for pyyaml 
updater | INFO <job_77033297> Checking if matplotlib  needs updating
  proxy | 2020/12/20 03:37:32 [066] GET https://pypi.org:443/simple/matplotlib/
  proxy | 2020/12/20 03:37:32 [066] 200 https://pypi.org:443/simple/matplotlib/
updater | INFO <job_77033297> Latest version is 3.3.3
  proxy | 2020/12/20 03:37:32 [068] GET https://pypi.org:443/simple/matplotlib/
  proxy | 2020/12/20 03:37:32 [068] 200 https://pypi.org:443/simple/matplotlib/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for matplotlib 
updater | INFO <job_77033297> Checking if thop  needs updating
  proxy | 2020/12/20 03:37:32 [070] GET https://pypi.org:443/simple/thop/
  proxy | 2020/12/20 03:37:32 [070] 200 https://pypi.org:443/simple/thop/
updater | INFO <job_77033297> Latest version is 0.0.31.post2005241907
  proxy | 2020/12/20 03:37:32 [072] GET https://pypi.org:443/simple/thop/
  proxy | 2020/12/20 03:37:32 [072] 200 https://pypi.org:443/simple/thop/
updater | INFO <job_77033297> No update needed for thop 
updater | INFO <job_77033297> Checking if tqdm  needs updating
  proxy | 2020/12/20 03:37:32 [074] GET https://pypi.org:443/simple/tqdm/
  proxy | 2020/12/20 03:37:32 [074] 200 https://pypi.org:443/simple/tqdm/
updater | INFO <job_77033297> Latest version is 4.54.1
  proxy | 2020/12/20 03:37:32 [076] GET https://pypi.org:443/simple/tqdm/
  proxy | 2020/12/20 03:37:32 [076] 200 https://pypi.org:443/simple/tqdm/
updater | INFO <job_77033297> Requirements to unlock update_not_possible
updater | INFO <job_77033297> Requirements update strategy bump_versions
updater | INFO <job_77033297> No update possible for tqdm 
updater | INFO <job_77033297> Checking if pillow  needs updating
  proxy | 2020/12/20 03:37:33 [078] GET https://pypi.org:443/simple/pillow/
  proxy | 2020/12/20 03:37:33 [078] 200 https://pypi.org:443/simple/pillow/
updater | INFO <job_77033297> Latest version is 8.0.1
  proxy | 2020/12/20 03:37:33 [080] GET https://pypi.org:443/simple/pillow/
  proxy | 2020/12/20 03:37:33 [080] 200 https://pypi.org:443/simple/pillow/
updater | INFO <job_77033297> No update needed for pillow 
updater | INFO <job_77033297> Finished job processing
updater | time="2020-12-20T03:37:34Z" level=info msg="task complete" container_id=job-77033297-updater exit_code=0 job_id=77033297 step=updater
bug 🐞

All 3 comments

I installed packages from the given requirements list. No package needs to be updated at the moment.

scipy>=1.4.1, should be updated to 1.5.4, but no action is taken

is not true. 1.5.4 satisfies the scipy>=1.4.1 rule, so no update is necessary. The only package there that is pinned and can be updated by Dependabot is coremltools==4.0, and it doesn't need an update at the moment. If you want to get PRs for other dependencies, you should try to pin versions or use a lock file.

Yes, @ulgens is right, but I wonder if we can improve our messages when this happens.

The reason this works like it does, is because dependabot (or any other user for that matter) cannot know which version you actually have installed when there's no lockfile, or the version is not pinned, and like @ulgens mentioned, when you install the given requirements.txt from scratch, it will indeed install the latest version.

@jurre @ulgens ah I understand now. Yes, so if the packages are not 'pinned' to a specific version using ==, like scipy==1.4.1 then no action is taken as the pip install command will install the latest version when scipy>=1.4.1 is specified.

Yes perhaps an updated message for newcomers like myself would help understand better, i.e.

scipy not updated as scipy>=1.4.1 already installs latest version 1.5.4
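
The distinction the thread arrives at, as an added example (not Dependabot's code and not part of the original issue): a small stdlib-only audit that separates `==` pins, which an updater can rewrite, from ranges that already admit the latest release and so leave nothing to change in the manifest. The sample manifest is constructed, the names `classify`, `parse_line` and `vtuple` are hypothetical, and only plain numeric versions are handled.

```python
import re

# Constructed sample manifest. Only scipy>=1.4.1 and coremltools==4.0 are quoted
# in the thread; the numpy and tqdm lines are made up for illustration.
SAMPLE_REQUIREMENTS = """\
scipy>=1.4.1
numpy>=1.18.5
coremltools==4.0
tqdm==4.41.0  # constructed stale pin
"""

# Latest versions as reported in the job log above; coremltools 4.0 is assumed
# current because the thread says it needs no update.
LATEST = {"scipy": "1.5.4", "numpy": "1.19.4", "coremltools": "4.0", "tqdm": "4.54.1"}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
SPEC_RE = re.compile(r"^(==|>=|<=|!=|>|<)\s*(\d+(?:\.\d+)*)$")
OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def vtuple(version):
    """Numeric release only (not full PEP 440); 4.0 and 4.0.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_line(line):
    """Return (name, [(op, version), ...]) or None for blanks, comments, options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    match = NAME_RE.match(line)
    if not match:
        raise ValueError(f"unsupported requirement line: {line!r}")
    specs = []
    for part in filter(None, (p.strip() for p in match.group(2).split(","))):
        spec = SPEC_RE.match(part)
        if not spec:
            raise ValueError(f"unsupported specifier: {part!r}")
        specs.append((spec.group(1), spec.group(2)))
    return match.group(1).lower(), specs

def classify(requirements_text, latest):
    """Map each package to what a manifest-only updater could do with its line."""
    report = {}
    for parsed in filter(None, map(parse_line, requirements_text.splitlines())):
        name, specs = parsed
        newest = vtuple(latest[name])
        if len(specs) == 1 and specs[0][0] == "==":
            pin = vtuple(specs[0][1])
            report[name] = "pin_current" if pin == newest else (
                "pin_behind_latest" if pin < newest else "pin_ahead_of_index")
        elif all(OPS[op](newest, vtuple(v)) for op, v in specs):
            report[name] = "range_already_allows_latest"
        else:
            report[name] = "range_excludes_latest"
    return report
```

Every `range_already_allows_latest` entry is also a line where the repository does not record which version actually gets installed, which is the reason given in the thread for pinning or using a lock file.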
