SCANPY-245 Fix strict dependencies pinning of pysonar #312
guillaume-dequenne wants to merge 4 commits into master
Summary
This PR loosens the overly strict dependency version pinning in pysonar by replacing exact version constraints with semantic versioning ranges. Changes include: updating main dependencies from pinned versions (e.g.,
What reviewers should know
The core change is in pyproject.toml (lines 31-36): three main dependencies shift from exact pinning to version ranges, and two dev-only packages move out of main dependencies. The poetry.lock file (~852 lines changed) is automatically regenerated to reflect these changes—reviewers should focus on verifying the pyproject.toml logic rather than the lock file details. Note the JFrog source rename from 'jfrog-server' to 'repox' (line 61)—ensure this aligns with infrastructure expectations.
0c2ee3c to feca753
poetry.lock
Outdated
| @@ -1,4 +1,4 @@ | |||
| # This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand. | |||
| # This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand. | |||
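Review bot: The generator line in the poetry.lock header goes from Poetry 2.3.2 to Poetry 2.1.1, so the lock file was regenerated with an older Poetry than the one that wrote the previous file. Regenerate it with the same Poetry version as before so this header line stays unchanged and the lock diff carries only the dependency changes, or say in the PR that the tool version change is intended.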
The lock file was generated with Poetry 2.1.1, but the previous lock file was generated with 2.3.2. This is a downgrade. The mise toolchain in this repo pins specific tool versions — was this intentional? If CI or other developers run a different Poetry version (2.3.x), they may get a different lock file on next poetry lock, causing churn. Please confirm this matches the Poetry version pinned in .mise.toml / .tool-versions.
feca753 to dfd3758
joke1196 left a comment
LGTM! Do you need to add pygments 2.19, was version 2.20 not available?
LGTM! ✅
The Poetry version mismatch flagged in the previous review is still present, just with different version numbers. mise.toml pins pipx:poetry = "2.2.1" but the lock file was regenerated with Poetry 2.3.3. Developers using mise will get Poetry 2.2.1, which may produce a different lock file on next poetry lock or poetry install --sync, causing churn. Please either update mise.toml to 2.3.3, or regenerate the lock with 2.2.1.





No description provided.