
Utility for bumping dependency versions specified in pyproject.toml files

Project description


Overview

BumpDeps is a utility for bumping dependency versions specified in pyproject.toml files. It attempts to adhere to specifications outlined in PEP 440 and PEP 508.

BumpDeps can be used as part of a release process or CI workflow to ensure pinned dependencies do not become outdated.

Background

Typically, dependency versions should not have upper-bound pinning because this is a deployment activity. Pinning dependencies moves the implicit security contract from the user to the maintainer. Instead, automated CI testing should run regularly against the latest versions of dependencies with any issues resolved quickly. Upper-bound pinning, if required, should be temporary and tied to an issue or task.

So why does this tool exist? There may be cases where pinning is still done. Whether this is for valid reasons or not, the dependencies in these cases can quickly become outdated. This tool is intended to simplify the process of updating those dependencies.

Usage

For the most basic usage, run bumpdeps in the root of a project. This will bump the base dependencies found in pyproject.toml.

$ bumpdeps

To bump optional dependencies, simply provide the name of the extra.

$ bumpdeps some_extra some_cooler_extra

To bump all dependencies, use --all or -a.

$ bumpdeps --all

For more granular options, see below.

Customizing

BumpDeps behavior can be customized through the use of in-line comments.

If # bumpdeps: ignore is found after a dependency, BumpDeps will skip updates for that dependency.

If # bumpdeps: ignore-until=YYYY-MM-DD is found after a dependency, BumpDeps will skip updates for that dependency until the date provided.

CLI Arguments

usage: bumpdeps [-h] [-a] [-b] [-i REGEX] [-e REGEX] [-f FILE] [--dry-run] [--pkg-index URL] [-d] [EXTRAS ...]

-a
--all

Update dependencies for base and all extras

-b
--base

Update base dependencies.

This is the default when no extras are provided. Typically used in combination with specific extras.

-n
--no-base

Do not update base dependencies.

This is intended for use with --all when one wants to update all optional dependencies without updating the base dependencies.

-i REGEX
--include REGEX

Regular expression filter. Only dependencies matching the filter will be updated.

-e REGEX
--exclude REGEX

Regular expression filter. Dependencies matching the filter will be skipped.
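The following is an added illustration (not BumpDeps' own code) of how the in-line `# bumpdeps: ignore` / `# bumpdeps: ignore-until=YYYY-MM-DD` markers from the Customizing section and the --include / --exclude regex filters above combine to decide which dependencies are eligible for a bump. It assumes one requirement string per line, that filters are applied with `re.search` against the PEP 508 project name, that an ignore-until date that has arrived re-enables bumping, and that a malformed date is treated as a permanent ignore (fail-safe: never bump on a marker you cannot read).

```python
"""Added example: select pyproject.toml dependencies eligible for a bump."""
import datetime as dt
import re

# Constructed sample; the marker comments use the syntax described on the page.
SAMPLE_PYPROJECT = """
[project]
dependencies = [
    "requests>=2.28,<3",         # bumpdeps: ignore
    "tomli>=2.0,<2.1",           # bumpdeps: ignore-until=2099-01-01
    "tomlkit>=0.11,<0.12",       # bumpdeps: ignore-until=2020-01-01
    "packaging>=22,<23",
]
"""

# PEP 508 project name: the leading token before extras, specifiers or markers.
NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")
# Page's marker syntax; group 1 carries the optional YYYY-MM-DD date.
MARK_RE = re.compile(r"#\s*bumpdeps:\s*ignore(?:-until=(\d{4}-\d{2}-\d{2}))?")


def ignored_by_marker(line, today, start):
    """True if the marker after `start` says this dependency must be skipped."""
    mark = MARK_RE.search(line, start)
    if not mark:
        return False
    if mark.group(1) is None:
        return True  # unconditional "# bumpdeps: ignore"
    try:
        until = dt.date.fromisoformat(mark.group(1))
    except ValueError:
        return True  # assumption: unreadable date -> keep ignoring
    return today < until  # still before the date -> skip


def eligible_dependencies(text, today, include=None, exclude=None):
    """Return dependency names that would be bumped, in file order."""
    inc = re.compile(include) if include else None
    exc = re.compile(exclude) if exclude else None
    names = []
    for line in text.splitlines():
        req = re.match(r'\s*"([^"]+)"', line)  # one quoted requirement per line
        if not req:
            continue
        name = NAME_RE.match(req.group(1)).group(1)
        if ignored_by_marker(line, today, req.end()):
            continue
        if inc and not inc.search(name):
            continue
        if exc and exc.search(name):
            continue
        names.append(name)
    return names
```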

-f FILE
--file FILE

Path to TOML file. Defaults to pyproject.toml in the current directory.

This file is expected to be compatible with the pyproject.toml format.

--dry-run

Show what changes would be made without making any changes.

--pkg-index URL

URL of package index. Defaults to https://pypi.org.

If using a custom URL, it must have an API compatible with PyPI.

-d
--debug

Show debug output

-h
--help

Show help message and exit

Using BumpDeps with GitHub Actions

Configure Deploy Key

It is recommended to create a deploy key. This allows CI tests to run on the pull request that BumpDeps creates. With the default permissions, the pull request will still be created, but it won't trigger CI tests. There are alternative ways to accomplish this. Find more information on this here.

  1. Create an SSH keypair, leave the passphrase blank.

    $ ssh-keygen -t ed25519 -f github_deploy

    This will create two files in the current directory

    • github_deploy

      The private key

    • github_deploy.pub

      The public key

  2. Add the public key (contents of github_deploy.pub) as a deploy key under repo settings

    IMPORTANT: check the box for “Allow write access”

    Instructions for configuring deploy keys can be found here.

  3. Create a repo secret named PRIVATE_KEY under repo settings with private key (contents of github_deploy) as the value

    Instructions for creating repository secrets can be found here.

Example GitHub Actions configuration

This example avoids use of third-party actions; however, it could be simplified by utilizing peter-evans/create-pull-request.

name: Update Dependencies

on:
  schedule:
    # Every Monday at 1 AM
    - cron: '0 1 * * 1'

jobs:
  Update_Deps:

    runs-on: ubuntu-latest
    name: ${{ matrix.name || matrix.args }}

    strategy:
      fail-fast: false
      matrix:
        args: [extras_1, extras_2]
        include:

        - args: '-b'
          name: Base Dependencies

        - args: '-a -i toml.*'
          name: All TOML libs

    env:
      DEPS_UPDATED: false

    steps:
      - uses: actions/checkout@v3
        with:
          ssh-key: ${{ secrets.PRIVATE_KEY }}

      - name: Install latest Python
        uses: actions/setup-python@v4
        with:
          python-version: 3.x

      - name: Install bumpdeps
        run: pip install bumpdeps

      - name: Update deps
        run: |
          set -x
          bumpdeps ${{ matrix.args }}
          git diff --quiet || echo "DEPS_UPDATED=true" >> $GITHUB_ENV

      - name: Create PR
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -x
          PR_BRANCH=bumpdeps/$(echo ${{ matrix.name || matrix.args }} | tr ' ' _)_${{ github.run_id }}
          PR_MSG="BumpDeps: ${{ matrix.name || matrix.args }}"

          # Configure Git
          git config --global user.name "BumpDeps"
          git config --global user.email "<>"

          # Create commit in new branch
          git checkout -b $PR_BRANCH
          git commit -a -m "$PR_MSG"
          git --no-pager log -n 2
          git push -u origin $PR_BRANCH

          # Create PR
          gh pr create -B main -H $PR_BRANCH --title "$PR_MSG" --body "Created by Github Action"
        if: env.DEPS_UPDATED == 'true'
