Release notes feedback

[last-partizan]

Hello.

Looking at this release notes https://github.com/celery/pytest-celery/releases/tag/v1.0.1 i want to share some feedback.

It includes lots of dependency updated from @dependatabot , and lists some "Security fixes" totally unrelated to pytest-celery.

If i understand correctly, poetry.lock is not used when installing it as a package, and when testing this with pip install pytest-celery==1.0.0 i already get latest dependency versions.

So, you're listing in the release notes CVE totally unrelated to the package, and updating a package without updating other related packages - does not fix anything.

That's probably dependatabot problem - it treats a package as an app, not as a library. And if you really want to "fix" some of the CVE, you need to bump a package in your pyproject.toml (but, it doesn't even have "certify" in it's dependencies).

In my repos i disabled dependatabot exactly for this reason.

[Nusnus]

Looking at this release notes https://github.com/celery/pytest-celery/releases/tag/v1.0.1 i want to share some feedback.

Thank you for taking the time to post this @last-partizan!
I appreciate it a lot! 🙏

It includes lots of dependency updated from @dependatabot , and lists some "Security fixes" totally unrelated to pytest-celery.

Although you are right it seems, this does affect the development environment of pytest-celery, which is not a client’s problem indeed, but is related to pytest-celery from the other side and does take its versions from the poetry.lock file.

That's probably dependatabot problem - it treats a package as an app, not as a library. And if you really want to "fix" some of the CVE, you need to bump a package in your pyproject.toml (but, it doesn't even have "certify" in it's dependencies).

Very interesting!
I’ve done some tests and you are correct. It indeed only affects the dev environment which uses the poetry.lock file so it will not upgrade the CVE-affected dependencies in a client’s environment unless specifically updated in pyproject.toml, which not all packages are part of in the first place.

This makes the “Security Fixes” section a bit misleading.
Note taken. I will pay more attention in the future.

In my repos i disabled dependatabot exactly for this reason.

Do you suggest any alternative method for automatic updates?
Or maybe dependatabot can be configured better to offer changes in the pyproject.toml file as well, at least for packages that are mentioned. For the packages the “app” uses, we can agree it only affects the dev-env so at least it covers that aspect correctly.

[last-partizan]

I think, as a library - we should not be concerned about automatic updates. That's app developer responsibility.

Even enforcing minimum versions should be done only if we're using features unavailable in related libraries.

As for "dev-env", yoy could still use dependatabot (and probably configure it to combine updates into single PR, i've seen this mentioned in the docs). Or - just update all dev env dependencies once in a few months.