You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The requirements.txt claims only exists to facilitate dependency scanning. We're getting spurious alerts from it. Fix that.
Approach
Add a reminder comment in pyproject.toml. Copy over to requirements.txt and delete the optional/dev dependencies listed there. Alphabetize.
Update the snyk.yml workflow to uv pip compile from pyproject.toml, so snyk stays in sync. Then delete the requirements.txt because it's only used for snyk, right? Wrong, other things are failing. So we'll need to clean up other references to that requirements file.
I think we can uv pip compile to generate the requirements file.
Sure, we could, but that might entail bigger build tooling changes that I wasn't looking to take on myself right now. I was just hoping to clean up some nuisance snyk alerts.
It turns out though that the comment that "requirements.txt is just used by snyk" is (no longer) true, it's referenced in several places in the repo, and maybe it's connected to why the integration tests failed, I haven't looked into it. So I'm going to have to rethink this.
@edavidaja I edited the snyk workflow to uv pip compile, so we should be able to delete the requirements.txt. However, the comment in it seems to be a lie and we do use it elsewhere in CI, so that will need to be tracked down.
I think #536 is the thing that needs to be unwound. [edit: or not, can't tell that this is used in CI, though we should address this anyway, perhaps by deleting]
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Intent
The requirements.txt claims only exists to facilitate dependency scanning. We're getting spurious alerts from it. Fix that.
Approach
Add a reminder comment in pyproject.toml. Copy over to requirements.txt and delete the optional/dev dependencies listed there. Alphabetize.Update the
snyk.ymlworkflow touv pip compilefrompyproject.toml, so snyk stays in sync. Then delete therequirements.txtbecause it's only used for snyk, right? Wrong, other things are failing. So we'll need to clean up other references to that requirements file.Automated Tests
CI should pass.