A tool that updates all your project's Python dependency files through Pull Requests on GitHub/GitLab.

https://travis-ci.org/pyupio/pyup.svg?branch=master

https://codecov.io/github/pyupio/pyup/coverage.svg?branch=master

About

This repo contains the bot that is running at pyup.io. You can install it locally and run the bot through the command line interface.

Documentation: https://pyup.io/docs/

Installation

To install pyup, run:

$ pip install pyupio

If you want to update Pipfiles, install the optional pipenv extra:

$ pip install dparse[pipenv]

Obtain Token

In order to communicate with the github API, you need to create an oauth token for your account:

Log in to your github account
Click on settings -> Personal access tokens
Click on Generate new token
Make sure to check repo and email and click on Generate token

Run your first Update

Run:

$ pyup --repo=username/repo --user-token=
   --initial

This will check all your requirement files and search for new package versions. If there are updates available, pyup will create a new branch on your repository and create a new commit for every single update. Once all files are up to date, pyup will create a single pull request containing all commits.

Once your repository is up to date and the initial update is merged in, remove the --initial flag and run:

$ pyup --repo=username/repo --user-token=

This will create a new branch and a pull request for every single update. Run a cronjob or a scheduled task somewhere that auto-updates your repository once in a while (e.g. every day) to stay on latest.

Pyup also has experimental support for Gitlab. Generate a personal access token from your profile settings (eg. https://gitlab.com/profile/personal_access_tokens), then run pyup from the cli:

# gitlab.com:
$ pyup --provider gitlab --repo=username/repo --user-token=

Custom Gitlab instance and GitHub Enterprise support

Pyup offer support for custom Gitlab instances and GitHub Enterprise via the provider_url option:

$ pyup --provider github --provider_url https://github.enterprise/api/v3 --repo=username/repo --user-token=
  
$ pyup --provider gitlab --provider_url https://your.gitlab/ --repo=username/repo --user-token=
  
   

# The alternative method to add a custom gitlab instance is still valid :
$ pyup --provider gitlab --repo=username/repo --user-token=
   
    @https://your.gitlab/

Disable verification of SSL certificate:

$ pyup --provider github --provider_url https://github.enterprise/api/v3 --repo=username/repo --user-token=
   --ignore_ssl
$ pyup --provider gitlab --repo=username/repo --user-token=
  
   @https://your.gitlab/ --ignore_ssl

Python 2.7

This tool requires latest Python patch versions starting with version 3.5. We did support Python 2.7 in the past but, as for other Python 3.x minor versions, it reached its End-Of-Life and as such we are not able to support it anymore.

We understand you might still have Python 2.7 projects running. At the same time, PyUp itself has a commitment to encourage developers to keep their software up-to-date, and it would not make sense for us to work with officially unsupported Python versions, or even those that reached their end of life.

If you still need to run PyUp from a Python 2.7 environment, please use version 1.0.2 available at PyPi. Alternatively, you can run PyUp from a Python 3 environment to check the requirements file for your Python 2.7 project.

Have you thought about adding other non-django requirement files into the pyup check? Most specifically I'm talking about the requirements file provided by hitchtest, which is found in "/hitch/hitchreqs.txt".

Maybe an option to define other folders/files within the project would do the job!

Private repository (private access enabled obviously). I pushed a new branch 'develop' to my repository and changed it to be the default. I closed a pull request and deleted the branch, however the new PR was still against the old 'master' branch (which is no longer default and has been set to be a protected branch). I have tried removing the repository from pyup.io and re-adding it and I still got the same behavior.

I had to add a .pyup.yml file with branch = develop to get the correct behavior but the docs state that pyup makes PR's against the default branch on the repository (usually master)

bug

I am unsure what my error is to cause the PyUP Web UI to render unusable (screenshot attached). I might try reversing the logic to only update: False on setup.cfg

I can't remove the .pyup.yml as I don't want setup.cfg to have it's dependencies updated / pinned.

What's my best way forward? This has also stopped any PRs being made. So I am sure my .yml is at fault here.

Said .pyup.yml: https://github.com/pypa/bandersnatch/blob/master/.pyup.yml Original yml - Before any PRs:

search: False
update: all

requirements:
  - requirements_docs.txt:
    update: all
    pin: True
  - requirements_test.txt:
    update: all
    pin: True
  - requirements.txt:
    update: all
    pin: True

assignees:
  - cooper

Screen Shot 2019-06-18 at 6 11 50 AM

The commit messages generated by pyup do not match the commit message requirements for one of my projects. Please add an option to specify the commit message. e.g.

# Configure the commit message template
# default: "Update ${packagename} from ${old_version} to ${new_version}"
# allowed variables: packagename, old_version, new_version
commit_message_template: "Requirements: Push ${packagename} to ${new_version}"

enhancement

I've been attempting to run the pyup bot myself, because I have a repo that I'm not comfortable giving the pyup.io service write access to. I was surprised to find that instead of creating an initial PR, it created an Issue (eg: https://github.com/testbhearsum/balrog2/issues/33) claiming everything was up to date already.

If I use the service, I get a PR like https://github.com/testbhearsum/balrog/pull/3 instead.

I did some digging and it appears that the multi-line format of my requirements files is causing some issues. After https://github.com/pyupio/pyup/blob/ad58c9bd3706065e21513b9bc41222b1488c6246/pyup/requirements.py#L188 is run, "parseable_line" ends up being something like: "asynctest==0.10.0 asynctest==0.10.0" -- which clearly is not correct.

I'm pretty sure my requirements files are OK, as pip parses them fine.

Trying to sync my repos I'm getting an alert: "An unknown error occurred. Please contact support at [email protected]."

Looking in the console, I'm getting a 500 response from https://pyup.io/account/repos/fetch-repos/ sure enough if I go to that url I get 500 too.

I got this the other day, I think it was intermittent then but seems to be constant now.

Hi @jayfk! We spoke via email a while ago about allowing for customizable commit messages; this PR is meant to implement that feature.

This commit allows for commit messages to be modified in .pyup.yml. The documentation will need to be updated with something like the following blob:

# configure commit messages for pinned dependencies
# default: "Pin {name} to latest version {new_version}"
# allowed: any string containing format strings {name}, {old_version}, and/or {new_version}
commit_msg_pin: "Pin {name} to latest version {new_version}"

# configure commit messages for un-pinned dependencies
# default: "Update {name} from {old_version} to {new_version}"
# allowed: any string containing format strings {name}, {old_version}, and/or {new_version}
commit_msg_update: "Update {name} from {old_version} to {new_version}"

I did not see any method of updating the docs from this code-base (did I miss something in docs/?), but would be happy to do that update if you could point me in the right direction.

Hello. I've noticed that the pyup-bot embeds a dependency's changelog in pull requests. For example, this version pinning PR of Django Rest Framework for the patchwork project. Because DRF's changelog references issues/PRs, your version pinning PR in turn creates a ton of cross-repository issue references. For example, you can see https://github.com/encode/django-rest-framework/pull/3288 which currently has 5 issue references from 5 separate pyup-bot PRs.

This isn't a huge problem yet since usage seems to be limited, but this will scale poorly at even tens or even hundreds of projects. A few possible fixes:

don't embed the changelog (after all, the PR already includes a link to the actual changelog).
wrap the embedded changelog in triple back ticks so GitHub doesn't create the issue references.
wrap the embedded hyperlinks and issue numbers in backticks (this seems like it would be error-prone).

Hi

In this PR: mozilla/treeherder#3784

The changelog section contains this URL: https://django-filter.readthedocs.io/en/master/guide/migration.htmlmigrating-to-2-0

Whereas the actual URL in the original changelog is: https://django-filter.readthedocs.io/en/master/guide/migration.html#migrating-to-2-0

I'm presuming the # was removed by the process that sanitizes the GitHub issue numbers (ie converts #123 to 123).

Please could the regex be tightened up, to avoid false positives?

bug

We're using Django, and they've updated to 2.0, but there is LTS for 1.11 until April 2020. We plan on using that (our libraries are not all up). Is there a way to specify that we want updates less than x.x - expiring on some date? If not, I request that feature.

new feature

Hello there,

I'm not sure it is the right place to ask any question. I hope it is...

I have a problem with this repository: https://pyup.io/account/repos/github/DEKHTIARJonathan/keras-datasets/

I have a massive Error - Unknown error and no idea what could have cause this ... I have tried to change a few things but nothing seems to have an effect ...

Thanks for the help buddies !

Best Regards,

Jonathan

Multiple packages providers prefer to define requires_python: ">=3.7" instead of individual Programming Language :: Python classifiers for each new version supported.

For example: https://github.com/pallets/werkzeug/pull/2528

pyup should detect this field when provided on pypy (eg: https://pypi.org/pypi/werkzeug/json) to avoid flagging packages as not supporting Python 3, when they are in fact strictly requesting it.

This would resolve similar problems identified in #202, #269

After installing pyup via pip and trying it out, I keep getting this AssertionError which is confusing as isinstance(base_url, str) shouldn't return None in this case. Does anybody know why it comes to that and/or how to fix this? Both the repo String and the user-token String are valid, I double checked that already.

Thanks in advance guys

pyup --repo=oliverweinm/MCBDD2022 --user-token=<REDACTED_HERE> --initial Traceback (most recent call last): File "/usr/local/bin/pyup", line 8, in sys.exit(main()) File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1130, in call return self.main(*args, **kwargs) File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1055, in main rv = self.invoke(ctx) File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke return ctx.invoke(self.callback, **ctx.params) File "/usr/local/lib/python3.9/site-packages/click/core.py", line 760, in invoke return __callback(*args, **kwargs) File "/usr/local/lib/python3.9/site-packages/pyup/cli.py", line 50, in main bot.update(branch=branch, initial=initial) File "/usr/local/lib/python3.9/site-packages/pyup/bot.py", line 121, in update self.configure(**kwargs) File "/usr/local/lib/python3.9/site-packages/pyup/bot.py", line 106, in configure repo=self.user_repo, File "/usr/local/lib/python3.9/site-packages/pyup/bot.py", line 38, in user_repo self._user_repo = self.provider.get_repo(token=self.user_token, name=self.repo_name) File "/usr/local/lib/python3.9/site-packages/pyup/providers/github.py", line 40, in get_repo return self._api(token).get_repo(name) File "/usr/local/lib/python3.9/site-packages/pyup/providers/github.py", line 32, in _api self.__api = Github(self.__token, base_url=self.url, timeout=50, verify=verify) File "/usr/local/lib/python3.9/site-packages/github/MainClass.py", line 123, in init assert isinstance(base_url, str), base_url AssertionError: None

bug

Recent reports seem to indicate false positive related to celery. https://pyup.io/repos/github/crim-ca/weaver/commits/?page=1#0d9d2e845c11a48a39cab0a73962ce87dae6428f

| Package | Installed | Affected | Info |
|---------|--------------|----------|-----------------------------------------------------------------------------------------------------------| | celery | 3.1.26.post2 | <5.2.0 | Celery 5.2.0 updates 'kombu' to v5.2.1, which includes dependencies updates that resolve security issues. |

I actually have version 4.4.2 pinned (as shown below) for quite a long time.

https://github.com/crim-ca/weaver/commit/4370852a5b27d3bfafd96f9e3df580f3c6d3da54 celery[mongodb]==4.4.2; sys_platform != "win32"

I only started getting issues last week (due to 5.2.x release), but it seems broken because my builds are not even able to find those versions on pypi. Anyway, the "installed" version is completely wrong, so something bad must be happening. Because I'm not even on the same major version, it is really hard for me to know if this is an actual security issue or just a detection problem on pyup side.

Currently there is no way to enable the integration flag which the providers uses to filter out some actions.

It is possible to run the bot using an oauth app e.g. via github actions, however it will fail due to having no access to endpoints such as /user/emails.

With this PR supplying the --integration will enable restricted tokens to function as expected.

Fixed #411

Currently you cannot execute the bot using a signed token from a GitHub app such as within GitHub actions due to the API calls which are gated by the integration flag.

Run pyup --provider=github --provider_url=https://api.github.com --repo=${GITHUB_REPOSITORY} --user-token=***
Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.9.5/x64/bin/pyup", line 8, in <module>
    sys.exit(main())
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/pyup/cli.py", line 50, in main
    bot.update(branch=branch, initial=initial)
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/pyup/bot.py", line 123, in update
    self.apply_updates(
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/pyup/bot.py", line 173, in apply_updates
    (pr for pr in self.pull_requests if
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/pyup/bot.py", line 62, in pull_requests
    self.req_bundle.pull_requests = [
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/pyup/bot.py", line 62, in <listcomp>
    self.req_bundle.pull_requests = [
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/pyup/providers/github.py", line 293, in iter_issues
    extra_kwargs["creator"] = creator.login
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/github/AuthenticatedUser.py", line 232, in login
    self._completeIfNotSet(self._login)
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/github/GithubObject.py", line 299, in _completeIfNotSet
    self._completeIfNeeded()
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/github/GithubObject.py", line 303, in _completeIfNeeded
    self.__complete()
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/github/GithubObject.py", line 310, in __complete
    headers, data = self._requester.requestJsonAndCheck("GET", self._url.value)
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/github/Requester.py", line 317, in requestJsonAndCheck
    return self.__check(
  File "/opt/hostedtoolcache/Python/3.9.5/x64/lib/python3.9/site-packages/github/Requester.py", line 342, in __check
    raise self.__createException(status, responseHeaders, output)
github.GithubException.GithubException: 403 {"message": "Resource not accessible by integration", "documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"}