Add lockfile for Dependabot
EricTRL opened this issue · 2 comments
EricTRL commented
Dependabot needs a lockfile in order to auto-create PRs that fix security vulnerabilities in our dependencies. Right now we need to update libraries manually.
Dependabot can't update vulnerable dependencies without a lockfile
The currently installed version can't be determined. To resolve the issue add a supported lockfile (Pipfile.lock, pyproject.lock or poetry.lock).
helaan commented
I recommend Poetry: I've used it in the past and I find it a joy to use compared to venv+pip. If you want, I can create a drive-by PR to migrate to Poetry.
EricTRL commented
That'd be awesome! 👍