memeLab/Jandig

Dependabot can't update vulnerable dependencies without a lockfile

Closed this issue · 1 comment

Describe the bug
Dependabot can't update vulnerable dependencies without a lockfile. The currently installed version can't be determined. To resolve the issue add a supported lockfile (Pipfile.lock, pyproject.lock or poetry.lock).

It has been blocking Dependabot from updating pillow for the last 20 days and will block other updates in the future.

Poetry would be a nice addition for Jandig; this way we can create a poetry.lock and manage dependency upgrades and versions much better than now! 👍🏽
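A local pre-check for the condition the Dependabot message above describes, added here as an example; it is not part of the issue, Jandig's code, or Dependabot's own logic, which it only approximates. It assumes a `requirements.txt` manifest (the issue does not name one), and the sample dependency list is constructed.

```python
import re
from pathlib import Path

# Lockfile names as listed in the Dependabot message quoted in the issue.
SUPPORTED_LOCKFILES = ("Pipfile.lock", "pyproject.lock", "poetry.lock")
MANIFEST = "requirements.txt"  # assumption: the issue does not name the manifest
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
EXACT_PIN_RE = re.compile(r"===?\s*[^,*\s]+")  # one '==' clause, no wildcard

# Constructed sample manifest (not Jandig's real dependency list).
SAMPLE_REQUIREMENTS = """\
# constructed example
Django==2.2.10
pillow>=6.0
gunicorn
requests[security]==2.22.0 ; python_version >= "3.6"
-r base.txt
"""


def find_lockfiles(repo):
    """Names of supported lockfiles present at the repository root."""
    return [name for name in SUPPORTED_LOCKFILES if (Path(repo) / name).is_file()]


def unpinned_requirements(text):
    """Packages whose installed version cannot be read from the manifest alone."""
    loose = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blanks, comments, pip options
            continue
        spec = line.split(";", 1)[0].strip()  # drop environment markers
        name = NAME_RE.match(spec)
        if not name:
            continue
        rest = re.sub(r"^\[[^\]]*\]", "", spec[name.end():].strip()).strip()
        if not EXACT_PIN_RE.fullmatch(rest):
            loose.append(name.group(0))
    return loose


def audit(repo):
    """Summarise whether an updater could determine installed versions."""
    locks = find_lockfiles(repo)
    manifest = Path(repo) / MANIFEST
    loose = unpinned_requirements(manifest.read_text()) if manifest.is_file() else []
    return {"lockfiles": locks, "unpinned": loose,
            "needs_lockfile": not locks and bool(loose)}
```

Running `audit(".")` at a repository root in CI and failing the job when `needs_lockfile` is true catches the gap before a security update stalls on it.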