Dependabot can't update vulnerable dependencies without a lockfile
Closed this issue · 1 comments
vjpixel commented
Describe the bug
Dependabot can't update vulnerable dependencies without a lockfile. The currently installed version can't be determined. To resolve the issue add a supported lockfile (Pipfile.lock, pyproject.lock or poetry.lock).
It has been blocking Dependabot from updating pillow for the last 20 days and will block other updates in the future.
pablodiegoss commented
Poetry would be a nice addition for Jandig, this way we can create a poetry.lock and manage dependency upgrades and versions much better than now! 👍🏽