Bound versions and start using Dependabot

Vicentini Filippo requested to merge PhilipVinc/Dependabot into master

Created by: PhilipVinc

What this will do is that we block versions for packages in the following ways:

  • For stable projects such as numpy, scipy, networkx, orjson and tqdm we trust them not to break stuff and allow their current major version (e.g. 1.20.3 for numpy), and we will accept any version before 2.0.
  • For stable pre-1.0 projects such as numba, which is at version 0.53.2, we trust them not to break anything in patch releases (e.g. 0.53.4) but we don't accept 0.54.
  • For funky projects like Jax, we don't trust them no more. We only allow the versions we know to work.

This means that every time jax releases a new version, Dependabot will open a PR allowing the new version, CI will run, and if it passes we can merge it. We then need to tag a release, otherwise people cannot use new jax with netket. (I mean, they can if they install it manually after installing netket, but they won't be automatically installed together.)

I don't know if this is exactly what we want, but jax is breaking tiny stuff on which we rely at every patch release, such as changing the name of some function, moving them around or I don't know what.
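The three tiers described above, written out as an added Python sketch (not code from this merge request) that reports which upstream releases stay blocked until a Dependabot PR widens the bound. The tier names, the use of the tested version as a lower bound, and the version numbers in the "exact" tier are assumptions made for the illustration.

```python
# Added illustration of the three pinning tiers; standard library only.
# Assumed pip-style equivalents: "major" ~ ">=1.20.3,<2.0", "minor" ~ "~=0.53.2",
# "exact" ~ an explicit list of "==" pins. Tier names are hypothetical.

def parse(version):
    """Turn 'X.Y.Z' into a tuple of ints (plain release versions only)."""
    return tuple(int(part) for part in version.split("."))

def allowed(tier, known_good, candidate):
    """Return True if `candidate` installs without a new bound bump.

    tier "major": stable >=1.0 project, anything below the next major.
    tier "minor": stable pre-1.0 project, patch releases of the same minor.
    tier "exact": untrusted project, only versions listed in `known_good`.
    """
    cand = parse(candidate)
    if tier == "exact":
        return cand in {parse(v) for v in known_good}
    base = parse(known_good[0])
    if cand < base:  # assumption: the tested version is the lower bound
        return False
    if tier == "major":
        return cand[0] == base[0]
    if tier == "minor":
        return cand[:2] == base[:2]
    raise ValueError(f"unknown tier: {tier}")

def needs_dependabot_pr(tier, known_good, releases):
    """List the releases that remain blocked until a PR widens the bound."""
    return [r for r in releases if not allowed(tier, known_good, r)]

if __name__ == "__main__":
    # numpy and numba versions are the ones quoted in the description.
    print(needs_dependabot_pr("major", ["1.20.3"], ["1.21.0", "2.0.0"]))
    print(needs_dependabot_pr("minor", ["0.53.2"], ["0.53.4", "0.54"]))
    # Constructed version numbers for the untrusted tier, not real pins.
    print(needs_dependabot_pr("exact", ["0.0.1", "0.0.2"], ["0.0.2", "0.0.3"]))
```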