This repository has been archived by the owner on Feb 22, 2023. It is now read-only.

Bump sentry-sdk from 1.6.0 to 1.9.0 #825

Merged
merged 3 commits into from
Jul 29, 2022

Conversation

@krysal krysal commented Jul 27, 2022

Description

It's curious that dependabot hasn't updated this before. I followed the instructions in pypa/pipenv#2665 (comment) suggested by @sarayourfriend.

Checklist

  • My pull request has a descriptive title (not a vague title like Update index.md).
  • My pull request targets the default branch of the repository (main) or a parent feature branch.
  • My commit messages follow best practices.
  • My code follows the established code style of the repository.
  • I added or updated tests for the changes I made (if applicable).
  • I added or updated documentation (if applicable).
  • I tried running the project locally and verified that there are no visible errors.

Developer Certificate of Origin

Developer Certificate of Origin
Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.


Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

@krysal krysal requested a review from a team as a code owner July 27, 2022 21:43
@krysal krysal requested review from dhruvkb and sarayourfriend July 27, 2022 21:43
@krysal krysal added 🟩 priority: low Low priority and doesn't need to be rushed 🤖 aspect: dx Concerns developers' experience with the codebase 🧰 goal: internal improvement Improvement that benefits maintainers, not users labels Jul 27, 2022
@obulat obulat (Contributor) left a comment

Isn't * supposed to mean the latest version? Why is it using 1.6.0 when 1.8.0 is available?🤔
Pressed approve accidentally...

@obulat obulat (Contributor) left a comment

There's a problem with hashes in CI:

#15 86.98 [pipenv.exceptions.InstallError]:   Using cached sentry_sdk-1.8.0-py2.py3-none-any.whl (153 kB)
#15 86.98 [pipenv.exceptions.InstallError]: ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
#15 86.98 [pipenv.exceptions.InstallError]:     sentry-sdk==1.8.0 from https://files.pythonhosted.org/packages/32/63/f3e04e5d34fc110aa1ff323c8936c922a4a2d9ac988391b60410c3fc17f2/sentry_sdk-1.8.0-py2.py3-none-any.whl#sha256=5daae00f91dd72d9bb1a65307221fe291417a7b9c30527de3a6f0d9be4ddf08d (from -r /tmp/pipenv-dg6ymxx4-requirements/pipenv-uypevpgz-requirement.txt (line 1)):

@sarayourfriend sarayourfriend (Contributor) left a comment

To fix the error Olga found, I think we should follow the steps in this comment: pypa/pipenv#2665 (comment)

api/Pipfile (review thread, outdated and resolved)
github-actions bot commented Jul 28, 2022

API Developer Docs Preview: Ready

https://wordpress.github.io/openverse-api/_preview/825

Please note that GitHub Pages takes a little time to deploy newly pushed code; if the links above don't work or you see old versions, wait 5 minutes and try again.

You can check the GitHub pages deployment action list to see the current status of the deployments.

@krysal krysal changed the title Bump sentry-sdk from 1.6.0 to 1.8.0 Bump sentry-sdk from 1.6.0 to 1.9.0 Jul 28, 2022
krysal (Member, Author) commented Jul 28, 2022

Isn't * supposed to mean the latest version? Why is it using 1.6.0 when 1.8.0 is available?🤔

I had precisely the same doubt... 🤷🏻‍♀️ And now v1.9.0 is out. I tried to avoid updating more packages, but it seems impossible if we need to lock the Pipfile. Anyway, the rest of the updates are at most minor changes, so it's not such a drastic change at least.

@krysal krysal requested review from obulat and sarayourfriend July 28, 2022 15:46
@obulat obulat (Contributor) left a comment

LGTM!

@sarayourfriend sarayourfriend (Contributor) left a comment

It seems that all dependencies got updated, not just sentry-sdk. This is how Pipenv does things by default and it takes extra effort to prevent it from doing so.

Do we care? Do we want to be more precise? We could copy the Pipfile updates for sentry-sdk entry only, but we'd miss transient dependencies that updated as well in that case 😞

@sarayourfriend sarayourfriend (Contributor) commented

Requesting changes just to make sure we're confident in the changes we're making in this PR. If we are, feel free to dismiss and request a re-review with details of the plan here.

krysal (Member, Author) commented Jul 28, 2022

There doesn't seem to be any way to prevent it: when I ran pipenv lock, all the other dependencies were updated as well, so --selective-upgrade is meaningless.

We could copy the Pipfile updates for sentry-sdk entry only

I believe that will still leave the Pipfile.lock file in an "out of date" or inconsistent state, maybe? Because it uses a hash to verify that the dependencies are aligned, I believe.
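As an added illustration that is not part of this PR or of the Openverse code base, the following Python models the two checks this thread runs into: pip refusing an artifact whose sha256 is not among the hashes pinned for that requirement (the "THESE PACKAGES DO NOT MATCH THE HASHES" error from CI above), and pipenv comparing a hash of the Pipfile with _meta.hash in Pipfile.lock to notice that the lock is out of date. All artifact bytes, Pipfile contents and hashes in it are constructed, and the Pipfile hash check is simplified to a hash of the raw file bytes, whereas pipenv hashes a normalised form of the Pipfile's sections.

```python
"""Added example: hash-pinned installs checked against a lock file.

Constructed, simplified stand-in for two checks:
  1. pip refuses an artifact whose sha256 is not among the hashes pinned for
     that requirement ("THESE PACKAGES DO NOT MATCH THE HASHES ...").
  2. pipenv compares a hash of the Pipfile with ``_meta.hash`` in Pipfile.lock
     to notice that the lock is out of date (simplified here to a hash of the
     raw Pipfile bytes; pipenv hashes a normalised JSON form instead).
Every artifact, Pipfile and hash below is constructed for this example.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex sha256 digest, the form that follows the ``sha256:`` prefix in locks."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for wheel contents, keyed by (name, version).
ARTIFACTS = {
    ("sentry-sdk", "1.6.0"): b"constructed: sentry_sdk-1.6.0-py2.py3-none-any.whl",
    ("sentry-sdk", "1.8.0"): b"constructed: sentry_sdk-1.8.0-py2.py3-none-any.whl",
}

# Constructed Pipfile before and after editing the pin by hand.
PIPFILE_OLD = b'[packages]\nsentry-sdk = "==1.6.0"\n'
PIPFILE_NEW = b'[packages]\nsentry-sdk = "==1.8.0"\n'

# Constructed Pipfile.lock generated from PIPFILE_OLD: it pins 1.6.0 and
# records only the hash of that artifact.
PIPFILE_LOCK = {
    "_meta": {"hash": {"sha256": sha256_hex(PIPFILE_OLD)}},
    "default": {
        "sentry-sdk": {
            "version": "==1.6.0",
            "hashes": ["sha256:" + sha256_hex(ARTIFACTS[("sentry-sdk", "1.6.0")])],
        }
    },
}


def lock_matches_pipfile(pipfile: bytes, lock: dict) -> bool:
    """True when the lock was generated from this Pipfile (simplified check)."""
    return lock["_meta"]["hash"]["sha256"] == sha256_hex(pipfile)


def verify_artifact(lock: dict, name: str, version: str, data: bytes) -> dict:
    """Decide whether a fetched artifact may be installed under the lock.

    ``status`` is one of ``ok``, ``not-locked`` or ``hash-mismatch``; the
    other keys carry what an operator needs in a log line to tell a stale
    lock (version drifted) from a tampered or rebuilt artifact (same version,
    different bytes).
    """
    entry = lock.get("default", {}).get(name)
    if entry is None:
        return {"status": "not-locked", "name": name, "version": version}
    pinned = {h.split(":", 1)[1] for h in entry["hashes"] if h.startswith("sha256:")}
    actual = sha256_hex(data)
    locked_version = entry["version"].lstrip("=")
    if actual in pinned:
        return {"status": "ok", "name": name, "version": version, "sha256": actual}
    return {
        "status": "hash-mismatch",
        "name": name,
        "version": version,
        "locked_version": locked_version,
        "stale_lock": version != locked_version,
        "sha256": actual,
        "pinned": sorted(pinned),
    }


if __name__ == "__main__":
    print("lock matches edited Pipfile:", lock_matches_pipfile(PIPFILE_NEW, PIPFILE_LOCK))
    for ver in ("1.6.0", "1.8.0"):
        print(ver, verify_artifact(PIPFILE_LOCK, "sentry-sdk", ver, ARTIFACTS[("sentry-sdk", ver)]))
    # A modified copy of the pinned version also fails, but with stale_lock False.
    tampered = ARTIFACTS[("sentry-sdk", "1.6.0")] + b"\x00"
    print("tampered", verify_artifact(PIPFILE_LOCK, "sentry-sdk", "1.6.0", tampered))
```

Run as a script it shows the situation from CI: editing the Pipfile to 1.8.0 without regenerating the lock makes lock_matches_pipfile return False, and the 1.8.0 artifact is refused because only the 1.6.0 hash is pinned. The same refusal with stale_lock False is the case the pip message warns about, where the pinned version was fetched but its bytes differ.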

@krysal krysal requested a review from sarayourfriend July 28, 2022 19:13
sarayourfriend (Contributor) commented Jul 28, 2022

I'm not sure what selective upgrade is meant to do 🤔

This comment makes me think it is possible to upgrade just a single package following the manual copying flow: pypa/pipenv#2665 (comment)

It's pretty annoying though... but updating all at once is arguably risky? Do other folks feel okay with upgrading all dependencies in one go?

krysal (Member, Author) commented Jul 29, 2022

It is very annoying indeed and seems risky since it needs to be repeated manually for dependencies of the updated package, but given that sentry-sdk is kind of isolated, I tried and it seems to work fine, which is weird but ok?

but updating all at once is arguably risky? Do other folks feel okay with upgrading all dependencies in one go?

It's a bit risky, but it is what we have been doing with dependabot updates all this time anyway 🤷🏻‍♀️ We'll see it again on Monday. We have been relying mostly on tests to catch any possible breaking change until now.

@sarayourfriend sarayourfriend (Contributor) left a comment

Looks good to me this way.

FWIW, I'm not sure how Dependabot does it but it does only update the specific dependencies and not any others. You can see that in this PR: https://github.com/WordPress/openverse-api/pull/794/files

Only boto3 and its dependencies have hashes updated.

krysal (Member, Author) commented Jul 29, 2022

Is faker a dependency of boto3? They're not even in the same block; faker is a dev dependency, and it bumps from 13.14.0 to 13.15.0 there.

You can see this other dependabot PR #739 (files) where it says it updates only pillow but includes elasticsearch, redis, faker again and a bunch of other packages.

@krysal krysal merged commit 9eb73b2 into main Jul 29, 2022
@krysal krysal deleted the bump_sentry branch July 29, 2022 16:11
@sarayourfriend sarayourfriend (Contributor) commented

Wow, so it is. That is really wild. Am I missing something? I don't understand why a dependency management tool would work this way.

Labels
🤖 aspect: dx Concerns developers' experience with the codebase 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🟩 priority: low Low priority and doesn't need to be rushed
3 participants