Status

State: Completed
Discussion Thread: AIP-9 Automated Dependency Management
JIRA
Created: 2019-01-12
In Release: 2.0.0

Motivation

Airflow has a large number of dependencies, and this won't decrease. I think there are many dependencies that can probably be updated without breaking our code.
But how do we know which of them can be updated and which can't? At the moment we do it manually by creating a PR, but wouldn't it be better if we could automate this?
That way we can be sure that each dependency is always at the latest version that works for us.
Not only that, it can also improve Airflow's security by showing current vulnerabilities of these dependencies.

Considerations

There are free tools for open source projects that automate this, such as PyUp or Dependabot.

They just need to be added to, or granted access to, an open source project, and then you are good to go.
The tool will then automatically create a PR when there are updates to a specific dependency.