Dependabot PR - NASA-PDS/nasa-pds.github.io GitHub Wiki

First off, rely on automated tests to validate that the software still works as expected.

Python dependency upgrades

Question: What should be done with a Dependabot PR on a Python repository that proposes to replace a dependency specification, for example `xxxx~=1.2.3`, with `xxxx>=0.13.3,<0.16.0`:

  • Should I skip it?
  • Should I try a specification using `~=` that matches Dependabot's proposal?
  • Or should I just blindly accept the Dependabot PR?

Response from one of our best Python experts:

In general I prefer the pessimistic dependency operator ~=, and so would try to find one that fits within Dependabot's recommendation.

For example, if my package depends on xxxx~=1.2.3, then if pip install upgrades to 1.2.5 or 1.2.11 or 1.2.26, no problem! The 1.2 is the important part.

But then later if Dependabot says it should be xxxx>=0.13.3,<0.16.0, then there must be a problem (a security vulnerability or worse) with 1.2. In that case, I'd first figure out if 0.13.3 (or 0.14.x or 0.15.x) is compatible, and then replace Dependabot's recommendation with xxxx~=1.13.0 (or xxxx~=1.14.0 or xxxx~=1.15.0).
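The check the response describes, picking a `~=` pin whose whole window lies inside the range Dependabot proposes, can be automated. The following is an added example written for this page; it is not code from NASA-PDS, Dependabot or the expert quoted above. It implements PEP 440 compatible-release semantics for plain release versions only (no pre/post/dev suffixes or wildcards), which is enough for the `xxxx~=1.2.3` versus `xxxx>=0.13.3,<0.16.0` case, and the candidate pins it tests against that range are chosen for illustration.

```python
"""Decide whether a ~= (compatible release) pin fits inside a Dependabot range.

Added example for the wiki page, not NASA-PDS or Dependabot code.
Only plain release versions (e.g. 1.2.3) are supported; the PEP 440
rule used is: ~=X.Y.Z  ==  >=X.Y.Z, ==X.Y.*  i.e. the window [X.Y.Z, X.(Y+1)).
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# An interval is (lo, lo_inclusive, hi, hi_inclusive); None means unbounded.
Interval = Tuple[Optional[Version], bool, Optional[Version], bool]

OPS = ("~=", "==", ">=", "<=", ">", "<")  # two-char operators must come first


def _split(text: str) -> Version:
    return tuple(int(p) for p in text.strip().split("."))


def _norm(parts: Version) -> Version:
    """Drop trailing zeros so that 1.2 == 1.2.0 under tuple comparison."""
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_version(text: str) -> Version:
    return _norm(_split(text))


def compatible_release(spec: str) -> Interval:
    """~=X.Y.Z -> [X.Y.Z, X.(Y+1)); the last component is dropped, the previous bumped."""
    raw = _split(spec)
    if len(raw) < 2:
        raise ValueError(f"~={spec}: compatible release needs at least two components")
    upper = raw[:-2] + (raw[-2] + 1,)
    return _norm(raw), True, _norm(upper), False


def parse_specifier(spec: str) -> Interval:
    """Intersect all comma-separated clauses of a specifier into one interval."""
    lo, lo_inc, hi, hi_inc = None, True, None, True
    for clause in spec.split(","):
        clause = clause.strip()
        op = next((o for o in OPS if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        arg = clause[len(op):]
        if op == "~=":
            c_lo, c_lo_inc, c_hi, c_hi_inc = compatible_release(arg)
        elif op == "==":
            v = parse_version(arg)
            c_lo, c_lo_inc, c_hi, c_hi_inc = v, True, v, True
        elif op in (">=", ">"):
            c_lo, c_lo_inc, c_hi, c_hi_inc = parse_version(arg), op == ">=", None, True
        else:  # "<=" or "<"
            c_lo, c_lo_inc, c_hi, c_hi_inc = None, True, parse_version(arg), op == "<="
        # Tighten the lower bound: a larger bound wins; on a tie, exclusive wins.
        if c_lo is not None and (lo is None or c_lo > lo or (c_lo == lo and not c_lo_inc)):
            lo, lo_inc = c_lo, c_lo_inc
        # Tighten the upper bound the same way.
        if c_hi is not None and (hi is None or c_hi < hi or (c_hi == hi and not c_hi_inc)):
            hi, hi_inc = c_hi, c_hi_inc
    return lo, lo_inc, hi, hi_inc


def contains(interval: Interval, version: str) -> bool:
    """True if the given version satisfies the interval."""
    v = parse_version(version)
    lo, lo_inc, hi, hi_inc = interval
    above = lo is None or v > lo or (v == lo and lo_inc)
    below = hi is None or v < hi or (v == hi and hi_inc)
    return above and below


def is_subset(inner: Interval, outer: Interval) -> bool:
    """True when every version allowed by inner is also allowed by outer."""
    ilo, ilo_inc, ihi, ihi_inc = inner
    olo, olo_inc, ohi, ohi_inc = outer
    if olo is not None:
        if ilo is None or ilo < olo or (ilo == olo and ilo_inc and not olo_inc):
            return False
    if ohi is not None:
        if ihi is None or ihi > ohi or (ihi == ohi and ihi_inc and not ohi_inc):
            return False
    return True


def pins_within(dependabot_range: str, candidate_pins: List[str]) -> Dict[str, bool]:
    """For each candidate ~= pin, report whether its whole window lies in the range."""
    outer = parse_specifier(dependabot_range)
    return {pin: is_subset(parse_specifier(pin), outer) for pin in candidate_pins}


if __name__ == "__main__":
    # Constructed inputs: the specifiers discussed on the page plus candidate pins.
    old_pin = parse_specifier("~=1.2.3")
    for v in ("1.2.5", "1.2.26", "1.3.0", "1.2.2"):
        print(f"~=1.2.3 allows {v}: {contains(old_pin, v)}")
    print(pins_within(">=0.13.3,<0.16.0", ["~=0.13.3", "~=0.14.0", "~=0.15.0", "~=1.2.3"]))
```

A pin that passes `is_subset` can never resolve to a version outside what Dependabot asked for, so the repository keeps the `~=` style while still excluding the range the bot flagged; a pin that fails (here the original `~=1.2.3`) is the one that needs replacing.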