Explore dependabot #23

Open
jamie-cunningham opened this issue Oct 31, 2024 · 5 comments
@jamie-cunningham
Collaborator
Look into activating dependabot on this repository for code security and automatic dependency management

@jamie-cunningham
Collaborator Author

Early looks show some conflicts with dependabot and poetry. It appears dependabot has confirmed support for PEP 621, while poetry is waiting until its v2.0.0 release to support the updated PEP standard.

@jamie-cunningham
Collaborator Author

Note the main branch on the poetry repo does list the version as 2.0.0.dev0 and includes a commit with PEP 621 support so there may be a path if we want to use a potentially unstable poetry version. This seems not worth it at the moment?

@jamie-cunningham
Collaborator Author

It could also be the case that with the latest PEP updates poetry is no longer the best toolchain?

@jamie-cunningham
Collaborator Author

I've just learned about uv, a Python project manager designed by the creators of Ruff. At the risk of jumping on the shiniest bandwagon, this may be a good option to explore if it is PEP 621 compliant and provides the features we want.

@keatincf I'd be curious if you have an opinion on this.

@keatincf
Collaborator

keatincf commented Nov 1, 2024

I played around with uv on a related project. It's pretty nice, but I did run into an issue with dependency checks not working quite the same between uv and poetry. I don't remember what dependency was specifically causing an issue, but something about how it was being defined ended up causing the dependency compatibility check to fail when using uv, but not with poetry.

That being said, having this project use uv shouldn't introduce issues for projects that depend on this project. I would probably switch to uv in a separate issue. We'd need to get folks up to speed on uv and its usage before switching over, as well as figuring out a good development environment setup.

@jamie-cunningham jamie-cunningham self-assigned this Nov 1, 2024