MAINT: Bump conda-lock from 2.5.7 to 3.0.1

[dependabot]

Bumps conda-lock from 2.5.7 to 3.0.1.

Release notes

Sourced from conda-lock's releases.

v3.0.1

What's Changed

This release fixes two longstanding issues with the stripping of authentication credentials:

• ✅ --strip-auth used to disable --check-input-hash for no good reason
• ✅ private PyPI repositories running on a non-standard port would have the port stripped from the URL along with credentials

There is only one known regression in v3, and it only affects --check-input-hash. The fix is still in progress in #797.

• ❌ clean lockfiles created by v2 are mistaken as dirty in v3 with --check-input-hash.

Bugfixes

• Make --check-input-hash work when conda-lock lock --strip-auth --check-input-hash ... is used by @​peterbygrave in conda/conda-lock#792
• Don't also strip port when stripping credentials from a URL by @​maresb and @​eflebus in conda/conda-lock#800

Maintenance

• Add type annotations for content_hash computation by @​maresb in conda/conda-lock#799

Full Changelog: conda/conda-lock@v3.0.0...v3.0.1

v3.0.0

What's Changed

Conda-lock v3 introduces support for mamba / micromamba v2, and includes several important bugfixes.

Only mamba / micromamba versions =2.0.7 are supported. (2.0.0–2.0.6 are incompatible.) To see which executable conda-lock is detecting, you can add the argument --log-level=DEBUG.

The only intended breaking change is to require at least Python 3.9 (previously 3.8). There are several major underlying changes to be aware of:

• The PyPI solver has been updated to Poetry v2.0.1. (conda/conda-lock#637, conda/conda-lock#678, conda/conda-lock#685, conda/conda-lock#769)
• Lockfiles now support dependencies with multiple categories. (conda/conda-lock#697)

pixi

Pixi is an innovative new tool for Conda projects that includes lockfile support. While the project-centric philosophy of pixi is different from the environment-centric approach of conda-lock, in many cases it offers a compelling alternative to conda-lock. For a discussion of conda-lock vs pixi, see conda/conda-lock#615.

Conda-lock v3 includes a new render-lock-spec subcommand capable of exporting conda-lock lock specifications (including ordinary pyproject.toml files) to pixi.toml configurations. See the pixi migration guide for more information.

Detailed changelog

New features

• Support Multiple Categories for Sub-Dependencies in Lockfile (Rebase #390) by @​srilman in conda/conda-lock#697
• Sort BaseLockedDependency.dependencies when alpha-sorting a Lockfile by @​peterbygrave in conda/conda-lock#654
• Add support for PEP 508 environment markers by @​maresb in conda/conda-lock#684
• Improve loading of PyPI mapping by @​maresb in conda/conda-lock#690
• Add render-lock-spec subcommand for exporting lock specification to pixi.toml by @​maresb in conda/conda-lock#664

... (truncated)

Commits

• dfdf3af Merge pull request #800 from maresb/fix-url-stripping
• 688cae1 Fix credential stripping in the test
• 1ebbccd Fix credential stripping with port
• faff1e4 Test private repos on non-default port
• 2899ece Add doctest for _get_stripped_url
• a4549a2 Rename _get_url to _get_stripped_url
• 6bf8aae Merge pull request #792 from peterbygrave/patch-1
• f5323e7 Merge pull request #799 from maresb/content-hash-type-hints
• b3ec4cc Remove unused imports
• ba6a1fb Make virtual_package_repo argument explicit in confusing test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Reviewers

The following teams could not be added as reviewers: core-devs. Either the team does not exist or it does not have the correct permissions to be added as a reviewer.

Labels

The following labels could not be found: 03 - Maintenance, Build / CI, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

The reviewers field in the dependabot.yml file will be removed soon. Please use the code owners file to specify reviewers for Dependabot PRs. For more information, see this blog post.

[dependabot]

Superseded by #30.