✨ Refactor requirements.txt and remove security vulnerabilities (#255)

* Requirements.txt changes Signed-off-by: JonahSussman <sussmanjonah@gmail.com> * Updated workflow to compile requirements.txt Signed-off-by: JonahSussman <sussmanjonah@gmail.com> --------- Signed-off-by: JonahSussman <sussmanjonah@gmail.com>
konveyor · Aug 2, 2024 · 115939c · 115939c
1 parent 1a24df6
commit 115939c
Show file tree

Hide file tree

Showing 3 changed files with 527 additions and 155 deletions.
diff --git a/.github/workflows/test-code-on-pr.yml b/.github/workflows/test-code-on-pr.yml
@@ -12,8 +12,6 @@ jobs:
         # os: [ubuntu-latest, windows-latest, macos-latest]
         os: [ubuntu-latest, macos-latest]
 
-        # TODO: After merging #255, we should probably change it so we use
-        # `requirements.in` over `requirements.txt`.
         python-version: ["3.12"]
 
         # Github actions only supports x64 architecture for now, arm64 is in a
@@ -34,12 +32,11 @@ jobs:
           python-version: ${{ matrix.python-version }}
           architecture: ${{ matrix.architecture }}
           cache: pip
-          # After merging #225, use this as the cache instead. The cache merely
-          # uses a hash of a specified file to determine if it needs to update
-          # cache-dependency-path: requirements.in
+          cache-dependency-path: requirements.in
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip setuptools wheel coverage
+          python -m pip install --upgrade pip setuptools wheel pip-tools
+          pip-compile --allow-unsafe
           pip install -r requirements.txt
       - name: Set up prerequisites
         run: |

diff --git a/requirements.in b/requirements.in
@@ -0,0 +1,51 @@
+# To generate a new requirements.txt:
+#   $ pip install pip-tools
+#   $ pip-compile --allow-unsafe
+
+# To view requirements.txt's dependencies in a tree format:
+#   $ pip install pipdeptree
+#   $ pipdeptree > deps.txt
+# (optional if you have yq installed)
+#   $ pipdeptree --json-tree | yq -P > deps.yaml
+
+# --- Main dependencies ---
+
+aiohttp==3.8.6; python_version < '3.12'
+aiohttp==3.9.3; python_version >= '3.12'
+gitpython==3.1.43
+pydantic==2.8.2
+pydantic-settings==2.3.4
+requests==2.32.3
+pygments==2.18.0
+python-dateutil==2.8.2
+sqlalchemy==2.0.22
+psycopg2-binary==2.9.9
+ibm-generative-ai==2.2.0
+Jinja2==3.1.4
+langchain==0.2.11
+langchain-community==0.2.10
+langchain-openai==0.1.17
+langchain-experimental==0.0.63
+gunicorn==22.0.0
+tree-sitter==0.22.3
+# Fabian's fork has changes that fix some async issues in the real vcrpy that
+# are yet to be accepted
+vcrpy @ git+https://github.com/fabianvf/vcrpy.git@httpx-async-threadpool
+python-dotenv==1.0.1
+pyyaml==6.0.1
+
+# --- Testing dependencies ---
+coverage==7.6.0
+
+# --- For notebook development ---
+jupyter==1.0.0
+jupyterlab-quarto==0.3.5
+nbdev==2.3.13
+
+# --- Possibly can be removed ---
+async-timeout==4.0.3
+asgiref==3.7.2
+click==8.1.7  # For potential CLI stuff
+typer==0.9.0  # For potential CLI stuff
+loguru==0.7.2  # For potential logging improvements
+unidiff==0.7.5