feat: relax dependencies in pyproject.toml and add a requirements.txt #2669
Conversation
|
@microsoft-github-policy-service agree [company="Preset Inc."] |
|
@mistercrunch the command you issued was incorrect. Please try again. Examples are: and |
| @@ -0,0 +1,8 @@ | |||
| # This file was autogenerated by uv via the following command: | |||
| # uv pip compile pyproject.toml -o requirements.txt | |||
| greenlet==3.1.1 | |||
There was a problem hiding this comment.
What I'm worried about here is that when e.g. greenlet 3.1.2 comes out, which includes e.g. a breaking change or a bug for some reason, our CI would still run with 3.1.1 and not install the bad version.
Why is the requirements.txt file needed at all in this case? To provide reproducible builds?
There was a problem hiding this comment.
our CI would still run with 3.1.1
Right, this is currently the case. But now you can enable @dependabot, who will auto-submit PRs periodically as new versions of dependencies come out. Those PRs will run your CI, so you can confirm that bumping is safe.
To provide reproducible builds?
Yes, so you get reproducible builds, and you let people who use your library choose their version within the specified range in pyproject.toml . Say in our case for Apache Superset, we have multiple other dependencies that rely on greenlet, each one specifying a know version range.
About the topic of maintaining the range, clearly you'll be running-CI only against what's in the pinned file. If/when people report something like "playwright doesn't work on top of greenlet>=5.0.0", as a maintainer you typically want to go and edit the known working range in pyproject.toml. Meaning we'd change the rule to greenlet>=3.1.1,<5.0.0 then, and dependabot would respect that rule, only submitting PRs to bump within the specified range.
| @@ -13,8 +13,8 @@ license = {text = "Apache-2.0"} | |||
| dynamic = ["version"] | |||
| requires-python = ">=3.9" | |||
| dependencies = [ | |||
| "greenlet==3.1.1", | |||
| "pyee==12.1.1", | |||
| "pyee>=12.1.1", | |||
There was a problem hiding this comment.
Make sure to relax the version in the meta.yaml as well for our conda customers.
There was a problem hiding this comment.
mmmmh yeah it's not great for this to not be DRY. I'm not familiar enough with conda to know the best practices on that side of the fence. Here's a related GPT thread discussing the different options/pros/cons -> https://chatgpt.com/share/67476ce2-0288-8010-bc05-e20ff72d15c0
There was a problem hiding this comment.
I don't like the fact conda doesn't seem to be compatible with dependabot. Is it a requirement to support conda? Seems it's fading https://theregister.com/2024/08/08/anaconda_puts_the_squeeze_on/
Related to this: #2666
uvas it seems it's what the cool kids are using nowadays.github/workflows/and modified so that it would install the pinned filesNOTE:
local-requirements.txtfile and addeduvto it, though I'd recommend moving tooptional-dependenciesin pyproject.toml, maybe as unpinned there, and generate a requirements-dev.txt or similar from there. Though not super important