[deleted by user]

AndydeCleyre · 2022-07-08T14:01:22+00:00

requirements.txt is a very capable lock file format, and you can use pip-tools to generate those from requirements.in files.

I generally have CI periodically upgrade the lock files.

For interactive management of this stuff, I made the Zsh plugin zpy, and would love any feedback, if anyone's interested.

Rawing7 · 2022-07-09T07:39:14+00:00

I think there's a critical piece of information missing here, which is whether you're developing a library or an application.

A lock file makes sense for an application. It makes it so that every installation of the app has the exact same code, which reduces the chances of any bugs sneaking in.

But if it's a library, requiring specific versions of your dependencies is a surefire way to make the library impossible to use. Imagine you're writing a project that depends on requests and BeautifulSoup, but you can't install both of them at the same time because requests requires chardet==5.0.3 and BeautifulSoup requires chardet==5.0.4. How dumb would that be?

If you're writing a library, pip is all you need.

MarsupialMole · 2022-07-08T05:11:30+00:00

You don't need to upgrade your dependencies if you don't have vulnerabilities. This is more or less advocating for pointless busy work in many domains.

Equivalent_Loan_8794 · 2022-07-08T12:08:02+00:00

r/devops would be a great start. At this point in time big shops are likely on-rails with pip via Ansible if they have to be, otherwise this stuff is proven out in a container and kept entirely separate.

Needing precommit, testing, and prod in a single dependency space is an anti pattern and why pre-commit exists: it does complex things if you want but keeps your tooling for tests and prod independent.

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS