Replace custom pip freeze script with pip-tools
#207
Conversation
lfdebrux
force-pushed
the
ldeb-use-pip-tools
branch
from
daf2e6c
to
2b1df8a
Compare
lfdebrux
force-pushed
the
ldeb-use-pip-tools
branch
2 times, most recently
from
3914dd1
to
ed476eb
Compare
That's a good question, and I'm not sure of the answer. Looking through the open issues for pip-tools I can't see anything like this. However, I do note that the README for
which is interesting. That said, |
|
One thing to note, I don't know how well PyUp works with pip-tools (this open issue from 2017 seems to suggest not at all). So I think makes more sense to adopt pip-tools and Dependabot together. Alternatively we could do what we were doing before and run |
lfdebrux
force-pushed
the
ldeb-use-pip-tools
branch
from
09bcdf4
to
44d2573
Compare
|
Am I right in thinking we no longer have the test step that forces a re-freeze if the |
That's correct. We could add it using a Make rule that looks at the timestamps of |
|
Please god no not timestamps. |
|
We could write the hash of the last-frozen |
In the past we've avoided using out-of-the-box solutions for Python dependency resolution because a) they haven't been very mature and b) we've had lots of issues with version conflicts. See [[1]], [[2]] for details. Instead, we've been using a custom Python script that under-the-hood runs `pip freeze` and saves the output to `requirements.txt`. This script works well for us, but it doesn't integrate well with other tools. On the other hand [`pip-tools`](https:/jazzband/pip-tools) as of 2020 seems to be well-supported by its maintainers and other tools; for instance, GitHub's automated update service [Dependabot](https://dependabot.com) supports `requirements.in` files. At the same time, we've been better at keeping our dependencies up-to-date and fixing version conflicts, so there is no longer any issue caused by using `pip-tools` to generate our `requirements.txt` file. I think it's time to give `pip-tools` another chance :) This commit replaces our script `dmutils.repoutils.freeze_requirements` with `pip-compile`, and changes our `requirements-app.txt` file to be `requirements.in` to meet `pip-tools` convention. There are also separate `requirements-dev.in` and `requirements-dev.txt` files for dev requirements, following the [layered requirements example in the `pip-tools` README][3]. [1]: https://gds-way.cloudapps.digital/manuals/programming-languages/python/python.html#applications [2]: Crown-Commercial-Service/digitalmarketplace-api@95ac122 [3]: https:/jazzband/pip-tools#workflow-for-layered-requirements
lfdebrux
force-pushed
the
ldeb-use-pip-tools
branch
from
44d2573
to
77d785e
Compare
Is this a feature that lots of people want? @katstevens @benvand what are your thoughts? |
Sounds good to me, but we can introduce it in a separate PR? |
|
Yeah I don't think it's immediately critical. |
In the past we've avoided using out-of-the-box solutions for Python dependency resolution because a) they haven't been very mature and b) we've had lots of issues with version conflicts. See [1], [2] for details. Instead, we've been using a custom Python script that under-the-hood runs
pip freezeand saves the output torequirements.txt.This script works well for us, but it doesn't integrate well with other tools. On the other hand
pip-toolsas of 2020 seems to be well-supported by its maintainers and other tools; for instance, GitHub's automated update service Dependabot supportsrequirements.infiles.At the same time, we've been better at keeping our dependencies up-to-date and fixing version conflicts, so there is no longer any issue caused by using
pip-toolsto generate ourrequirements.txtfile. I think it's time to givepip-toolsanother chance :)This PR is a straw-person to explore using
pip-toolsinstead. It replaces our scriptdmutils.repoutils.freeze_requirementswithpip-compile, and changes ourrequirements-app.txtfile to berequirements.into meetpip-toolsconvention. There are also separaterequirements-dev.inandrequirements-dev.txtfiles for dev requirements, following the layered requirements example in thepip-toolsREADME.As part of this, I've also loosened/removed the constraints in the parent requirements files, so we end up with something like the spec/lockfile pattern in tools such as Bundler and NPM. This appears to be the best way of using
pip-tools.In my mind the advantages are a cleaner interface for maintaining requirements files, and better integration with tools in the future. We could also remove our own custom code! There are a couple of extra steps we could take, such as asking
pip-compileto save hashes, and usingpip-syncto install requirements in our local development virtualenvs.