sbidoul / pip-deepfreeze
A simple pip freeze workflow for Python application developers
License: MIT License
uv supports overrides, and pip may support them at some point.
Design
overrides.txt
requirements*.txt
from overrides.txt
-o
(uv only for now)
When using --update DEP it could be useful to also update transitive dependencies of DEP.
When pip, setuptools, wheel and distribute, they are never present in locked requirements.
This is because pip omits them by default in pip freeze output.
We change to call pip freeze --all but never propose to uninstall these as they may be necessary to build legacy projects without build isolation.
pip now builds in an isolated environment when wheel is absent, so no need to warn about it.
This is important to avoid blocking silently.
The script that inspects the content of the environment currently relies on pkg_resources, hence setuptools. In modern packaging, setuptools is not necessarily installed in the virtual environment. So we should have a mode that works with importlib[._]metadata.
Pip constraints have limitations, especially with the new resolver.
To reproduce, create a project with a setup.py and pip-df sync it.
Then add an extras_require with an extra named, say, dev.
Then run pip-df sync -e dev. It complains that dev is not an extra of the project.
To make it work, you need to pip uninstall the project then pip-df sync again.
Instead of our pip_list_json.py script. This will also resolve #54.
From the FAQ: pip-deepfreeze erroneously complains python is not running in a virtualenv.
The most probable cause is that you used an older version of virtualenv which does not generate PEP 405 compliant virtual environments. virtualenv version 20 and later are supported, as well as the Python 3 native venv module. Should this problem be prevalent in practice, we may add support for older virtualenv versions, or add an option to ignore the virtualenv sanity check (which is only there to prevent pip-deepfreeze from corrupting the system Python packages by accident).
To control debug level logging
Looks like the packaging community is moving to tomli, which is smaller and fully toml 1.0 compliant.
How to reproduce:
packaging
packaging<20.1
=> stack trace pkg_resources.VersionConflict
GitHub allows you to reference a pull request as a hidden ref you can fetch. This feature is useful to keep a log of your open PRs required by your project.
In order to declare a dependency to a new patched version of one of my project's dependencies, I've added into my requirements.txt.in the following line:
odoo10-addon-account-banking-mandate @ git+https://github.com/oca/bank-payment.git@refs/pull/727/head#subdirectory=setup/account_banking_mandate
and used the update command to install and freeze this new version of my dependency
pip-df sync --update odoo10-addon-account-banking-mandate
(PR from acsone/bank-payment to oca/bank-payment)
At the end of the process, the dependency is correctly installed; however, the updated entry in my requirements.txt file is not right. Indeed, even if the sha is the right one, the ORG in the GitHub URL is the one on which the PR has been made, not the one from which the changes are submitted...
odoo10-addon-account-banking-mandate @ git+https://github.com/oca/bank-payment.git@84d5fd2cc8c9bbca6b036ad5f8d87776d1b3fdad#subdirectory=setup/account_banking_mandate
Is it a known limitation or a bug?
What criteria to detect a safe situation?
What if in a virtualenv with system site packages?
requirements.txt.in is somewhat misnamed, as it actually contains pip constraints and options.
constraints.txt would more accurately reflect what the file is for, i.e. constraining dependencies when it is not practical or desired to put such constraints in pyproject.toml project.dependencies.
When a new dependency is added to the project, and it is already installed while not being part of requirements.txt, using --update or --update-all may not update it to the latest available version.
This is a very edge case that is probably not an issue in practice.
When running pip-df sync -e with unknown extras, an assertion error is raised.
The desired behaviour is to warn the user but otherwise ignore the unknown extras.
It would appear that pip-deepfreeze tries to install the local package in editable mode:
pip install -e .
Unfortunately, I have a case where this does not work reliably. The reason being that I have multiple local packages which pip does not resolve well. The reason being that pip believes packages to be conflicting if one package is installed in editable mode, and the other is installed in non-editable mode from a path. There are also issues where pip believes there is a conflict if the paths are not identical (e.g. /src/pkg-b/../pkg-a and /src/pkg-a are the same, but pip will see a conflict).
I could not see an option with pip-deepfreeze to allow a non-editable installation. Could this be added behind a flag?
This will need to be implemented in pip freeze first.
Currently, the naming scheme of generated requirement files is hard coded (requirements.txt, requirement-{extra}.txt) and is generated for the platform/interpreter on which pip-deepfreeze runs.
It might be useful to have an optional naming scheme that includes platform/interpreter information.
This could be done by providing pip-deepfreeze with a target pip command in addition to a target python interpreter.
That pip command could then be target-pip --python {target-python} ....
Developers typically need to remember to use pip-df sync -x test,dev. This is not optimal.
Two possibilities:
pyproject.toml, in a tool.pip-deepfreeze section.
tool.pip-deepfreeze.min_version