jonchang | 3 years ago

Our solution to the infinite-backtracking pip dependency resolver was to instead rely on poetry to do dependency management via lockfiles. This way dependency resolution only needs to happen once, and oftentimes on CI through dependabot version bumps. This also has the advantage of ensuring that the exact dependency tree is mirrored on developer machines and on production servers.

I also helped work on Python app dependency resolution in Homebrew. For apps (i.e. not libraries) written in Python, Homebrew vendors the full dependency tree as formula resources. However, this was a fully manual process for a while and relied on maintainers laboriously copying and pasting URLs from PyPI, checking requirements.txt and so on. We instead transitioned to a system that used pipgrip to do dependency resolution (and helped report a few bugs) so that all of this could happen automatically instead.

It's kind of sad that all of these are built outside of the pip team, but I imagine in a few years pip will be good enough to replace both of these use cases.
