New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please don't require exact versions in requirements #101
Comments
BTW, thanks for this module. It's going to make a current project a lot easier. :) |
Continuing since this resurfaced with #228: I've had problems with non-pinned versions in the past, especially since pip's primitives when it comes to specifying version ranges are fairly limited in my opinion (compared to npm, for example). I'm inclined to say: call us out / send patches if pinned versions are getting unreasonably old, and use virtualenvs as much as possible since they will save you a lot of trouble. I'm happy to discuss this further, I may be missing some valid counter-arguments, but I genuinely believe unpinning versions will be worse for everyone (maintainers and users) in the long run. |
@shin- virtualenvs don't solve this problem if someone has something that depends on docker-py and one of your pinned dependencies; you'll still be forcing them to use a particular version of that dependency. Perhaps not a problem right now, but imagine a situation where a version of requests is released which introduces a new feature and a (perhaps unknown) regression, both unrelated to how docker-py uses it. Do you accept the PR from person A which bumps your pin up? What do you do when person B opens a PR reverting that change because the regression breaks their app? And then what does person A do with their codebase that is using this shiny new requests feature? If you specified a minimum version that you require (rather than pinning at a specific version), then person A could use the shiny new feature and person B could stick with the version before regression. |
In that example, my opinion is that person B should either update their code to support the newest version of requests, or stick with an older version of docker-py that doesn't require said version of requests. If they're okay with an "outdated" version of requests why wouldn't they be okay with an "outdated" version of docker-py? |
So, as I mentioned on #218, I'm looking into this specifically in the context of packaging the library. Currently, "python-websocket" is at 0.12 in Debian (which is the package for websocket-client), but the dep here is |
At the risk of repeating myself, best practice:
Pinning library dependencies to specific versions makes it hard to reuse the library. |
You should heed sound advice, born of great experience, gently offered twice. |
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
It's a good idea to pin requirements in applications.
It's a bad idea to pin requirements in libraries. Doing so makes reusing libraries difficult. If you have minimum requirements, that's fine.
The text was updated successfully, but these errors were encountered: