Remove Pipfile.lock or add some CI tests #1032
I am not sure I know anyone who uses the lock file -> if you do actively use it please speak up :) I am also not sure what the benefit is of having a fully pinned dev environment. Our users can't install a fully pinned environment/we don't provide the information to them, so we should be testing and developing with "loose" dependencies as well. If repo2docker breaks because of this, this is a bug that needs fixing instead of pinning a dependency precisely to some specific version. (For deploying/running repo2docker you might want a fully pinned environment but that use case isn't covered by the lock file, I think.)
- Seem unused - definitely not updated.
- I think pipenv has also lost a lot of its popularity over the last year or two
Fixes jupyterhub#1032

- Seem unused - definitely not updated.
- I think pipenv has also lost a lot of its popularity over the last year or two
- This does not affect the Pipfile *buildpack*, so repos we build that have a Pipfile will not see any difference
Fixes jupyterhub#1032
dependabot has opened some updates against Pipfile.lock, including:
My understanding of Pipfile.lock is it allows you to have a fully reproducible working dev or test environment, but this implies we shouldn't merge dependency bumps to this file without testing them since semver compatible bumps may still contain bugs or unexpected interactions with other packages.
At the moment it's not tested in our GitHub workflows.
@betatim suggested removing it:
What does everyone else think? If we want to keep it is someone willing to ensure it's tested so we can just click Merge on dependabot PRs?