Move away from the xdg package

[stdedos]

Description

https://pypi.org/project/xdg/:

xdg has been renamed to xdg-base-dirs due to an import collision with PyXDG. Therefore the xdg package is deprecated. Install xdg-base-dirs instead.

tl;dr: you'd need to change this

autoimport/pyproject.toml

Line 34 in f0ac03d

"xdg>=5.1.1",

(and that

autoimport/pyproject.toml

Line 382 in f0ac03d

"xdg",

)

and then this

autoimport/src/autoimport/entrypoints/cli.py

Line 9 in f0ac03d

import xdg

to xdg_base_dirs (and the one reference ofc 😅)

[lyz-code]

Hi @stdedos thank you for opening the issue and pointing out the solution. Will fix it as soon as I can. Maybe if you make a PR the fix will be implemented sooner (although I think the CI is broken right now :( )

[lyz-code]

Working on it right now

[lyz-code]

I'm afraid that we can't migrate to xdg-base-dirs because they only support Python >= 3.10 and We support all active Python versions (right now >=3.7). The devs suggest not to migrate from xdg if you need support for those versions.

I'm adding a comment on the code to migrate away once support for 3.9 is dropped. We use the library literally for one line, I don't think we'd need the features of the new package nor think it's probable that we hit a critical vulnerability running xdg.xdg_config_home().

Therefore I'm closing the issue, but if you think of a better solution I'm fine reopening it again

[stdedos]

Can you try to use https://pypi.org/project/pyxdg/ for the <3.10 versions?
(That might be harder; I can try to PR that for you maybe this weekend if you want)

My concern is not "vulnerabilities"; my real issue is

import collision with PyXDG.

Ofc I could've used a venv for https://github.com/lyz-code/autoimport/ to make this problem go away. However, I have a logical gap:

1. idk how can I have it in a venv. I create per-project venvs, or use the local-installation for "my user stuff" (e.g., pudb, ipython etc)
2. I don't see a reason why would I install that in a project-venv, when I want to use it across projects --> therefore, include it in any requirements.txt (or equivalent) makes no sense to me
3. It doesn't seem reasonable to me to manually install it every time in a venv

[lyz-code]

For these kind of tools I use pipx which automatically creates an virtualenv for everything you install, while it keeps it easy to update them all. This may solve your problems 1. 2. and 3.

Adding PyXDG for Python <3.10 and xdg-base-dirs for Python >3.10 looks an unnecessary complex increase, and I'm not quite sure how that will work with pdm.

Even if I don't like the idea, if you feel strong about it and want to make a PR I'll check it, and if it's not that complex I'm fine with merging it.

Despite if you use it to solve this issue I encourage you to give pipx a try for the rest of your environment setup, it has saved me a lot of time and headaches