New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an option to install the oldest supported versions of dependencies #906
Comments
If you are a project author and add I understand your intentions behind this feature request, but this is not realistic because there is no way to know the minimum required version unless you explicitly give it. |
Oh I might misread the feature request, there is another request to resolve the version to the minimum required. This part can be realized though. So:
Think of it more, what should happen if run |
Yes, pretty much this. As far as I understand currently the resolver tries to find a solution with the newest possible versions, I would like an option where it would try to find the oldest possible versions, given the constraints in the |
FYI |
Yes, that's true, but it would be counter-intuitive to have this as an option of |
I thought of this feature again and found that it may produce broken lock files. Say you add a dependency without a lower bound like |
Perhaps some safety checks can be implemented? E.g. only minimize versions for the packages with explicit lower bounds, and only use those versions with explicit Python bounds. After all, it is only supposed to be used for testing purposes. |
Yes, you would say you clearly know what you are doing and will remember to set lower bounds every time. But what if it comes to sub-dependencies? You don't know what sub-dependency is missing a lower bound then a broken and legacy version will be pinned. |
Or do you know other package managers that do the same so I can learn from it? |
Well, wouldn't that achieve the goal, which is to see if given bounds can produce a bad lock file? Edit: or, rather, allow the package to be installed on a system with already installed packages satisfying the bounds, but making your package non-operational. Also, perhaps, this feature does not need to minimize sub-dependencies? We're only interested in explicit first-level dependencies, the ones we actually use. We want to see if even they're at their lower bound our package still works; but what they install as sub-dependencies is their business.
No, unfortunately I don't. |
Well, I will leave this for discussion until enough people show their interest in this feature(by voting). |
The real solution would ask for something that works like But this is something interesting. Not something that should be implemented in pdm nor the res resolution library we will replace pip with. But definitely a use case it could enable in a plugin. |
As an example of this functionality, Rust's
and there's a corresponding plugin |
I think the situation Rust is facing is much better than the Python community. It enforces relatively strict rules on the package versions. |
I wouldn't say it's enforced, but for whatever reason semver is much more popular in Rust ecosystem. And, of course, the dependencies not living in a flat namespace also helps. But that doesn't mean that such resolution method won't be useful in Python. |
I notice more sloppiness regarding dependency management in the Python ecosystem compared with Java and Nodejs. That said, I do realise that you want to keep the barrier low in tutorials and at the same time keep them stable over time. Disclaimer: I am the author of pyprojectx. |
While I can see the benefits of using this tool, I am not sure what does it have to do with this issue. You cannot force a lockfile on the users of a library because they will have their own lockfiles. That's why it is important to ensure your minimum bounds are actually valid. |
Please go to #2033 for further discussion on this issue. |
xref: completed in #2327 |
Imagine you're adding a
requests
dependency to your projects, as it's done in the tutorial. Currently this will result in"requests>=2.27.1"
in the dependency list. This is most probably an overkill: it's quite likely your library will work just as well withrequests
at 2.20 or 2.10, or maybe even just 2.0, in which case you'd want to set that as a limit to reduce the possibility of conflicts for the users of your library. But if you set"requests>=2.0"
,2.27.1
will still be installed oninstall
(unless there are some limitations from other dependencies). For the testing purposes, it would be great to be able to resolve the dependencies as close to the minimally allowed versions as possible (I understand that it may not be possible to set all dependencies exactly at the minimum versions, so some kind of distance measure will have to be introduced). This way you could run that on CI and be sure that all your bounds actually make sense.Another use case is when you start using a new feature of some dependency, but forget to bump the bound. Everything works on your end, but then a user with that dependency at a lower (but still allowed) version gets an error because the feature is missing.
The text was updated successfully, but these errors were encountered: