Parapred environment#55

Merged
mzueva merged 7 commits into main from MILAB-5596-parapred-environment
Feb 9, 2026

Conversation

@mzueva
Contributor

@mzueva mzueva commented Feb 6, 2026

Support git references in dependencies, add new parapred environment

@mzueva mzueva requested a review from DenKoren February 6, 2026 15:48
@gemini-code-assist

Summary of Changes

Hello @mzueva, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the Python environment builder by introducing support for Git-based package dependencies and providing more granular control over the 'pip download' process. It also integrates a new 'parapred' environment, streamlining the setup for projects requiring this specific configuration.

Highlights

  • Git URL Package Name Extraction: The build process can now correctly extract package names from 'git+https' URLs, enabling direct installation of packages from Git repositories.
  • Overwrite Existing Files during Download: 'pip download' commands now use '--exists-action w' to ensure that existing package files are overwritten, preventing potential issues with stale or incomplete downloads.
  • Configurable '--no-deps' for Packages: A new 'noDeps' configuration option allows specifying packages that should be installed without their transitive dependencies, offering greater control over the dependency graph.
  • Introduction of 'parapred' Python Environment: A new Python 3.12.10 environment, 'parapred', has been added, configured to include 'parapred-pytorch' from a Git reference and other specific dependencies.
Changelog
  • builder/src/build.ts
    • Enhanced 'getPackageName' to parse package names from 'git+https' URLs.
    • Added '--exists-action w' to 'pip download' arguments for overwriting existing files.
    • Implemented conditional '--no-deps' flag for 'pip download' based on package configuration.
  • builder/src/config-merger.ts
    • Introduced 'noDeps' array in package configuration to manage transitive dependency installation.
  • catalogue/package.json
    • Registered the new '3.12.10-parapred' environment.
    • Added 'milaboratories.runenv-python-3.12.10-parapred' as a dependency.
  • checker/whitelists/python-3.12.10-parapred/macosx-aarch64.json
    • Added a new whitelist file for 'torch' in the 'parapred' environment on macOS AArch64.
  • pnpm-lock.yaml
    • Updated the lockfile to reflect the addition of the 'parapred' environment.
  • pnpm-workspace.yaml
    • Included 'python-3.12.10-parapred' in the workspace definition.
  • python-3.12.10-parapred/config.json
    • Created a new configuration file for the 'parapred' environment, defining its dependencies, including 'parapred-pytorch' from a Git URL, and specifying 'parapred-pytorch' for '--no-deps'.
  • python-3.12.10-parapred/package.json
    • Created a new package definition file for the 'parapred' environment, detailing its metadata and build scripts.
Activity
  • The pull request was initiated by mzueva with the goal of supporting Git references in dependencies and adding a new 'parapred' environment.

@mzueva mzueva requested a review from rfiskov February 6, 2026 15:50

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces support for git references in dependencies, adds a new parapred environment, and includes a --no-deps option for package installation. A critical security vulnerability was identified in the package name extraction logic for git URLs, which could lead to command injection on Windows systems due to insecure command execution. This issue requires immediate sanitization. Additionally, the review focused on improving code efficiency and maintainability in the build script.
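As an added example (not the project's build.ts, and not code from this PR), here is one way to make the git-URL package-name extraction flagged in the summary above safe to reuse: the name parsed out of a `git+https://...` spec is validated against the PEP 508 project-name grammar before it goes anywhere near a pip command, and the `pip download` command is assembled as an argv array so no part of the spec is interpreted by a shell. It also covers the `name @ git+https://...` direct-reference form and the silently-skipped git dependency described later in this thread. Function names, the `DownloadOptions` shape and the `git.example.com` sample specs are assumptions for illustration.

```typescript
// Added example, not the project's own build.ts: parse a pip git+https dependency
// spec into a package name, validate that name strictly before it is reused in a
// pip command, and build the pip download command as an argv array rather than a
// shell string. Function and option names are assumptions for illustration.

// PEP 508 project-name grammar: letters and digits, with single ., -, _ separators.
const PEP508_NAME = /^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$/;

export function normalizePackageName(name: string): string {
  // PEP 503 normalisation: any run of -, _ or . becomes one hyphen, lower-cased.
  return name.replace(/[-_.]+/g, "-").toLowerCase();
}

export function isGitUrl(spec: string): boolean {
  const s = spec.trim();
  return /^git\+https:\/\//i.test(s) || /^[^@\s]+\s*@\s*git\+https:\/\//i.test(s);
}

// Reject anything that is not a bare project name, so a name lifted from a URL can
// never carry shell metacharacters, option prefixes (--...) or whitespace into argv.
export function assertValidName(name: string): string {
  if (!PEP508_NAME.test(name)) {
    throw new Error(`Refusing package name ${JSON.stringify(name)}: not a valid PEP 508 project name`);
  }
  return name;
}

export function getPackageName(spec: string): string {
  const s = spec.trim();
  // Form 1: "name @ git+https://host/org/repo.git@ref" (PEP 508 direct reference).
  const direct = /^([^@\s]+)\s*@\s*git\+https:\/\//i.exec(s);
  if (direct) return assertValidName(direct[1] ?? "");
  // Form 2: "git+https://host/org/repo.git@ref#egg=name&subdirectory=..."
  if (/^git\+https:\/\//i.test(s)) {
    const hashIdx = s.indexOf("#");
    const fragment = hashIdx === -1 ? "" : s.slice(hashIdx + 1);
    for (const kv of fragment.split("&")) {
      const eq = kv.indexOf("=");
      if (eq !== -1 && kv.slice(0, eq) === "egg") return assertValidName(kv.slice(eq + 1));
    }
    // No #egg=: fall back to the repository name, dropping "@ref" and a ".git" suffix.
    const urlPart = (hashIdx === -1 ? s : s.slice(0, hashIdx)).replace(/\?.*$/, "");
    const lastSeg = urlPart.split("/").pop() ?? "";
    const repo = lastSeg.replace(/@.*$/, "").replace(/\.git$/i, "");
    return assertValidName(repo);
  }
  // Plain requirement: "torch==2.5.1", "numpy>=1.26", "pkg[extra]".
  const plain = /^([A-Za-z0-9][A-Za-z0-9._-]*)/.exec(s);
  if (!plain) throw new Error(`Cannot determine package name from ${JSON.stringify(spec)}`);
  return assertValidName(plain[1] ?? "");
}

// Assumed config shape; mirrors the noDeps / allowSourceList options discussed in the PR.
export interface DownloadOptions {
  destinationDir: string;
  noDeps?: string[];           // packages downloaded with --no-deps
  allowSourceList?: string[];  // packages allowed to fall back to source builds
}

// Builds the argv for "pip download". Returning an array means each element is one
// argument to the child process and nothing is re-parsed by a shell.
export function buildPipDownloadArgs(spec: string, opts: DownloadOptions): string[] {
  const name = getPackageName(spec);
  const norm = normalizePackageName(name);
  const git = isGitUrl(spec);
  // A git dependency that no source-allowing policy covers would be skipped silently
  // once the binary-wheel lookup fails, so fail the build early instead.
  if (git && !(opts.allowSourceList ?? []).map(normalizePackageName).includes(norm)) {
    throw new Error(`Git dependency "${spec}" needs "${name}" in allowSourceList or it will be skipped`);
  }
  const args = ["download", "--dest", opts.destinationDir, spec];
  // Source-only flags are scoped to git dependencies rather than applied globally.
  if (git) args.push("--no-binary", name, "--exists-action", "w");
  if ((opts.noDeps ?? []).map(normalizePackageName).includes(norm)) args.push("--no-deps");
  return args;
}
```

Because both the `noDeps` and `allowSourceList` entries are normalized at comparison time, an entry written as `Parapred_PyTorch` matches a dependency that resolves to `parapred-pytorch`; the returned array is meant to be handed to a `spawn`-style call directly, never joined into a command line.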


glob@10.4.5:
resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==}
deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me

high

The glob@10.4.5 package is marked as deprecated and contains known security vulnerabilities. This should be addressed by updating the dependency tree. You can find which package depends on it by running pnpm why glob and then update the responsible parent dependency.


const packageName = getPackageName(depSpecClean);
const packageNameNorm = normalizePackageName(packageName);
const noDepsList = (config.packages.noDeps || []).map(normalizePackageName);
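Review bot: `packageName` on the first line is taken from `depSpecClean`, so for a git URL it is text lifted straight out of the dependency spec, and the review summary above flags exactly this extraction as a command-injection risk on Windows; the fix belongs here, before the name is reused. Validate the result of `getPackageName` against the PEP 508 name grammar (letters, digits and single `.`/`-`/`_` separators, no leading `-`) and throw on anything else, and make sure the resulting `pipArgs` reach the child process as an argument array rather than a shell-joined string. Hoisting `noDepsList` out of the loop, as already requested, is independent of that.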

noDepsList doesn’t depend on the current package, but it’s being recomputed on every iteration of for (const depSpec of allDeps). It’s better to move its computation outside the loop (similar to how resolution is computed once on line 258).

Contributor Author


Moved outside of loop

// Only force source for this package, not its dependencies
pipArgs.push('--no-binary', packageName);
if (shouldNoDeps) {
pipArgs.push('--no-deps');
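Review bot: the `--no-deps` push needs its contract documented, either in a comment above `if (shouldNoDeps) {` or in the description of the `noDeps` config option: pip will then not download that package's own requirements, so every runtime dependency of a `noDeps` entry (in this PR, `parapred-pytorch`) has to be listed explicitly in the environment's dependencies, otherwise the build succeeds and the import fails only at runtime. It is also worth confirming that `--no-binary packageName` and `--no-deps` are the only per-package flags, so the planned `buildPipArgs()` extraction covers all three branches.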

--no-deps logic is duplicated in three separate branches

The same pattern appears three times. If a fourth download path is added in the future, it's easy to miss. Consider extracting this into buildPipArgs() by passing the package name and the noDeps set, or adding a helper that decorates pip args.

Contributor Author


added to buildPipArgs()

'--dest',
destinationDir
destinationDir,
'--exists-action', 'w'

--exists-action w is a global behavioral change affecting all environments

This flag tells pip to wipe and re-download when a file already exists in the destination directory. Previously, pip would error or prompt in non-interactive mode, which would surface issues like duplicate/conflicting downloads.

With w, conflicts are silently resolved by overwriting. Applying it globally could mask legitimate issues in other environments. Consider either:

  • Adding a comment explaining why this is needed globally
  • Making it conditional (only for git URL deps)

Contributor Author


made conditional

"overrides": {},
"platformSpecific": {},
"resolution": {
"allowSourceList": ["parapred-pytorch"]

The allowSourceList entry here is easy to miss but actually critical — without it git deps just silently don't get installed.

What happens: pip tries to fetch a binary wheel for git+https://... → obviously fails → checks allowSourceList → package not there → skips it. And since strictMissing is false in shared config, there's no error — it just moves on like nothing happened.

Feels like a trap for the next person who adds a git dependency. They won't know they need to also add it to allowSourceList until they debug why the package is missing at runtime. Maybe worth adding a check in the builder: if a dep starts with git+ and isn't covered by allowSourceList or forceSource, fail early with a clear message?

Contributor Author


added check

@@ -0,0 +1,5 @@
{

What about linux* ?

Contributor Author


added

Comment on lines +278 to +299
// Validate that git URL deps are covered by source-allowing resolution policy.
// Without allowSourceList/allowSourceAll/forceSource, git deps silently get skipped
// because the binary wheel attempt always fails and strictMissing defaults to false.
for (const depSpec of allDeps) {
const spec = depSpec.trim();
if (!spec || !isGitUrl(spec)) continue;

const name = getPackageName(spec);
const nameNorm = normalizePackageName(name);
const coveredByForceSource = shouldForceSource(name, osType, archType)
|| resolution.forceNoBinaryList?.includes(nameNorm);
const coveredByAllowSource = resolution.allowSourceAll
|| resolution.allowSourceList?.includes(nameNorm);

if (!coveredByForceSource && !coveredByAllowSource) {
throw new Error(
`Git dependency "${spec}" is not in allowSourceList or forceSource. ` +
`Without this, the package will be silently skipped after binary wheel lookup fails. ` +
`Add "${name}" to packages.resolution.allowSourceList in config.json.`
);
}
}
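Review bot: the `allowSourceList` and `forceNoBinaryList` lookups compare the normalized `nameNorm` against the raw list entries, whereas the `noDeps` list in the earlier hunk is passed through `.map(normalizePackageName)` before comparison. Unless those two resolution lists are normalized at config-load time, an entry spelled `Parapred_PyTorch` will not match `parapred-pytorch` and this check throws for a dependency that is in fact covered; apply the same `.map(normalizePackageName)` to both lists here, or normalize them once when the config is merged. The error message should also name `allowSourceAll` and `forceNoBinaryList` as accepted alternatives, since the condition above accepts them.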

nit: Please extract the validation logic into a separate function.

Contributor Author


done

@mzueva mzueva merged commit 5e18bda into main Feb 9, 2026
75 of 76 checks passed
