-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider vendoring legacy_api_wrap #1301
Comments
I generally agree that those issues exist (to varying degrees)¹ …
… but those reasons don’t apply to this specific library:
I think there are use cases for vendoring, but I’ve been bitten by it more often than I’ve seen it pay out. I haven’t dealt with git submodules in a while, but unless things changed, they also add complexity and make things harder (not only for newbies). So unless there’s an especially good case for vendoring², I’m against doing it, and if there is, I don’t know if git submodules are the way to go. ¹ Except for “people pinning it”: If we need a new feature of a dependency, we bump the minimum version we depend on and people pinning things might need to use an older anndata. That’s why we’re careful about doing that |
Conda has a policy against vendoring, so let’s not do that.
|
How do they handle scipy? Or versioneer? |
This issue has been automatically marked as stale because it has not had recent activity. |
I think we should be very conservative with dependencies for anndata. Ideally it's a very small set.
Each dependency brings possible dependency resolution issues (e.g. people pinning it) and supply chain vulnerabilities.
I think we can get around this (especially for small dependencies) by just vendoring the code (similar to approaches taken by larger packages like scipy/ numpy).
I would suggest that we use a submodule to specifically vendor
legacy_api_wrap
.cc: @flying-sheep
The text was updated successfully, but these errors were encountered: