Skip to content

Relax version specification for dependencies following semver #683

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
nejch opened this issue Mar 11, 2023 · 5 comments · Fixed by #684
Closed

Relax version specification for dependencies following semver #683

nejch opened this issue Mar 11, 2023 · 5 comments · Fixed by #684
Labels
type: feature A new enhacement proposal

Comments

@nejch
Copy link

nejch commented Mar 11, 2023

Description

Currently quite a few prod dependencies are defined in very strict ranges, even though commitizen is likely to be installed more as a library along with other dependencies rather than a single application. See:

commitizen/pyproject.toml

Lines 60 to 73 in fb0d1eb

questionary = "^1.4.0"
decli = "^0.5.2"
colorama = "^0.4.1"
termcolor = [
{ "version" = "^1.1", python = "< 3.7" },
{ "version" = ">= 1.1, < 3", python = ">= 3.7" },
]
packaging = ">=19"
tomlkit = ">=0.5.3,<1.0.0"
jinja2 = ">=2.10.3"
pyyaml = ">=3.08"
argcomplete = ">=1.12.1,<2.2"
typing-extensions = "^4.0.1"
charset-normalizer = ">=2.1.0,<3.1"

Partially I would blame poetry's default behavior for adding dependencies, which is more restrictive than you'd really want for libraries IMO. So I'd personally use PEP-440 specifiers here rather than poetry's custom caret versioning.

For dependencies that reliably follow semver, I think it's not an issue to at least allow the current major version, or even open it up completely and restrict versions only when there are issues, which is more common in python IMO (this is not npm so we cannot have multiple versions of transitive dependencies at the same time.. so we kind of have to be a bit more broad with ranges to make life easier).

/cc @jakob-keller

Possible Solution

Check the current production dependencies and see if they follow semantic versioning. If they do, assume good intentions and lock only major versions for those ;)

Additional context

No response

Additional context

#680
@nejch nejch added the type: feature A new enhacement proposal label Mar 11, 2023
@nejch nejch mentioned this issue Mar 11, 2023
Merged
4 tasks
@woile
Copy link
Member

woile commented Mar 11, 2023

I'm open to the suggestion, I think it's a good idea.

@jakob-keller
Copy link
Contributor

I'll prepare a PR this weekend

@nejch
Copy link
Author

nejch commented Mar 11, 2023

Awesome! I see that termcolor (for py3.7+), packaging, jinja2, pyyaml are already open for higher versions. Perhaps this can be the case for all of them, unless testing runs into issues (so maybe pin them with a lockfile for testing only, and maintain it with dependabot/renovate, but not lock the versions for dependent users).

Also, typing-extensions could probably be limited to specific python versions (depending on what's needed, might even be 3.7 only, I haven't looked at the code).

I also see that charset-normalizer was maybe not intentionally pinned to a specific minor version but for the same reason as already discussed (309a409).

Thanks again for the quick responses 🙇

@jakob-keller jakob-keller mentioned this issue Mar 11, 2023
Merged
4 tasks
@jakob-keller
Copy link
Contributor

I just created a draft PR. Feel free to continue the discussion over at #684

@jakob-keller
Copy link
Contributor

I just created a draft PR. Feel free to continue the discussion over at #684

The minimal PR is ready, IMO.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: feature A new enhacement proposal
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Relax runtime dependency specifications
3 participants
@woile @nejch @jakob-keller