Exclude packages required only by unsafe packages #441
Mark the merged PRs of pip-tools in Change Log more clearly so that it is easier to keep track which fixes/features are already in. This includes following 7 PRs:
* jazzband#355
* jazzband#378
* jazzband#389
* jazzband#417
* jazzband#441
* jazzband#448
* jazzband#450
@jdufresne This is an important fix for many people. Could you please fix the Travis build?
Sure, I can revisit this. It occurred to me that this needs to happen recursively. For example, packages included by packages included by setuptools should also not be included in the requirements. Until that is fixed, this is not ready for merge. I'll take a look at that problem once resolving the merge conflict and Travis build.
@jdufresne I am really not convinced that this needs to happen at output time. I think the analysis should take place at resolve time. What is your take on this?
@davidovich Yeah, that makes sense. Somewhere in
The updated PR is ready for review. I have:
Just a thought, is there a good use case for
@jdufresne could you add a test to show that appdirs, packaging, etc. is not added to the compiled requirements due to being unsafe?
@davidovich I have updated the test fixture to include appdirs and packaging as dependencies of setuptools. In Let me know if you had something else in mind. If so, could you provide a bit of guidance as to what the test might look like? I'd be happy to write additional tests, just want to make sure I'm adding what you're looking for.
Yes that is what I had in mind. I will try to merge tomorrow, or next Monday.
… use Recent versions of setuptools have dependencies: https://github.com/pypa/setuptools/blob/6d89f362c9657e12fe2500c061e77747305b76e4/setup.py#L165-L168 As setuptools is considered unsafe and excluded by default, its dependencies should also be excluded. Fixes #445
Thanks @jdufresne !
Recent versions of setuptools have dependencies:
https://github.com/pypa/setuptools/blob/6d89f362c9657e12fe2500c061e77747305b76e4/setup.py#L165-L168
If a package requires setuptools, it is commented out in the compiled
requirements.txt. As setuptools isn't included, its dependencies should also
not be included.
Should fix #445
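
The exclusion rule discussed in this thread, including the recursive case and the case of a dependency shared with a safe package, as an added sketch. It is not pip-tools code: `split_requirements`, the `UNSAFE` set and the sample graph are constructed for illustration.

```python
from collections import deque

# Assumption for this sketch: the packages treated as unsafe to pin.
UNSAFE = {"setuptools"}

# Constructed dependency graph: package -> direct dependencies.
SAMPLE_GRAPH = {
    "myapp-lib": ["setuptools", "six"],
    "setuptools": ["appdirs", "packaging"],
    "packaging": ["pyparsing", "six"],
    "appdirs": [],
    "pyparsing": [],
    "six": [],
}


def split_requirements(roots, graph, unsafe=UNSAFE):
    """Return (pinned, excluded) as sorted lists of package names.

    A package is pinned only if some dependency path from a root reaches it
    without passing through an unsafe package. Everything else in the
    resolved set is excluded: the unsafe packages themselves and anything
    required only by them, at any depth.
    """
    # Pass 1: walk from the roots, never entering an unsafe package.
    pinned = set()
    queue = deque(r for r in roots if r not in unsafe)
    while queue:
        name = queue.popleft()
        if name in pinned:
            continue
        pinned.add(name)
        queue.extend(d for d in graph.get(name, []) if d not in unsafe)

    # Pass 2: the full resolved set, walking through unsafe packages too.
    resolved, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name not in resolved:
            resolved.add(name)
            stack.extend(graph.get(name, []))

    return sorted(pinned), sorted(resolved - pinned)


if __name__ == "__main__":
    pinned, excluded = split_requirements(["myapp-lib"], SAMPLE_GRAPH)
    print("pinned:  ", pinned)
    print("excluded:", excluded)
```

In the sample graph `pyparsing` is excluded because it is reachable only through setuptools, while `six` stays pinned because a safe package requires it directly.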