Drop lockfile as direct dependency #7310
Conversation
What's the motivation? What I mean is: given that cachecontrol is pulling in the If and when cachecontrol ever (re)releases the version that includes my MR to drop
Ok, I was wrong. Honestly, I just didn't like us having another top-level dependency when one wasn't really necessary. I am aware this doesn't remove
I think this is good. I need to finish my draft of the writeup for the issue that caused 1.3.1 -- but in short, we can't reliably depend on cachecontrol to pull in lockfile, but it's silly just to pull it in to inherit from the class, when it's so minimal. In short: not every index supports yanked packages and I'd like to see this in the codebase so we are indifferent to the presence of
To my mind, simply removing a top-level dependency isn't achieving anything very useful. And given that for the moment Still I suppose it's not worth fighting over a small amount of noise. Edit: not entirely sure what your comment about yanked packages relates to, but if it is to do with the yanking of cachecontrol 0.12.12: suggest that a cleaner fix to make that secure would be for poetry to depend on 0.12.11 explicitly (or explicitly exclude 0.12.12, whatever)
On reflection I think I ought to be firmer in saying what I think about this: which is that it seems pointless and that I am against it. Of course y'all are welcome to do what you think is right regardless: but it seems silly to have an opinion and not to say so.
Superseded by #7997
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Pull Request Check List
Direct dependency on lockfile wasn't really necessary, I have brought all the necessary code into one class building upon what was done in #6471