-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New python manager for PEP621 #10187
Comments
Hi there, Help us by making a minimal reproduction repository. Before we can start work on your issue we first need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. To get started, please read our guide on creating a minimal reproduction to understand what is needed. We may close the issue if you (or someone else) have not provided a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment. Good luck, The Renovate team |
New package manager questionnaireDid you read our documentation on adding a package manager?
BasicsName of package managerWhat language does this support?Python How popular is this package manager?Relatively new but gaining popularity among the popular python build tools. PEP621 has already been implemented by flit, pdm, trampolim, whey, enscons. PEP621 is also planned for inclusion in setuptools and is under consideration for poetry as well. Does this language have other (competing?) package managers?
PEP621 is not a "package manager" itself, but a common format for defining static metadata that other python build tools/package managers can consume. Package File DetectionWhat type of package files and names does it use?
What fileMatch pattern(s) should be used?This would be similar to the existing Is it likely that many users would need to extend this pattern for custom file names?
Is the fileMatch pattern likely to get many "false hits" for files that have nothing to do with package management?No. There is only one file, Parsing and ExtractionCan package files have "local" links to each other that need to be resolved?No, there is only a single Is there a reason why package files need to be parsed together (in serial) instead of independently?What format/syntax is the package file in?
How do you suggest parsing the file?
Does the package file structure distinguish between different "types" of dependencies? e.g. production dependencies, dev dependencies, etc?
List all the sources/syntaxes of dependencies that can be extractedhttps://www.python.org/dev/peps/pep-0621/#dependencies-optional-dependencies Describe which types of dependencies above are supported and which will be implemented in futureVersioningWhat versioning scheme does the package file(s) use?Dependencies are specified according to PEP-508, which itself says that dependency versions are specified according to PEP440. Does this versioning scheme support range constraints, e.g.
|
@wwuck Thank you for using the issue template, and filling out the questionnaire! 😄 |
@rarkins It seems we still need a minimal reproduction repository? What do you need to proceed? |
Yes a repo or more with example use cases would help. Also, once different tools implement lock files then we may need to rethink how to handle it. |
Here's some repositories with PEP 621 style dependency declarations: Notice that all of these declarations are "abstract" (i.e. not exact versions/artifacts, but rather a description of what version ranges are compatible) and not "concrete" (like a lock file that pins all artifacts and hashes would be). |
This is purely because Renovate currently does not support `pyproject.toml` as a Python dependency manager: renovatebot/renovate#10187
Adding a +1 to this request, as I just discovered
|
Handling PEP 621 may actually be a bit complex to handle. PEP 621 (and by extension, PEP 631) defines the structure for declaring dependencies, which is convenient since projects implementing the specification share a common structure. But I believe that from a Renovate perspective, this would not really be a manager per se, but rather a common reusable structure and logic to parse, which itself is used by different managers (for instance, for libraries following PEP 621: PDM, setuptools, flit, hatch, ...). Despite following the same structure for specifying dependencies, tools implementing PEP 621 still have their own lock mechanism (some also don't handle locking) for the lock file (both for the format and the name), since this is not covered by a PEP. Also, since Renovate would need to run commands from the different libraries, which will most likely differ, there definitely needs to be a differentiation between the different tools. So depending on the tool used by projects, Renovate would need a hint on the tool that was used. Something naive may be to look for a specific lock file name (since the tools will most likely have their own file name, which have a great chance of being unique). In the future, if there's ever an accepted common format for the lock file (there was PEP 665, but it has been rejected), this may become unreliable, though, but maybe this is looking too much into what the future may become. |
[PEP 621](https://peps.python.org/pep-0621) provides a standardised way for storing project metadata including dependencies declaratively in pyproject.toml, instead of setup.py which is very dynamic. PEP 621 is now [supported by setuptools](https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html). This PR uses project settings in pyproject.toml to configure setuptools to build the sdist and wheel. The built distribution is the same, except the PKG-INFO now includes classifies, keywords, and the full text of the license. NB: pyproject.toml dependencies are not yet supported by renovatebot (see [#10187](renovatebot/renovate#10187)) or dependabot (see [#3290](dependabot/dependabot-core#3290))
I think you’re almost spot on, except for the “unreliable” part, as the future could look like this:
I don’t see how this could become unreliable or otherwise prevent action right now. |
Please keep in mind that libraries do not need lock files and will only ever use |
I don't think this is accurate at all. Lock files typically speed up the installation process drastically, which means they're a good idea to commit in all places. It also ensures you're using the exact same version for testing things in all environments. Libraries still have plenty of dev dependencies, and when a team is working on that one library, it's important that everyone is using the same version of those dev dependencies. |
Generally, I think it's irresponsible to use lock files for libraries rather than pulling latest to catch incompatibilities before end users do.
Dependency resolution pales in comparison to the downloading and unpacking of artifacts, unless that is in fact necessary for dependency resolution as is the case for Python source distributions when no wheels are available. Though this is not very applicable to libraries as there won't be potentially hundreds or thousands of dependencies like applications may have.
Those can just be pinned since most libraries do the approach I described and will catch issues with the latest versions of their transitive dependencies before you do 😉 |
puts on the hat of "I am one of the authors of pip's dependency resolver" @ofek is correct IMO - if libraries shipped lock files to their end users, that would be inappropriate and would be equivalent to overly aggressive pinning. There might be a case to be made for development workflows but as @ofek noted, you typically want to get the latest versions to catch issues before end-users see them. Or, at least, end users who are consuming it via a lock file and being judicious about when/how they update things.
I don't know much about renovate's semantics/specifics but I'll note that pip-tools already supports this workflow. |
This simply isn’t true. Lock files are not used by dependent software. The contents of a library’s lock file has no bearing on anything outside of that project itself. |
Hi! As a user of PDM for some projects, I'm wondering whether anyone is working on implementing this for renovate (as described in #10187 (comment)). What would be needed to make this happen? |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Please don't post me too comments, they are too noisy. We'll delete them in future. To get this happen somebody from the community needs to send a PR with an implementation. it also needs a reproduction as the label states. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
setuptools will stop working with this and we're not able to switch to pyproject.toml until renovatebot/renovate#10187
🎉 This issue has been resolved in version 35.83.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Thanks to Vector Informatik GmbH for sponsoring this feature! |
What would you like Renovate to be able to do?
Renovate has existing managers for various python sources. The python community has recently accepted PEP621 as a standard format for providing python package metadata in a
pyproject.toml
file so that multiple packaging-related tools can consume this data from one location instead of various tool-specific configurations. This metadata includes dependencies/optional-dependencies.I would like to request that Renovate gains a new manager for PEP621/pyproject.toml to maintain and keep updated the
dependencies
andoptional_dependencies
fields.The text was updated successfully, but these errors were encountered: