ClimateImpactLab / cookiecutter-pypackage

Cookiecutter template for a Python package.

Drop pinned requirements and odd packages #222

Open brews opened 4 years ago

brews commented 4 years ago

The pinned requirements are so tots out of date (and have security issues).

The requirements file also lists heavy packages that the user may not actually need (e.g. pandas). These should be gutted.

brews commented 4 years ago

Note that pytest-runner has some security issues: https://pypi.org/project/pytest-runner/

We also have a pinned version of pyyaml with security issues; we should unpin this.

Also bumpversion has been deprecated and I've also been having some trouble with its community-supported fork bump2version.

delgadom commented 4 years ago

yeah these all seem problematic. do you know of any good

delgadom commented 4 years ago

oops. I meant to abandon comment not close... lol

brews commented 4 years ago

Brainstorming, @delgadom :

I think we could just gut pytest-runner altogether. Does pyyaml need to be pinned?

Generally, I think of heavy pinning as something for applications, if anything, as opposed to libraries. With libraries we only need to soft pin something that's essential and easily broken. So, an open range like python>=3.7, for example, if we really need a feature like dataclass that isn't available in earlier versions.

Do we really need hard pins in cookiecutters?

What are your thoughts on this, @delgadom?

My hope is that removing the pins and some of the extra packages/features that are a flourish will make this easier to maintain in the long run. Keep it to simple essentials and fewer things will break... (hopefully?) If users need more features/tools then maybe we can point them to opinionated, internal Paper docs that explain how to set things up (e.g. conda package building, automated docker builds in CI, etc). Simpler cookiecutters would also make packaging less intimidating for new learners... (again just brainstorming).
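As an added illustration of the pinning policy argued for above (not code from this thread or from the cookiecutter-pypackage project), here is a small audit script that flags hard `==` pins in a library's requirements and reports packages the thread proposes dropping. The drop and heavy lists, the simplified requirement grammar, and the sample requirements block are all assumptions constructed for the example.

```python
import re

# Packages the thread proposes removing from the template, and heavy packages
# a library should not pull in by default (both lists assumed for this example).
DROP_LIST = {"pytest-runner", "bumpversion"}
HEAVY = {"pandas"}

# Simplified requirement line: name, optional [extras], optional version spec.
# Environment markers (after ';') and comments are ignored; not a full PEP 508 parser.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")


def classify(line):
    """Return (name, kind) with kind 'hard', 'soft' or 'open'; None for non-requirement lines."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option such as -e / -r
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")  # normalise the distribution name
    spec = m.group(3)
    if not spec:
        return name, "open"
    if "==" in spec:  # covers == and ===, i.e. an exact pin
        return name, "hard"
    return name, "soft"  # >=, <, ~=, != ranges


def audit(requirements_text, library=True):
    """Return human-readable findings; hard pins and heavy deps are only flagged for libraries."""
    findings = []
    for raw in requirements_text.splitlines():
        result = classify(raw)
        if result is None:
            continue
        name, kind = result
        if name in DROP_LIST:
            findings.append(f"{name}: on drop list, remove")
        elif library and kind == "hard":
            findings.append(f"{name}: hard pin {raw.strip()!r}, use an open range or no pin")
        elif library and name in HEAVY:
            findings.append(f"{name}: heavy dependency, move to an optional extra")
    return findings


# Constructed sample requirements.txt for a library (not from the project).
SAMPLE = "# sample\npyyaml==3.12\npandas\npytest-runner\nnumpy>=1.15\nbump2version\nrequests[security]>=2.20,<3\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```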

delgadom commented 4 years ago

this seems super reasonable. I'm not sure what your suggestion is on pytest-runner... isn't it core to the testing setup?

brews commented 4 years ago

@delgadom You (or our humble user), or CI just runs pytest (with or without some args) on the repository or pytest on the installed package and everything still runs just fine.

Maybe I've been doing it wrong or am completely blind to something? Did you have something specific in mind?