archesproject / arches

Arches is a web platform for creating, managing, and visualizing geospatial data. Arches was inspired by the needs of the Cultural Heritage community, particularly the widespread need of organizations to build and manage cultural heritage inventories.
GNU Affero General Public License v3.0

Exact-pin all frontend dependencies #11043

Open chrabyrd opened 3 months ago

chrabyrd commented 3 months ago

This ticket is meant to start a discussion:

I believe we should exact-pin our frontend dependencies. I believe the stability and reduced chance of application drift is worth the additional overhead of needing to manually update dependencies on a set schedule (say, every minor+ release?).
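To make the proposal concrete, here is an added example (not Arches project code and not posted by anyone in this thread) that audits a `package.json` for specifiers that are not exact pins and rewrites the floating ranges to the versions already resolved in `package-lock.json`. The manifest and lockfile objects below are constructed for illustration; the function names `classifySpecifier`, `auditPackageJson`, `lockedVersion` and `pinFromLockfile` are this example's own.

```javascript
// Added example: detect floating npm specifiers and pin them from a lockfile.
// A range such as "^1.9.4" lets a fresh `npm install` (no lockfile, or a
// lockfile that is ignored in CI) resolve a newer release at deploy time;
// an exact "1.9.4" cannot drift. Not Arches project code.

const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];
// peerDependencies describe compatibility rather than what gets installed,
// so they are intentionally left out of the audit.

// Exact semver: optional "=" or "v", major.minor.patch, optional prerelease/build.
const EXACT_RE = /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Specifiers that are not registry versions at all: aliases, git/URL/file deps.
const URL_RE = /^(?:npm:|git\+|github:|gitlab:|bitbucket:|file:|link:|https?:)|^[^@\s/]+\/[^\s]+$/;

function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (URL_RE.test(s)) return "url-or-alias";
  if (EXACT_RE.test(s)) return "exact";
  return "range"; // ^, ~, >=, *, "latest", x-ranges, "||", hyphen ranges
}

// Group every audited dependency as "section:name@spec" by specifier kind.
function auditPackageJson(pkg) {
  const report = { exact: [], range: [], "url-or-alias": [] };
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      report[classifySpecifier(spec)].push(`${section}:${name}@${spec}`);
    }
  }
  return report;
}

// Version a lockfile (lockfileVersion 2 or 3) resolved for a top-level package.
function lockedVersion(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  return entry ? entry.version : undefined;
}

// Copy of pkg with each range replaced by its locked version; packages the
// lockfile does not know about are reported instead of guessed.
function pinFromLockfile(pkg, lock) {
  const pinned = JSON.parse(JSON.stringify(pkg)); // do not mutate the input
  const unresolved = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pinned[section] || {})) {
      if (classifySpecifier(spec) !== "range") continue;
      const version = lockedVersion(lock, name);
      if (version) pinned[section][name] = version;
      else unresolved.push(name);
    }
  }
  return { pinned, unresolved };
}

// Constructed sample inputs (hypothetical names and versions, not real manifests).
const SAMPLE_PACKAGE = {
  dependencies: {
    leaflet: "^1.9.4",
    "some-table-lib": "~1.10.0",
    vue: "3.4.21",
    "my-fork": "github:example-org/my-fork",
  },
  devDependencies: { eslint: ">=8", typescript: "*" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/leaflet": { version: "1.9.4" },
    "node_modules/some-table-lib": { version: "1.10.18" },
    "node_modules/vue": { version: "3.4.21" },
    "node_modules/eslint": { version: "8.57.0" },
    // typescript is deliberately absent: it cannot be pinned from this lockfile
  },
};

console.log("floating specifiers:", auditPackageJson(SAMPLE_PACKAGE).range);
console.log("pinned manifest:", JSON.stringify(pinFromLockfile(SAMPLE_PACKAGE, SAMPLE_LOCK)));
```

Run it with `node` to see which entries would be rewritten; a CI step that fails when `auditPackageJson(...).range` is non-empty is the check that keeps the policy enforced after the initial pinning.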

aj-he commented 3 months ago

@chrabyrd this would be great. We've had a number of occasions when we've scheduled a release that breaks because overnight a dependency releases something that then breaks the deployment pipeline (datatables!).

EDIT: actually, this tends to happen more with pypi packages than front end so could this be extended to pip installs too?

jacobtylerwalls commented 3 months ago

> EDIT: actually, this tends to happen more with pypi packages than front end so could this be extended to pip installs too?

@aj-he Most Python deps are pinned exactly; it looks like only a handful aren't. The Django pin is loosened only for security updates, on the assumption those are always stable, and to not require fast new patch releases of arches. Do you recall what gave you trouble before?

jacobtylerwalls commented 3 months ago

Re: Python deps, just noticed today that setuptools advises against exact pins (for libraries, like arches; projects being another matter):

https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html#dynamic-metadata