department-of-veterans-affairs / notification-api

Notification API

Spike: Dependency Management - PDM #912

Closed k-macmillan closed 1 year ago

k-macmillan commented 1 year ago

Goal

The goal of this task is to test PDM as a dependency manager and identify how it addresses the tests below. Gather notes about ease of setup and how well the package is documented, in addition to testing the items listed below.

Update the doc with your findings.

Tech Stack-Specific

The following are related to our specific tech stack.

Flask Import Error Test

Required: fido2 < 1.0.0
Installed: 0.9.3

Flask raises ImportError with higher versions.  I expect that newer versions of Flask fix this or don't require Fido.

Celery Dependencies

Required: kombu < 5.0
Installed: 4.6.11

Celery depends on this package, and the Docker image build failed with the newest version.  Ignoring security vulnerability 42497 in Makefile.  The vulnerability is fixed in kombu>=5.2.1.

Security Vulnerability Check

How does each handle security vulnerabilities?

Required: click-datetime>=0.2
Installed: 0.2 (newest version)

This package requires click, which has a security vulnerability 47833 ignored in Makefile.  The vulnerability is fixed in click>=8.0.

Installed: click v7.1.2

Updating Pinned Versions

What, if anything, does it do with pinned versions? If a pin is removed, how does it handle it?

Required:
Flask < 2.0
Flask-Bcrypt==0.7.1
Flask-Cors==3.0.10
Flask-JWT-Extended==4.1.0
flask-marshmallow==0.11.0
Flask-Migrate==2.5.2

Installed Flask: 1.1.4

Newer versions of Flask cause errors, and all of the Flask-* packages are pinned to accommodate this.

Specific Version Commit Test

Specific commit test. How does it handle it?

Required and installed: git+https://github.com/mitsuhiko/flask-sqlalchemy.git@500e732dd1b975a56ab06a46bd1a20a21e682262#egg=Flask-SQLAlchemy==2.3.2.dev20190108

Requiring Flask-SQLAlchemy version 2.3.2, 2.5, or 3.0 causes test failures via database errors about foreign key constraint violations.

Specific Version Tag Test

Required: PyPDF2 < 2.0.0
Installed: 1.28.6

Required and installed: git+https://github.com/department-of-veterans-affairs/notification-utils.git@1.0.67#egg=notification-utils==1.0.67

Flask raises ImportError with newer versions of PyPDF2.  notification-utils version 1.0.66 also raises import errors with newer versions, but that package can be updated to version 1.1.0 if we upgrade Flask.

Timebox

3 days
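Two of the tests above (the git commit/tag pins and the ignored security advisories) can be exercised with a small script. The following is an added example, not code from the notification-api repository or from PDM: it rewrites the pip-style requirement lines quoted in the issue into the PEP 508 direct-reference form that PDM records in `[project] dependencies`, and it checks whether the advisories ignored in the Makefile (ids 42497 and 47833, with the fix versions stated in the issue) are still applicable to the installed versions. The `INSTALLED` mapping and the advisory table are constructed from the issue text; the version comparison is a deliberately simplified numeric one so the script needs no third-party package.

```python
"""
Added example for the PDM spike (not part of notification-api or PDM).

1. to_pep508(): convert a pip requirement line, including
   'git+URL@REF#egg=NAME==VER' pins, into the 'NAME @ git+URL@REF' form
   PDM accepts in [project] dependencies.
2. review_ignores(): for each advisory ignored in the Makefile, decide
   whether the installed version still predates the fix.
"""
import re
from typing import Dict, List, Tuple

# Requirement lines copied from the issue (constructed input for this example).
REQUIREMENTS: List[str] = [
    "fido2<1.0.0",
    "kombu<5.0",
    "click-datetime>=0.2",
    "Flask<2.0",
    "Flask-Bcrypt==0.7.1",
    "git+https://github.com/mitsuhiko/flask-sqlalchemy.git"
    "@500e732dd1b975a56ab06a46bd1a20a21e682262#egg=Flask-SQLAlchemy==2.3.2.dev20190108",
    "git+https://github.com/department-of-veterans-affairs/notification-utils.git"
    "@1.0.67#egg=notification-utils==1.0.67",
]

# Installed versions quoted in the issue (constructed input).
INSTALLED: Dict[str, str] = {"kombu": "4.6.11", "click": "7.1.2", "fido2": "0.9.3"}

# (advisory id, package, first fixed version) as stated in the issue.
IGNORED_ADVISORIES: List[Tuple[str, str, str]] = [
    ("42497", "kombu", "5.2.1"),
    ("47833", "click", "8.0"),
]

# url = everything up to the '#egg=' fragment; egg = distribution name; the
# '==VER' after the egg name is optional and is dropped (PDM takes the version
# from the checkout itself).
_VCS_RE = re.compile(r"^(?P<url>git\+[^#\s]+)(?:#egg=(?P<egg>[A-Za-z0-9_.-]+)(?:==\S+)?)?$")


def to_pep508(requirement: str) -> str:
    """Return the PEP 508 form of a pip requirement line."""
    m = _VCS_RE.match(requirement.strip())
    if not m:
        # Plain 'name<spec>' lines are already valid PEP 508.
        return requirement.strip()
    if not m.group("egg"):
        raise ValueError(f"cannot infer distribution name from {requirement!r}")
    return f"{m.group('egg')} @ {m.group('url')}"


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version: '4.6.11' -> (4, 6, 11).
    Pre-release suffixes such as '.dev20190108' are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def still_affected(installed: str, fixed_in: str) -> bool:
    """True if the installed version is older than the first fixed version."""
    a, b = version_key(installed), version_key(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so '8' and '8.0' compare equal
    b += (0,) * (n - len(b))
    return a < b


def review_ignores(installed: Dict[str, str],
                   advisories: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Verdict per ignored advisory: 'still needed', 'can be dropped',
    or 'not installed' (the ignore is dead weight either way)."""
    verdicts = []
    for adv_id, pkg, fixed in advisories:
        if pkg not in installed:
            verdicts.append((adv_id, pkg, "not installed"))
        elif still_affected(installed[pkg], fixed):
            verdicts.append((adv_id, pkg, "still needed"))
        else:
            verdicts.append((adv_id, pkg, "can be dropped"))
    return verdicts


if __name__ == "__main__":
    print("[project] dependencies for PDM:")
    for line in REQUIREMENTS:
        print(f'  "{to_pep508(line)}",')
    print("\nMakefile ignore list review:")
    for adv_id, pkg, verdict in review_ignores(INSTALLED, IGNORED_ADVISORIES):
        print(f"  {adv_id} ({pkg}): {verdict}")
```

Running it prints the dependency list ready to paste into `pyproject.toml` and reports both ignores as still needed, which matches the issue: kombu 4.6.11 predates the 5.2.1 fix and click 7.1.2 predates 8.0. Re-running after a pin bump is the quick way to tell when an ignore can be removed from the Makefile.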

mjones-oddball commented 1 year ago

Hey team! Please add your planning poker estimate with Zenhub @cris-oddball @EvanParish @ianperera @jakehova @k-macmillan @kalbfled @trevor2718

mjones-oddball commented 1 year ago

Reassigned to Lucas due to availability and knowledge. Aiming to discuss dependency learnings/options this Friday at the engineering sync.

ldraney commented 1 year ago

Please see the updated doc. I have a strong distaste for pipenv due to its being managed by pip. For me, Poetry is the obvious winner. I will now be diving deep into PDM to see how it compares to Poetry. My axiom for choosing a dependency manager is developer autonomy.