department-of-veterans-affairs / notification-api

Notification API
MIT License

Spike: Dependency Management - Poetry #913

Closed k-macmillan closed 1 year ago

k-macmillan commented 1 year ago

Goal

The goal of this task is to test Poetry as a dependency manager and identify how it addresses the tests below. Gather notes about ease of setup and how well the package is documented, in addition to testing the items listed below.

Update the doc with your findings.

Tech Stack-Specific

The following are related to our specific tech stack.

Flask Import Error Test

Required: fido2 < 1.0.0
Installed: 0.9.3

Flask raises ImportError with higher versions.  I expect that newer versions of Flask fix this or don't require Fido.

Celery Dependencies

Required: kombu < 5.0
Installed: 4.6.11

Celery depends on this package, and the Docker image build failed with the newest version.  Ignoring security vulnerability 42497 in Makefile.  The vulnerability is fixed in kombu>=5.2.1.

Security Vulnerability Check

How does each handle security vulnerabilities?

Required: click-datetime>=0.2
Installed: 0.2 (newest version)

This package requires click, which has a security vulnerability 47833 ignored in Makefile.  The vulnerability is fixed in click>=8.0.

Installed: click v7.1.2

Updating Pinned Versions

What, if anything, does it do with pinned versions? If a pin is removed, how does it handle it?

Required:
Flask < 2.0
Flask-Bcrypt==0.7.1
Flask-Cors==3.0.10
Flask-JWT-Extended==4.1.0
flask-marshmallow==0.11.0
Flask-Migrate==2.5.2

Installed Flask: 1.1.4

Newer versions of Flask cause errors, and all of the Flask-* packages are pinned to accommodate this.

Specific Version Commit Test

Specific commit test. How does it handle it?

Required and installed: git+https://github.com/mitsuhiko/flask-sqlalchemy.git@500e732dd1b975a56ab06a46bd1a20a21e682262#egg=Flask-SQLAlchemy==2.3.2.dev20190108

Requiring Flask-SQLAlchemy version 2.3.2, 2.5, or 3.0 causes test failures via database errors about foreign key constraint violations.

Specific Version Tag Test

Required: PyPDF2 < 2.0.0
Installed: 1.28.6

Required and installed: git+https://github.com/department-of-veterans-affairs/notification-utils.git@1.0.67#egg=notification-utils==1.0.67

Flask raises ImportError with newer versions of PyPDF2.  notification-utils version 1.0.66 also raises import errors with newer versions, but that package can be updated to version 1.1.0 if we upgrade Flask.

Timebox

3 days
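How each of the cases above would be written in Poetry's pyproject.toml, as an added example that is not a file from the notification-api repository or from the ticket's documentation; the project name, placeholder version and Python constraint are assumptions:

```toml
# pyproject.toml: constructed example, not a file from the notification-api repo.
[tool.poetry]
name = "notification-api"        # assumed project name
version = "0.0.0"                # placeholder
description = "Dependency constraints from the Poetry spike, in Poetry syntax"

[tool.poetry.dependencies]
python = "^3.8"                  # assumed interpreter constraint

# Flask Import Error Test: upper bound only, so Poetry resolves the newest
# release below 1.0.0 (the issue reports 0.9.3 installed).
fido2 = "<1.0.0"

# Celery Dependencies: kombu held below 5.0 because the image build fails on
# newer releases. This keeps it below 5.2.1, where the issue says
# vulnerability 42497 is fixed, so the exception must be tracked elsewhere.
kombu = "<5.0"

# Security Vulnerability Check: click-datetime pulls in click, and nothing
# here constrains click, so the resolver may keep a release before 8.0, where
# the issue says vulnerability 47833 is fixed. The resolved click version is
# recorded in poetry.lock, which is the file to audit.
click-datetime = ">=0.2"

# Updating Pinned Versions: a bare version is an exact pin in Poetry.
# Loosening a pin (for example "^0.7", meaning >=0.7.0,<0.8.0) lets
# `poetry update` move within that range on the next resolve.
Flask = "<2.0"
Flask-Bcrypt = "0.7.1"
Flask-Cors = "3.0.10"
Flask-JWT-Extended = "4.1.0"
flask-marshmallow = "0.11.0"
Flask-Migrate = "2.5.2"

# Specific Version Commit Test: pin to the commit hash. The #egg= fragment from
# the pip URL is not needed; Poetry reads the version from the checkout's metadata.
Flask-SQLAlchemy = { git = "https://github.com/mitsuhiko/flask-sqlalchemy.git", rev = "500e732dd1b975a56ab06a46bd1a20a21e682262" }

# Specific Version Tag Test: pin to the git tag.
PyPDF2 = "<2.0.0"
notification-utils = { git = "https://github.com/department-of-veterans-affairs/notification-utils.git", tag = "1.0.67" }
```

Running `poetry lock` against this file produces the poetry.lock that records every resolved version, including transitive ones such as click and kombu.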

mjones-oddball commented 1 year ago

Hey team! Please add your planning poker estimate with Zenhub @cris-oddball @EvanParish @ianperera @jakehova @k-macmillan @kalbfled @trevor2718

ldraney commented 1 year ago

I just completed this ticket, and updated the documentation here.

I may not have understood the Specific Version Tag Test and Security Vulnerability Check tests. My first impression was to check if Poetry was capable of something specific in each case, which I did. But you seem to want me to reproduce these errors using Poetry, is that right?

I can do that, but these seem outside the scope of tools and are more general to dependency management in itself. @k-macmillan

ldraney commented 1 year ago

Updated the relevant documentation; though it may not be exactly what the tests desired, we have sufficient knowledge to know Poetry is an excellent choice as a dependency manager, with the axiom being optimizing developer autonomy.