juftin / hatch-pip-compile

hatch plugin to use pip-compile (or uv) to manage project dependencies and lockfiles
http://juftin.com/hatch-pip-compile/
MIT License

Significance of Python version for resolved dependencies #5

Closed oprypin closed 11 months ago

oprypin commented 11 months ago

Hi!

pip-compile resolves dependencies for a particular Python version, and it is important because projects can define dependencies like this:

importlib-metadata >=4.3; python_version < '3.10'

To represent this, it includes a comment, which at least makes it clear, but nothing is done with it as far as I know:

# This file is autogenerated by pip-compile with Python 3.11

and in that file for the above example importlib-metadata isn't even mentioned anywhere! So it will just not work if someone tries to use this lock file with Python 3.9.

As such, I think this plugin could be improved as follows, especially because Hatch gives it direct information about the intended Python version:

  1. Include the Python version in the header (currently it is stripped)

  2. Perhaps warn users when an environment is invoked that the lock file might be intended for a different Python version than is currently used?

  3. Anything else? Like managing separate lock files in case there is a matrix with multiple Python versions?

juftin commented 11 months ago

Oh, I like this idea. Here's what I'm thinking for an error message and updated header. Open to any feedback, though.

####################################################################################
# 🔒 hatch-pip-compile 🔒
# Generated with Python 3.9.4
#
# - hatch
#
####################################################################################
...
Python version mismatch detected
    Lock File: requirements.txt
    Lock Version: 3.9.4
    Hatch Environment (default): 3.11.4
Dependencies will be attempted to be synced, but may fail
Lock file will not be updated - delete the lock file to regenerate

This message only applies when an existing lock file is detected. Only Python major and minor versions are considered when comparing.
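
The comparison described in the comment above (the lock file's recorded Python version against the environment's, major and minor only), as an added example that is not part of the thread or hatch-pip-compile's own code. The function names and sample lock files are constructed for illustration; the regular expression covers only the two header lines quoted in this thread.

```python
import re
import sys

# Covers the two header lines quoted in this thread:
#   "# This file is autogenerated by pip-compile with Python 3.11"
#   "# Generated with Python 3.9.4"
_HEADER_RE = re.compile(r"^#.*\bwith Python (\d+)\.(\d+)(?:\.\d+)?\b")

# Constructed sample lock files (not taken from a real project).
PIP_COMPILE_LOCK = """\
#
# This file is autogenerated by pip-compile with Python 3.11
#
click==8.1.7
"""
PLUGIN_LOCK = """\
####################################
# Generated with Python 3.9.4
#
# - hatch
####################################
hatch==1.7.0
"""


def lock_python_version(lock_text):
    """Return (major, minor) from the leading comment block, or None."""
    for line in lock_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("#"):
            break  # header ended; comments below the pins are not trusted
        match = _HEADER_RE.match(line)
        if match:
            return int(match.group(1)), int(match.group(2))
    return None


def version_mismatch(lock_text, env_version=None):
    """Return a warning string, or None when major.minor agree."""
    env = tuple(env_version or sys.version_info)[:2]
    locked = lock_python_version(lock_text)
    if locked is None:
        return "Lock file does not record a Python version"
    if locked != env:
        return ("Python version mismatch: lock file %d.%d, environment %d.%d"
                % (locked + env))
    return None
```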

oprypin commented 11 months ago

Good stuff!

My suggestion:

-Generated with Python 3.9.4
+Generated with Python 3.9

Motivation: This will cause a diff way too often and doesn't help - patch version never affects anything.


-Dependencies will be attempted to be synced, but may fail
+Dependencies will still be installed, but they may be incorrect for this Python version

Motivation: for the particular example I showed, the dependencies will actually install fine, just that at run time it will fail to import because it's missing. I think this will be the much more typical scenario, though failure to sync might also be a possible outcome, I'm not sure.


Additionally: While we are here, could I ask to avoid the lock emoji? 🥺 It'll be the only character always bringing the file out of ASCII range - and who knows which tool may somehow not like that.

oprypin commented 11 months ago

Ah, and I forgot to add: maybe adding too many big warnings is not the most pragmatic solution. If one contributor updates their Python but another one doesn't, and can't do so easily, the warning can be too annoying. And maybe the lock files will work across versions in most cases anyway, so people will just be angry at the warning 😕

Anyway - maybe the warning should be really short and/or dismissible somehow.

juftin commented 11 months ago

Closing this as #9 was merged via #11. Let me know if you have any other concerns and we can re-open.