python-poetry / poetry

Python packaging and dependency management made easy
https://python-poetry.org
MIT License

Dependency Audit #5720

Closed danieleades closed 2 years ago

danieleades commented 2 years ago

We should audit Poetry's dependencies to ensure they are rock solid.

Some of the dependencies could do with a refresh:

| Dependency | Maintained? / last updated | Notes |
| --- | --- | --- |
| cachy | 7/8/19 | Some tidying required. No type annotations. Deps out of date. |
| entrypoints | unmaintained | This dep should be replaced with importlib-metadata / importlib.metadata. |
| importlib-metadata | actively maintained | Required for Python 3.7 only. Should be removed when 3.7 is end-of-life. |

there may be others worth looking at

onerandomusername commented 2 years ago

Is it possible for poetry to vendor some of its dependencies? I don't think poetry exactly needs 50 dependencies installed, as sometimes those dependencies break

danieleades commented 2 years ago

> Is it possible for poetry to vendor some of its dependencies? I don't think poetry exactly needs 50 dependencies installed, as sometimes those dependencies break

I count 39 non-dev transitive dependencies.

I don't think that's necessarily an issue, since they are managed and isolated. I'm more interested in ensuring the foundation packages used by Poetry are solid than in changing the way those packages are distributed. Are there specific dependencies that you think should be vendored? If so, why?

Secrus commented 2 years ago

@danieleades I agree with you on entrypoints. When it comes to importlib-metadata, it will be kept until we drop Python 3.7, and that will be 1yr+ as that's how long 3.7 will be officially supported by the PSF.

When it comes to cachy, you can try finding some alternative and prepare a PR for migrating to it. However, as cachy is made by sdispater, I am quite sure it's tailored for Poetry and it might be hard to find a good alternative.

Long story short, PRs are welcome :D

danieleades commented 2 years ago

> @danieleades I agree with you on entrypoints. When it comes to importlib-metadata, it will be kept until we drop Python 3.7, and that will be 1yr+ as that's how long 3.7 will be officially supported by the PSF.
>
> When it comes to cachy, you can try finding some alternative and prepare a PR for migrating to it. However, as cachy is made by sdispater, I am quite sure it's tailored for Poetry and it might be hard to find a good alternative.
>
> Long story short, PRs are welcome :D

I've got a few open PRs to refresh cachy, though I don't know how active the maintenance is. Agree that we can't touch importlib-metadata for a while; listing it here for awareness. Had a quick look at removing entrypoints, but it's non-trivial. Hopefully there'll be some time in my future where I can have a proper crack at it, but it won't be in the next few weeks.

Secrus commented 2 years ago

> > @danieleades I agree with you on entrypoints. When it comes to importlib-metadata, it will be kept until we drop Python 3.7, and that will be 1yr+ as that's how long 3.7 will be officially supported by the PSF. When it comes to cachy, you can try finding some alternative and prepare a PR for migrating to it. However, as cachy is made by sdispater, I am quite sure it's tailored for Poetry and it might be hard to find a good alternative. Long story short, PRs are welcome :D
>
> I've got a few open PRs to refresh cachy, though I don't know how active the maintenance is. Agree that we can't touch importlib-metadata for a while; listing it here for awareness. Had a quick look at removing entrypoints, but it's non-trivial. Hopefully there'll be some time in my future where I can have a proper crack at it, but it won't be in the next few weeks.

Sure. Marked it as "Good first issue", maybe someone will take a look at the entrypoints in the meantime.

abn commented 2 years ago

Regarding entrypoints, I have a migration to importlib.metadata ready. However, as it stands it's non-trivial to gather entry points via importlib's public API when a path to distributions is provided. Once that is solved, I will replace entrypoints.

As for cachy, I was thinking we should just pull out the relevant bits from cachy (the file cache) and move them into the poetry codebase. This has yet to be discussed. Either we do that, or pull cachy into the poetry org. For the former, a PoC PR would be great to start discussions, if anyone is willing.

Secrus commented 2 years ago

entrypoints are now removed in favor of importlib version.

danieleades commented 2 years ago

> entrypoints are now removed in favor of importlib version.

Nice one!

Looking at it now, it seems to be relying on an undocumented feature: the `dist` attribute of an `EntryPoint` is undocumented here - https://docs.python.org/3/library/importlib.metadata.html. It also means importlib-metadata can't be deprecated until Python > 3.10.

Ideally it would be refactored to only use the documented API, available in importlib.metadata in Python 3.8+. I'm not sure how non-trivial that is. I had a quick look and it wasn't completely obvious.
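The problem abn and danieleades describe above (gathering entry points from an explicit path to distributions, and knowing which distribution provides each one without the undocumented `EntryPoint.dist` attribute) can be solved with API that importlib.metadata has documented since Python 3.8: `distributions(path=...)`, `Distribution.entry_points` and `Distribution.metadata`. The following is an added example, not Poetry's own code. The plugin group name `poetry.plugin` and the three distributions it writes to a temporary directory are constructed for the example; the helper names are mine.

```python
"""Enumerate plugin entry points from an explicit distribution path using
only documented importlib.metadata API (Python 3.8+).

Added example; not Poetry's own code. Instead of reading the undocumented
EntryPoint.dist attribute, it walks each Distribution found under the given
path and reads that distribution's own entry points, so the owning
distribution is known without touching any private attribute.
"""
import os
import tempfile
from importlib.metadata import distributions


def entry_points_from_path(group, path):
    """Return sorted (distribution name, entry point name, target) tuples for
    every entry point in `group` provided by distributions under `path`.

    `path` is a list of directories. `path` is a documented
    DistributionFinder.Context parameter, so the search stays off sys.path,
    which is what a loader handed an explicit path needs.
    """
    found = []
    for dist in distributions(path=list(path)):
        dist_name = dist.metadata["Name"]
        for ep in dist.entry_points:
            if ep.group == group:
                found.append((dist_name, ep.name, ep.value))
    return sorted(found)


def write_sample_distribution(root, name, version, group, entries):
    """Write a minimal <name>-<version>.dist-info directory (constructed
    sample data) so the example runs offline without installing anything."""
    dist_info = os.path.join(root, f"{name}-{version}.dist-info")
    os.makedirs(dist_info, exist_ok=True)
    with open(os.path.join(dist_info, "METADATA"), "w", encoding="utf-8") as f:
        f.write(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    with open(os.path.join(dist_info, "entry_points.txt"), "w", encoding="utf-8") as f:
        f.write(f"[{group}]\n")
        for ep_name, target in entries:
            f.write(f"{ep_name} = {target}\n")
    return dist_info


def build_sample_path():
    """Create a temporary directory holding three constructed distributions:
    two providing the (assumed) plugin group and one unrelated to it."""
    root = tempfile.mkdtemp(prefix="ep-audit-")
    write_sample_distribution(root, "poetry-plugin-alpha", "1.0", "poetry.plugin",
                              [("alpha", "alpha_plugin:AlphaPlugin")])
    write_sample_distribution(root, "poetry-plugin-beta", "2.0", "poetry.plugin",
                              [("beta", "beta_plugin:BetaPlugin")])
    write_sample_distribution(root, "unrelated-tool", "0.1", "console_scripts",
                              [("unrelated", "unrelated.cli:main")])
    return root


if __name__ == "__main__":
    sample = build_sample_path()
    for dist_name, ep_name, target in entry_points_from_path("poetry.plugin", [sample]):
        print(f"{dist_name}: {ep_name} -> {target}")
```

Walking distributions rather than calling a group-wide `entry_points()` lookup is also the more auditable shape: every plugin target is reported together with the distribution that ships it, so a review of what a plugin loader would import can be done per package, from the exact directory it would be loaded from.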

chadac commented 2 years ago

Threw together a PR to see what replacing cachy could look like. Looking around, I think cachy's footprint can be shrunk by quite a bit, as Poetry only uses a small subset of its features.

neersighted commented 2 years ago

Closing this for now as we've addressed all the dependencies here (cachy is now dropped, and we're using newer features of importlib-metadata and thus on a newer version). It would be good to do this again another time, I think, but it would be easier to track in a new issue.

github-actions[bot] commented 8 months ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.