tfagerlind / verso

Verso is an application aimed to simplify and standardize automatic versioning in a continuous delivery context.
MIT License

Used versions of dependencies are not pinned #9

Closed kondensatorn closed 1 year ago

kondensatorn commented 1 year ago

Hi Tomas, hope you've had a nice summer!

Verso doesn't want to play nicely anymore.

To recreate problem:

git init test-verso
cd test-verso
python -m venv venv
. ./venv/bin/activate
pip install verso==0.1.1
git add *
git commit -m foo
git tag v0.1.1
verso next-version

This crashes due to a non-compatible version of semver being installed.

This can probably be fixed by pinning versions in install_requires in setup.py, but then various other make targets begin to fail.

Problems I have found so far:

Assuming you will have opinions on the exact solutions to these problems, I gave up on creating a PR, settling for opening an issue instead.

Happy Hacking!

tfagerlind commented 1 year ago

Hello, Christer! Nice to hear from you! Everything is fine! I will have a look at it!

tfagerlind commented 1 year ago

I have a fix for this in the trunk. However, I have met issues during release. PyPI requires two-factor authentication, but that is hard to do when you haven't set it up, and you need to get into the account in order to set it up ... I have contacted PyPI in order to get support.

The fix is basically to adhere to the new method introduced in version 3 of the SemVer dependency. I hope that suits you well. I assume most uses of verso would be in a docker container that has control over its dependencies, so backward compatibility with SemVer should not be necessary.

kondensatorn commented 1 year ago

Hi again!

If I understand correctly, with your current setup, the versions you pin in requirements.txt don't matter; as I understand it, they are not actually used when people run pip install. This is why I mentioned setup.py in my initial report.

So if I'm right, this would be a temporary fix, still using the latest and greatest dependencies on pip install, until we get another version that is not backwards compatible.

tfagerlind commented 1 year ago

Yes, requirements.txt only affects the development and testing, not the end user. The fix of significance was to change the calls to in_valid(). Won’t that solve your issue?

As far as I know, pinning dependencies in setup.py is a bad practice since it increases the likelihood of not being able to resolve dependencies if the user has several applications that use the same dependency. I think that the root cause is rather that I haven’t kept the dependencies in my testing pipeline up-to-date and hence haven’t discovered the changes in the semver dependency.

Until I have managed to release a new version, I assume that a work-around for you is to explicitly install the semver dependency with a version below 3.0.0, just before the installation of verso.

kondensatorn commented 1 year ago

I think the bad practice is to pin to exact versions; if you look here, for instance (that is a popular package 😄), it uses ranges for versions in setup.py.

tfagerlind commented 1 year ago

I guess you are right. "requests" has, for example, required "charset_normalizer" to be less than version 4 even though version 4 is not yet released.

kondensatorn commented 1 year ago

This is presumably to buy them time to adapt to version 4, if and when it arrives.

tfagerlind commented 1 year ago

I have addressed your concern in https://github.com/tfagerlind/verso/commit/8810048707586f4c0a5db456e239a14662b0562f. A release is on its way, but it is delayed because of the ongoing recovery of my account mentioned earlier in this thread.

tfagerlind commented 1 year ago

A new version has now been released (0.1.2). Apart from various minor changes that only affect development, the package is now compatible, and only compatible, with the latest major of the semver dependency. In order to reduce the likelihood that a mismatch happens again, I have also put requirements on the majors of each required dependency. Thanks Christer for the error report and the provided advice. Don't hesitate to create a new issue if you encounter more problems. Closing ticket.
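Added example, not part of the thread or of verso's code: a small audit of the requirement strings a package declares to pip (install_requires / Requires-Dist, as opposed to requirements.txt), sorting each into the three cases discussed above: no upper bound, a capped range, or an exact pin. The function names and the sample strings are assumptions constructed for illustration.

```python
import re
from importlib import metadata

# One PEP 440 comparison clause, e.g. ">=3.0" or "<4" (longest operators first).
_CLAUSE = re.compile(r"(~=|===|==|!=|<=|>=|<|>)\s*([^\s,;)]+)")
_NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def classify(requirement):
    """Return (name, verdict) for one install_requires / Requires-Dist string.
    open   - no upper bound: the next incompatible major installs silently
    capped - upper bound or compatible-release range: resolver stays flexible
    exact  - pinned to one version: reproducible, but conflicts easily
    """
    spec = requirement.split(";", 1)[0]  # ignore environment markers
    match = _NAME.match(spec)
    if not match:
        raise ValueError(f"unparsable requirement: {requirement!r}")
    clauses = _CLAUSE.findall(spec[match.end():])
    if any(op in ("==", "===") and not ver.endswith(".*") for op, ver in clauses):
        verdict = "exact"
    elif any(op in ("<", "<=", "~=", "==") for op, _ in clauses):
        verdict = "capped"  # a remaining "==" here is a wildcard such as ==3.*
    else:
        verdict = "open"
    return match.group(1).lower(), verdict


def audit(requirements):
    """Map each dependency name to its verdict."""
    return dict(classify(r) for r in requirements)


def audit_installed(dist_name):
    """Audit what an installed distribution declares to pip (not requirements.txt)."""
    return audit(metadata.requires(dist_name) or [])


# Constructed sample requirement strings, not copied from verso's setup.py.
SAMPLES = [
    "semver",         # unbounded: pip picks the newest release
    "semver<3.0.0",   # the work-around range mentioned in the thread
    "semver>=3,<4",   # capped to one major
    "semver==3.0.0",  # exact pin
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(f"{req:<16} -> {classify(req)[1]}")
```

Running `audit_installed("<package>")` inside a virtual environment reports the same verdicts for whatever that package's published metadata actually declares.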