bump dependencies #22
An easier strategy to consider, since we only want to parse the requirements, might be to run Also might look at pipreqs for some useful thoughts. Though it looks like it mainly scans for imports. Still could be handy for detecting a
How do we decide between run and build requirements?
They are run dependencies. It doesn't export build dependencies (e.g. More generally we have discouraged anyone from adding stuff to build beyond IOW if someone actually has a build dependency, it is reasonable to assume that they are linking to it or maybe it's some other build tool. Alternatively it could be an old recipe not following best practices. IMHO it is fair to say we don't touch build dependencies. It's also probably best as the maintainer may have pinned the build requirements due to build issues that would not be obvious from inspecting the source (e.g. breaks on some version of Sound reasonable? Other thoughts/concerns?
That sounds reasonable to me. I have seen a few PRs with massive build requirements (as python packages) but those usually end up being not needed. I usually default to the "bot make reasonable decision which is non-aggressive and maintainers/reviewers can be more aggressive", so having the bot default to the recipe for build requirements goes well with that sentiment.
Sure. Along those lines it would be reasonable to parse out optional dependencies that maintainers already harden and refresh those dependencies. Am hopeful this ends up being mostly straightforward.
Would it be possible to add a note to the PRs reminding maintainers to check dependencies themselves? After talking to a few maintainers, I don't think they are aware the bot isn't doing this for them.
Linking issue ( pypi/warehouse#474 ) as this would provide an API for querying dependencies from Warehouse.
@jakirkham @CJ-Wright Here are some thoughts about handling dependencies for R packages.
If you're interested in obtaining the dependencies of many packages (e.g. to build a dependency graph), one option would be to call Hopefully some of that was useful. Please let me know if you have specific questions.
This might be more doable now with Python 3.8's
cc @beckermr (as you asked about this in the core meeting earlier 😉)
Thank you!
Yeah was about to say. I don't think this is a blocker for the auto-merge, but it is highly desirable functionality. 😉 For things like C/C++ this mostly falls out of
Should add there is some other work along these lines. So hopefully the bot can just leverage this once it's ready. Please feel free to add more and/or correct me as needed 🙂
I hope to speed up the development from my side to also support it, it is one of my goals to have it to the "new skeleton".
@medb what do you mean? This issue is about keeping requirements stated in the
One option would be to use Grayskull ( #1471 )
Looks like PEP 658 is now deployed on PyPI! 🎉 Maybe this is another option for pulling this metadata?
@CJ-Wright commented on Wed Feb 28 2018
It would be good to have a way to bump dependencies along with the versions.
See: https://github.com/conda/conda-build/blob/master/conda_build/skeletons/pypi.py#L869
@isuruf
@sodre