
Use python poetry for managing dependencies in a deterministic fashion

Open agu3rra opened this issue 1 year ago • 2 comments

I noticed the repo contains a collection of requirements.txt files without pinned dependencies. This translates to every time a "build" (a dependencies pull in the case of Python) happens, a new set of dependencies will be resolved (time dependent), which could lead to issues reproducing the same exact dev environment on multiple machines.

I suggest using https://python-poetry.org/ to manage dependencies as it is really efficient and makes it clear which dependencies you rely on.

I volunteer to submit a PR if you're up for it. Just let me know @danielmiessler.

Cheers! \o/

PS: I assume you wish to manage the client and server dependencies separately. Please confirm if that's the case.

agu3rra avatar Feb 02 '24 14:02 agu3rra

@agu3rra @danielmiessler can I work on this?

I have experience in setting up poetry from scratch on a codebase

AvikantSrivastava avatar Feb 02 '24 19:02 AvikantSrivastava

This sounds good but it's a bit beyond my Python dependency skills. Can you describe what all changes this would entail?

The prime directive of the project's codebase is simplicity. So if we can do this without adding complexity I'm happy to hear about it.

danielmiessler avatar Feb 03 '24 22:02 danielmiessler

Hello @danielmiessler I've submitted the above PR #32 to show you what it will look like for the client app only. The PR has a screenshot of how the install and CLI command will look.

I strive for simplicity and good laziness :)

agu3rra avatar Feb 04 '24 11:02 agu3rra

Why not simply pin the versions in requirements.txt?

martin-luecke avatar Feb 05 '24 16:02 martin-luecke

Why not simply pin the versions in requirements.txt?

Unless you manually add all direct and transitive dependencies there, the outcome is not the same. Say you have requests==1.2.3 in there; its underlying transitives (e.g. idna, urllib3, etc.) can resolve to something different every time.

Additionally, requirements.txt doesn't make it obvious which of your deps are direct vs. indirect and can become a nightmare to maintain when applying security patches to your libs as you cannot tell what's code that you directly call vs. indirectly call. Getting to possible upgrade paths is also a pain.

I've listed some of the benefits of poetry in the PR as well. Overall it just makes it easier and less error-prone to maintain dependencies.

Dependencies overview in poetry

For this project this is partially how it looks: (screenshot attached)

agu3rra avatar Feb 05 '24 19:02 agu3rra
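The two points made in this thread (the opening post's concern about unpinned requirements.txt files, and the reply above explaining that pinning requests==1.2.3 still leaves idna, urllib3 and friends unconstrained) can be checked mechanically. The script below is an added example, not code from the fabric repository or from PR #32. It parses requirements.txt text, reports direct dependencies that are not pinned with `==`, and then, using a constructed stand-in for package metadata (`SAMPLE_TRANSITIVES`; the package names and versions are sample data, not fabric's real dependency set), lists the transitive packages a fully pinned requirements.txt still says nothing about. Those are exactly the packages a lock file such as poetry.lock records, and `missing_from_lock` shows how to verify that a lock covers them.

```python
"""Added example (not from the fabric repo or its PR): audit a requirements.txt
for non-deterministic specifiers and show that pinning only direct dependencies
leaves transitive ones unconstrained. All package data below is constructed."""
import re

# Constructed sample in the form the issue describes: direct deps, no pins.
UNPINNED_REQUIREMENTS = """\
# sample client requirements (constructed)
requests
openai>=1.0
pyyaml
"""

# Constructed sample with every *direct* dependency pinned with ==.
PINNED_REQUIREMENTS = """\
requests==2.31.0
openai==1.10.0
pyyaml==6.0.1
"""

# Constructed, simplified dependency graph: direct package -> transitive deps.
# A real resolver reads this from package metadata; this stands in for it offline.
SAMPLE_TRANSITIVES = {
    "requests": ["urllib3", "idna", "charset-normalizer", "certifi"],
    "openai": ["httpx", "pydantic", "anyio"],
    "pyyaml": [],
}

# Constructed sample of what a lock file records: every package, direct or not.
SAMPLE_LOCK = {
    "requests", "urllib3", "idna", "charset-normalizer", "certifi",
    "openai", "httpx", "pydantic", "anyio",
    "pyyaml",
}

# name, optional operator, optional version (PEP 508 extras/markers omitted)
SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S*)$"
)


def parse_requirements(text):
    """Return a list of (name, operator, version) tuples.

    Blank lines, comments and option lines (-r, -e, --index-url ...) are skipped.
    Names are lower-cased so comparisons with the graph/lock are case-insensitive.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed requirement: {raw!r}")
        name, op, ver = m.groups()
        out.append((name.lower(), op or "", ver))
    return out


def unpinned(text):
    """Names of direct deps not locked to one exact version (anything but '==')."""
    return [name for name, op, _ in parse_requirements(text) if op != "=="]


def unconstrained_transitives(text, graph=SAMPLE_TRANSITIVES):
    """Transitive packages the requirements file says nothing about.

    Even with every direct dependency pinned, these resolve to whatever is
    newest at install time, which is the non-determinism the thread describes.
    """
    direct = {name for name, _, _ in parse_requirements(text)}
    result = set()
    for name in direct:
        for dep in graph.get(name, []):
            if dep not in direct:
                result.add(dep)
    return sorted(result)


def missing_from_lock(text, lock, graph=SAMPLE_TRANSITIVES):
    """Packages (direct or transitive) that the lock fails to record.

    A complete lock returns []; a stale or hand-edited lock shows the gaps.
    """
    direct = {name for name, _, _ in parse_requirements(text)}
    needed = set(direct)
    for name in direct:
        needed.update(graph.get(name, []))
    return sorted(needed - set(lock))


if __name__ == "__main__":
    print("unpinned direct deps:", unpinned(UNPINNED_REQUIREMENTS))
    print("unpinned after pinning:", unpinned(PINNED_REQUIREMENTS))
    print("still unconstrained:", unconstrained_transitives(PINNED_REQUIREMENTS))
    print("missing from lock:", missing_from_lock(PINNED_REQUIREMENTS, SAMPLE_LOCK))
```

Run it as-is to see the gap: pinning the three direct packages removes every `unpinned` finding, yet seven transitive packages remain free to float; only the lock (here `SAMPLE_LOCK`) closes that gap, which is the property a lock-file-based tool gives you and a hand-maintained requirements.txt does not.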

Thank you, we'll check out the PR!

danielmiessler avatar Feb 05 '24 23:02 danielmiessler