
Switch to `uv` for package management

Open JasonGrace2282 opened this issue 1 year ago • 0 comments

[!WARNING] This PR is not yet ready to be merged. I mainly created this as an experiment; a lot of the reviewing of the dependency updates hasn't happened yet.

Proposed changes

  • Use uv over hand-locked requirements.txt
  • Bump (semver compliant) packages

This PR does NOT attempt to do a Python upgrade or Django upgrade, but rather bumps the minor/patch versions of most packages used.

TODO

  • [x] Convert docker setup to uv
  • [ ] Pin non-semver/NEP29 compliant packages
  • [ ] Review for breaking changes from the lockfile

Brief description of rationale

Let me just prefix this by saying I did this because bumping dependencies for Django and its related packages is annoying to do by hand.

The Problem

Hand-locking a requirements.txt is painful, and annoying when trying to upgrade dependencies due to resolving dependency version conflicts between packages. Just using version specifiers (>=, <, etc.) fixes this problem, but introduces the possibility of using different packages during development vs during deployment. This is what build frontends (such as uv, pipenv, and/or poetry (not to be confused with the poetry build backend)) aim to fix. They allow using version specifiers, and create a lock file with pinned versions of each dependency (including transitive ones)!

Why uv?

The problem with tools like poetry and pipenv is that creating this lock file, or installing from the lock file, is annoyingly slow. uv is written in Rust, and is much more snappy at resolving dependency matches, installs packages/wheels faster, and gives better error messages when a dependency conflict arises.

Another huge benefit of uv is that production scripts don't need to be upgraded (much). uv can convert a uv.lock into a requirements.txt automatically (including pinned transitive dependencies, which are dependencies of dependencies):

```
pip install -U uv
uv export --no-dev -o requirements.txt
uv pip install --system -r requirements.txt
```

[!NOTE] The produced requirements.txt is platform-dependent, and as such is not checked into git.

JasonGrace2282 avatar Sep 16 '24 22:09 JasonGrace2282
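
The post above contrasts loose version specifiers with a lock file that pins every dependency, transitive ones included. As an added example (not part of the original post or the project's code), the following check flags entries in an exported requirements.txt that are not locked to one exact version, so a deployment cannot silently resolve a different package than development did. The sample file contents, package versions and the hash are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like an exported requirements file
# (versions and the hash value are made up for illustration).
SAMPLE = """\
# This file was autogenerated by uv
django==4.2.16 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
colorama==0.4.6 ; sys_platform == 'win32'
requests>=2.31
celery
-e ./local_pkg
"""

# name[extras]==version, with no wildcard and no second specifier.
PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?\s*[^\s*;,]+$")


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def unpinned(text):
    """Return the entries that are not locked to a single exact version."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):
            # Editable installs and nested requirement files are not version-locked.
            if line.split()[0] in ("-e", "--editable", "-r", "--requirement"):
                findings.append(line)
            continue
        # Strip per-requirement options (--hash=...) and environment markers.
        spec = re.split(r"\s--", line, maxsplit=1)[0]
        spec = spec.split(";", 1)[0].strip()
        if not PINNED.match(spec):
            findings.append(spec)
    return findings


if __name__ == "__main__":
    for entry in unpinned(SAMPLE):
        print("not pinned:", entry)
```

Run as a CI step against the exported file, a non-empty result is a reason to fail the build before the install step.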