conda-lock icon indicating copy to clipboard operation
conda-lock copied to clipboard
verified publisher icon conda

Dependency cleanup

Open ctcjab opened this issue 7 months ago • 1 comments

Checklist

  • [x] I added a descriptive title
  • [x] I searched open reports and couldn't find a duplicate

What happened?

pyproject.toml declares runtime dependencies on packages that are usually not runtime dependencies (e.g. packages you import from or shell out at runtime to executables they provide), which bloats and complicates the dependency graph and environment for consumers. (For example, build and virtualenv.) Typically these are instead more suitably declared as build or dev dependencies. Are all the runtime dependencies declared in pyproject.toml actually runtime dependencies? Note this affects the downstream conda package as well, whose meta.yaml has the same issue.

Additional Context

No response

ctcjab avatar May 02 '25 23:05 ctcjab

Thanks for raising this issue! I'm glad to dump my current thoughts on this.

@ctcjab, are you running into any particular conflicts? If so, that would be good to know, and we can tackle those individually. But for now I'll focus on the general situation.

The current reason for this situation is as follows:

https://github.com/conda/conda-lock/blob/21ae67a37085321db82c2066f7e471a469d1f41d/pyproject.toml#L59-L74

Poetry's attitude towards dependencies has been a pain point. They are firmly in the camp of "we are an application, not a library" and unfortunately since we vendor Poetry, conda-lock inherits this. In the past I have relaxed Poetry's upper bounds without consequence, but that does carry a minor risk of allowing untested versions. I have also successfully removed some dependencies without any impact on the functioning of conda-lock.

A similar complaint has also been raised by @bollwyvl in https://github.com/conda/conda-lock/issues/615#issuecomment-2245519920 and his subsequent two comments. I like his suggestion of modularity, and I currently believe it's the right thing to do, but it will take a lot of work.

In summary, some not-necessarily-exclusive approaches are:

  1. Frequently revendor Poetry so that the dependencies stay hopefully reasonably up-to-date.
  2. Relax upper bounds to reduce version conflicts. (Makes vendoring more difficult and risks breaking the tight coupling expected by Poetry.)
  3. Prune unneeded dependencies. (Risks introducing breakage in edge cases, and makes revendoring difficult.)
  4. Make conda-lock modular so that these requirements are unnecessary for pure-conda environments. (A lot of work.)
  5. Interface with pyrattler (pixi) to eventually remove Poetry. (A lot of work and time.)

Any thoughts, or suggestions for additional approaches?

maresb avatar May 03 '25 09:05 maresb