log10
Add dependency locking
The current setup with a single requirements.txt file does not provide versions for dependencies. This works in the short term, but in the longer term when things stop working it would be really complicated to know what version of each dependency we were using.
The best practice should be to commit a lock file under version control, such as a pipenv.lock. However, we could also take the opportunity to move to poetry, which is more popular (25k stars vs 4.7k stars compared to hatch), and has better support from tools in the ecosystem (mypy, flake8, etc.)
This sgtm. Tagging @nqn for any thoughts.
@edmondop With your poetry update, this should be fixed right?
That's correct. There is a poetry.lock under version control.
If you check the pyproject.toml, for example, the declared version for langchain is here https://github.com/log10-io/log10/blob/main/pyproject.toml#L31 and says: "anything including or above 0.0.242", but the last time I performed an install and locked the dependencies, exactly 0.0.242 was installed (there was probably any newer). The poetry.lock is under version control, and shows this piece of information:
https://github.com/log10-io/log10/blob/main/poetry.lock#L994C1-L1004C2
So, when you do a poetry install, the versions of the libraries are taken from the poetry.lock and not the pyproject.toml to ensure reproducibility over time, but you can update versions locally for development: poetry install --upgrade, I think
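The gap between a declared constraint and a locked version, as discussed in the reply above, can be checked mechanically. This is an added example, not code from the thread or the log10 repository: the file contents are constructed samples, `Example_Client` is a hypothetical package, and the function names are assumptions.

```python
import re

try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # backport for older interpreters

# Constructed sample input, not the real log10 files.
SAMPLE_PYPROJECT = """
[tool.poetry.dependencies]
python = ">=3.8.1,<4.0"
langchain = ">=0.0.242"
Example_Client = {version = "^1.4", optional = true}
"""
SAMPLE_LOCK = """
[[package]]
name = "langchain"
version = "0.0.242"
"""

def normalize(name):
    """PEP 503 name normalization, so Example_Client matches example-client."""
    return re.sub(r"[-_.]+", "-", name).lower()

def declared_constraints(pyproject_text):
    """Return {package: constraint} from [tool.poetry.dependencies]."""
    deps = tomllib.loads(pyproject_text)["tool"]["poetry"]["dependencies"]
    out = {}
    for name, spec in deps.items():
        if name == "python":
            continue  # interpreter constraint, not a package
        # A dependency is either a bare string or a table with a "version" key.
        out[normalize(name)] = spec if isinstance(spec, str) else spec.get("version", "*")
    return out

def locked_versions(lock_text):
    """Return {package: exact pinned version} from the [[package]] entries."""
    packages = tomllib.loads(lock_text).get("package", [])
    return {normalize(p["name"]): p["version"] for p in packages}

def audit(pyproject_text, lock_text):
    """Return (package, constraint, locked version or None) per direct dependency."""
    locked = locked_versions(lock_text)
    declared = declared_constraints(pyproject_text)
    return [(name, spec, locked.get(name)) for name, spec in sorted(declared.items())]

if __name__ == "__main__":
    for name, spec, pinned in audit(SAMPLE_PYPROJECT, SAMPLE_LOCK):
        print(f"{name}: declared {spec!r}, locked {pinned or 'MISSING FROM LOCK'}")
```

A `None` in the third position means a direct dependency was declared without the lock file being regenerated, which is worth failing a CI job on.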