Pin packages with >= ranges?
There has been a lot of discussion during the beta if packages that have a >= range should be pinned. This came up recently again and I think it should be discussed.
What is a >= range?
A line with e.g. requests>=2.7 tells pip to install requests with at least 2.7 and everything above that.
What's happening
The updater won't pin the package.
Why?
There is a use case that makes the current behaviour pretty neat: Indirect dependencies.
Let's consider the following fictional example: A codebase has a direct dependency some-package.
some-package==1.0.3
some-package is pulling in a second, indirect dependency requests. This happens all the time and is nothing to worry about per se, but can lead to problems if some-package's setup.py is not very well maintained and if a specific version of requests is known to be broken with it.
This can be fixed on the project level with a requirement file like this:
some-package==1.0.3
requests>=2.7 # some package has problems with requests <=2.7, just make sure we don't use that
It indicates that the project itself doesn't really care about requests and just wants to make sure that everything above 2.7 is installed.
The more I think about it, I'm in favor of ditching this behaviour. It has its use case but is confusing. Problems like this happen, but the updater shouldn't make smart guesses about that.
I agree with you that packages with >= shouldn't be pinned, but the bot could generate a new PR updating the version, i.e.
requests>=2.7
generate a PR that changes it to:
requests>=2.13.0
It could be useful for deprecating old versions, and in my particular case I want to use pyup for the requirements of a cookiecutter template, and generating a template with pinned dependencies could be a bad idea (not all people that will use the template will configure pyup, and they will be stuck with old dependencies).
Maybe this is not the expected default behavior, but it could be an option to track >= dependencies.
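A small runnable sketch of the two behaviours discussed in this thread (leave >= ranges alone by default, and optionally raise their lower bound as proposed above), added here as an example and not pyup's own code; the requirements text and the LATEST table are constructed stand-ins for a real file and an index lookup.

```python
import re

# Constructed sample requirements file mirroring the thread's example.
SAMPLE_REQUIREMENTS = """\
some-package==1.0.3
requests>=2.7  # some package has problems with requests <=2.7
six
"""

# Constructed stand-in for an index lookup of the newest release per package.
LATEST = {"some-package": "1.1.0", "requests": "2.13.0", "six": "1.10.0"}

# name, optional operator + version, optional trailing comment
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<version>[^\s#]+))?"
    r"\s*(?P<comment>#.*)?$"
)


def parse_line(line):
    """Return (name, op, version, comment), or None for blank/comment-only lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = REQ_RE.match(stripped)
    if not m:
        raise ValueError("unsupported requirement line: %r" % line)
    return m.group("name"), m.group("op"), m.group("version"), m.group("comment")


def update_line(line, latest, bump_minimum=False):
    """Rewrite one requirement line against the newest known versions.

    == pins and bare names are (re)pinned to the latest release. A >= range is
    left untouched by default; with bump_minimum=True its lower bound is raised
    to the latest release instead, the opt-in behaviour proposed in the thread.
    Versions are compared as plain strings here, no PEP 440 ordering.
    """
    parsed = parse_line(line)
    if parsed is None:
        return line
    name, op, version, comment = parsed
    newest = latest.get(name)
    if newest is None:
        return line  # unknown package: never guess, leave the line alone
    tail = "  " + comment if comment else ""
    if op in (None, "=="):
        return "%s==%s%s" % (name, newest, tail)
    if op == ">=" and bump_minimum and newest != version:
        return "%s>=%s%s" % (name, newest, tail)
    return line


def update_requirements(text, latest, bump_minimum=False):
    """Apply update_line to every line of a requirements file."""
    return "\n".join(update_line(l, latest, bump_minimum) for l in text.splitlines())
```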