Update dependencies documentation (#21511)
* chore(): install hashin on dev to pip other deps. * Update dependencies documentation * Update docs/topics/development/dependencies.md Co-authored-by: Mathieu Pillard <diox@users.noreply.github.com> --------- Co-authored-by: Mathieu Pillard <diox@users.noreply.github.com>
This commit is contained in:
Родитель
a8d2740bba
Коммит
4f8f719bfb
|
@ -7,20 +7,14 @@ We use pip to manage dependencies and hashin to lock versions. We use npm to man
|
||||||
|
|
||||||
### Adding Python Dependencies
|
### Adding Python Dependencies
|
||||||
|
|
||||||
We have 2 requirements files for python dependencies:
|
We use `hashin <https://pypi.org/project/hashin>`_ to manage package installs. It helps you manage your ``requirements.txt`` file by adding hashes to ensure that the installed package versions match your expectations.
|
||||||
|
|
||||||
- prod.txt
|
hashin is automatically installed in local developer environments.
|
||||||
- dev.txt
|
|
||||||
|
|
||||||
Prod dependencies are used by our django app in runtime.
|
|
||||||
They are strictly required to be installed in the production environment.
|
|
||||||
|
|
||||||
Dev dependencies are used by our django app in development or by tools we use for linting, testing, etc.
|
|
||||||
|
|
||||||
> If you add just the package name the script will automatically get the latest version for you.
|
> If you add just the package name the script will automatically get the latest version for you.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
hashin -r <requirements file> <dependency>
|
hashin -r {requirements} {dependency}=={version}
|
||||||
```
|
```
|
||||||
|
|
||||||
This will add hashes and sort the requirements for you adding comments to
|
This will add hashes and sort the requirements for you adding comments to
|
||||||
|
@ -29,9 +23,34 @@ show any package dependencies.
|
||||||
When it's run check the diff and make edits to fix any issues before
|
When it's run check the diff and make edits to fix any issues before
|
||||||
submitting a PR with the additions.
|
submitting a PR with the additions.
|
||||||
|
|
||||||
### Upgrading Python Dependencies
|
### Managing Python Dependencies
|
||||||
|
|
||||||
We mostly rely on dependabot for this. TBD Add more details.
|
We have 2 requirements files for python dependencies:
|
||||||
|
|
||||||
|
- prod.txt
|
||||||
|
- dev.txt
|
||||||
|
|
||||||
|
Prod dependencies are used by our django app in runtime.
|
||||||
|
They are strictly required to be installed in the production environment.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make update_deps_prod
|
||||||
|
```
|
||||||
|
|
||||||
|
Dev dependencies are used by our django app in development or by tools we use for linting, testing, etc.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make update_deps
|
||||||
|
```
|
||||||
|
|
||||||
|
We use dependabot to automatically create pull requests for updating dependencies. This is configured in the `.github/dependabot.yml` file targeting files in our requirements directory.
|
||||||
|
|
||||||
|
### Managing transitive dependencies
|
||||||
|
|
||||||
|
In local development and in CI we install packages using pip, reading from one or more requirements files and always passing the `--no-deps` flag.
|
||||||
|
This prevents pip from installing transitive dependencies.
|
||||||
|
|
||||||
|
We do this because it gives us control over the full dependency chain - we know exactly which version of what package is installed so we can fully reproduce & trust environments.
|
||||||
|
|
||||||
## Frontend
|
## Frontend
|
||||||
|
|
||||||
|
|
|
@ -261,3 +261,6 @@ ruff==0.2.2 \
|
||||||
typing_extensions==4.10.0 \
|
typing_extensions==4.10.0 \
|
||||||
--hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \
|
--hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \
|
||||||
--hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb
|
--hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb
|
||||||
|
hashin==0.17.0 \
|
||||||
|
--hash=sha256:4c03b3b1520a5117d8fdc26ae83c1267bc40da9925cd89b56b437bcb02bebb53 \
|
||||||
|
--hash=sha256:baa00fe209ee6800a7d09ffa3198b31d71ab1503730e7c172b7eccd01b6ec47e
|
||||||
|
|
Загрузка…
Ссылка в новой задаче