Update dependencies documentation (#21511)

* chore(): install hashin on dev to pip other deps.

* Update dependencies documentation

* Update docs/topics/development/dependencies.md

Co-authored-by: Mathieu Pillard <diox@users.noreply.github.com>

---------

Co-authored-by: Mathieu Pillard <diox@users.noreply.github.com>
Kevin Meinhardt 2024-03-12 08:50:52 +01:00 committed by GitHub
Parent a8d2740bba
Commit 4f8f719bfb
No key matching this signature was found
GPG key ID: B5690EEEBB952194
2 changed files: 33 additions and 11 deletions


@ -7,20 +7,14 @@ We use pip to manage dependencies and hashin to lock versions. We use npm to man
### Adding Python Dependencies ### Adding Python Dependencies
We have 2 requirements files for python dependencies: We use `hashin <https://pypi.org/project/hashin>`_ to manage package installs. It helps you manage your ``requirements.txt`` file by adding hashes to ensure that the installed package versions match your expectations.
- prod.txt hashin is automatically installed in local developer environments.
- dev.txt
Prod dependencies are used by our django app in runtime.
They are strictly required to be installed in the production environment.
Dev dependencies are used by our django app in development or by tools we use for linting, testing, etc.
> If you add just the package name the script will automatically get the latest version for you. > If you add just the package name the script will automatically get the latest version for you.
```bash ```bash
hashin -r <requirements file> <dependency> hashin -r {requirements} {dependency}=={version}
``` ```
This will add hashes and sort the requirements for you adding comments to This will add hashes and sort the requirements for you adding comments to
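Review bot: the new introductory paragraph in this hunk uses reStructuredText markup (`hashin <https://pypi.org/project/hashin>`_ and double-backtick ``requirements.txt``) inside what the commit message identifies as a Markdown file, docs/topics/development/dependencies.md, so the link and the literal will render as raw text; use `[hashin](https://pypi.org/project/hashin)` and single backticks instead. Replacing the placeholder `<dependency>` with `{dependency}=={version}` is a good change: pinning the exact version alongside the generated hashes is what lets a later pip install detect an artifact that differs from the one that was reviewed, which is the point the paragraph makes about installed versions matching expectations.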
@ -29,9 +23,34 @@ show any package dependencies.
When it's run check the diff and make edits to fix any issues before When it's run check the diff and make edits to fix any issues before
submitting a PR with the additions. submitting a PR with the additions.
### Upgrading Python Dependencies ### Managing Python Dependencies
We mostly rely on dependabot for this. TBD Add more details. We have 2 requirements files for python dependencies:
- prod.txt
- dev.txt
Prod dependencies are used by our django app in runtime.
They are strictly required to be installed in the production environment.
```bash
make update_deps_prod
```
Dev dependencies are used by our django app in development or by tools we use for linting, testing, etc.
```bash
make update_deps
```
We use dependabot to automatically create pull requests for updating dependencies. This is configured in the `.github/dependabot.yml` file targeting files in our requirements directory.
### Managing transitive dependencies
In local development and in CI we install packages using pip, reading from one or more requirements files and always passing the `--no-deps` flag.
This prevents pip from installing transitive dependencies.
We do this because it gives us control over the full dependency chain - we know exactly which version of what package is installed so we can fully reproduce & trust environments.
## Frontend ## Frontend
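Review bot: the `make update_deps_prod` and `make update_deps` code blocks are dropped in after the prod/dev descriptions without any sentence saying what they do, so a reader cannot tell whether they install the pinned set, upgrade it, or regenerate hashes; add a one-line lead-in before each, for example "To install the pinned production dependencies into your environment, run:" (adjusted to what the target actually does). In the new "Managing transitive dependencies" section it is worth stating the consequence of `--no-deps` explicitly: since pip will not pull in transitive dependencies, every one of them must itself be listed in prod.txt or dev.txt with hashes, otherwise it is simply missing from the environment, so running hashin for a new package is only the first step. It would also help to say that the presence of `--hash` entries is what switches pip into hash-checking mode, since that is the mechanism behind the "fully reproduce & trust environments" claim.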


@ -261,3 +261,6 @@ ruff==0.2.2 \
typing_extensions==4.10.0 \ typing_extensions==4.10.0 \
--hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \ --hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \
--hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb --hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb
hashin==0.17.0 \
--hash=sha256:4c03b3b1520a5117d8fdc26ae83c1267bc40da9925cd89b56b437bcb02bebb53 \
--hash=sha256:baa00fe209ee6800a7d09ffa3198b31d71ab1503730e7c172b7eccd01b6ec47e
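Review bot: the new `hashin==0.17.0` entry is appended after `typing_extensions`, so this requirements file (dev.txt, per the commit message) is no longer alphabetically ordered, even though the documentation updated in the same commit says hashin sorts the requirements for you; either move the entry to its sorted position or adjust the docs so the stated behaviour matches what the tool produced here. Two hashes for the single pinned version (one per release artifact) is the expected shape, and placing hashin in dev.txt rather than prod.txt is correct for a developer-only tool and is consistent with the first hunk's "hashin is automatically installed in local developer environments".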