
Unpin requirements #71

Merged (1 commit, Apr 2, 2021)

Conversation

adamchainz (Contributor)

lxml has a security release in version 4.6.3, however I cannot upgrade to it due to ansible-playbook-grapher pinning it directly. As an installable tool that can interact with a virtualenv, ansible-playbook-grapher should not pin dependencies but declare ranges up until the next backwards-incompatible version, to allow users to fetch such upgrades.

haidaraM (Owner) commented Apr 1, 2021

Hi @adamchainz. Thank you for your contribution :-) Can you rebase your branch with the latest version on master? I made a change to run GitHub Actions on PRs also.

I had thought about fixing the dependencies or not in the past. I preferred to fix them to avoid surprises when installing the grapher. Not sure at this time that minor dependency changes don't break the grapher :-/ This is one of the reasons that dependabot is enabled on the project.

coveralls (Coverage Status)

Coverage remained the same at 94.33% when pulling 0984058 on adamchainz:unpin_requirements into 1d2eebd on haidaraM:master.

adamchainz (Contributor, Author)

I don't pin requirements on any of the 30 open source projects I maintain and it is basically never a problem. Most packages are pretty stable in Python. And anyway, users should be pinning their requirements so they can find and report any incompatibilities to you.

I do pin requirements in my projects' test runs though, and upgrade them every 2 weeks. This gives me repeatable builds and means I catch any necessary changes soon enough.
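As an added illustration of the pinning-versus-range argument in this thread (not code from ansible-playbook-grapher or from either participant), here is a small stdlib-only requirement-specifier checker. It assumes the pre-PR pin was an older 4.6.x such as 4.6.2 (a constructed value; the thread does not say which version was pinned) and shows which requirement styles let a user of the installed tool pick up the lxml 4.6.3 security release, while test-run pins stay exact as the second comment describes.

```python
import operator
import re

# Constructed requirement lines. The old pin is an assumption for the demo;
# the PR thread does not state which lxml version was pinned before the change.
PINNED = "lxml==4.6.2"        # assumed pre-PR style: blocks the 4.6.3 upgrade
RANGED = "lxml>=4.6.2,<5"     # style argued for in the PR: allows any 4.x >= 4.6.2
TEST_PINS = ["lxml==4.6.3"]   # exact pins kept only for repeatable test runs

_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<|~=)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """Turn '4.6.3' into the comparable tuple (4, 6, 3); plain releases only."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(line):
    """Split 'lxml>=4.6.2,<5' into ('lxml', [('>=', '4.6.2'), ('<', '5')])."""
    match = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", line.strip())
    name, rest = match.group(1), match.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in rest.split(","))):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), m.group(2)))
    return name, clauses


def satisfies(version, requirement):
    """True if `version` is allowed by every clause of `requirement`."""
    candidate = parse_version(version)
    _, clauses = parse_requirement(requirement)
    for op, bound in clauses:
        wanted = parse_version(bound)
        if op == "~=":
            # Compatible release: >= bound, and below bound with its
            # second-to-last component bumped (e.g. ~=4.6.2 means >=4.6.2,<4.7).
            if len(wanted) < 2:
                raise ValueError("~= needs at least two version components")
            ceiling = wanted[:-2] + (wanted[-2] + 1,)
            if not (candidate >= wanted and candidate[:len(ceiling)] < ceiling):
                return False
        elif not _OPS[op](candidate, wanted):
            return False
    return True


def upgrade_reachable(requirement, fixed_version):
    """Can a user on `requirement` get `fixed_version` by simply reinstalling?"""
    return satisfies(fixed_version, requirement)
```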

haidaraM (Owner) commented Apr 2, 2021

You are right.

@haidaraM haidaraM merged commit b2a80da into haidaraM:master Apr 2, 2021