runtime: bump pkginfo to ~1.12 #311
Conversation
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
| # NOTE: 1.12.0 and later enable support for metadata 2.4 | ||
| # NOTE: This can be dropped once twine stops using pkginfo | ||
| # Ref: https://github.com/pypa/twine/pull/1180 | ||
| pkginfo ~= 1.12.0 |
There was a problem hiding this comment.
I prefer indirect deps to go into a dedicated constraint file… Though, since there are precedents of having them here, this request is out of the scope of this PR. It's something to address separately.
There was a problem hiding this comment.
Yeah, I feel bad about this being here. The "good" news is that I can revert it pretty much immediately once it's locked, since pip won't downgrade it. But I don't know if that's better or worse 😅
There was a problem hiding this comment.
@woodruffw here's a pattern I came up with and started using in many places: https://github.com/ansible/awx-plugins/blob/e7d5733/dependencies/direct/py.in / https://github.com/ansible/awx-plugins/blob/e7d5733/dependencies/direct/py-constraints.in. Basically, any limitations, including transitive deps, are maintained in a separate file that does not contribute its entries to a list of "user install requests" but to "restrict if met during dependency resolution".
So I experimented with Maturin in #312, and it reproduces the issue and shows that this PR fixes it. I'm going to pull that into this PR soon, cleaning up the commits. Hold tight! P.S. I was hoping to find something more lightweight, but it appears that the version of Hatchling producing metadata 2.4 is unreleased (perhaps, waiting for us? — there's no public explanation and I filed pypa/hatch#1842). Poetry is unclear on what it produces, the change log doesn't mention it. I looked into the test suites for pip and twine but decided to postpone porting the wheel creation here, maybe I'll do so later. That's why I'm keeping Maturin for now, it adds 18 seconds to the CI job. |
|
Since I can't push to this branch, I'm going to complete this in #313. |
This follows #309 and should fix the metadata issues more thoroughly, since pkginfo 1.12 includes support for metadata 2.4.
See #310
CC @webknjaz