this post was submitted on 17 Jan 2025
13 points (84.2% liked)

Python
Welcome to the Python community on the programming.dev Lemmy instance!
PEP 735: what is its goal? Does it solve our dependency hell issue?

A deep dive, and out comes this limitation:

The mutual compatibility of Dependency Groups is not guaranteed.

-- https://peps.python.org/pep-0735/#lockfile-generation

Huh?! Why not?

mutual compatibility or go pound sand!

pip install -r requirements/dev.lock
pip install -r requirements/kit.lock -r requirements/manage.lock

The above code, purposefully, does not afford pip a fighting chance. If there are incompatibilities, they'll come out when trying randomized combinations.

Without a means to test for and guarantee mutual compatibility, end users will always find themselves in dependency hell.

Any combination of requirement files (or dependency groups), intended for the same venv, MUST always work!

What if this is scaled further, instead of one package, a chain of packages?!

[–] [email protected] 2 points 2 weeks ago (22 children)

I didn't know about StrictYAML, we're really going in circles lol

TOML is already RW by Poetry, PDM, and uv.

[–] logging_strict 1 points 1 week ago* (last edited 1 week ago) (19 children)

Yeah, but should it be (rw)?

If it's rw, it's a database, not a config file.

No software designer thinks ... postgreSQL, sqlite, mariadb, duckdb, .... nah TOML

Or at least yaml turns out to be not a strange suggestion

[–] [email protected] 3 points 1 week ago (14 children)

You have a strange definition of "database". Almost every language I touch on a daily basis (JS, Rust, C#) uses their package meta file to declare dependencies as well, yet none of those languages treat it as a "database".

[–] logging_strict 1 points 1 week ago (1 children)

especially JS, some package.json files are super long. The sqlite author would blush looking at that

[–] [email protected] 1 points 1 week ago (1 children)

Sure, but why is that a bad thing when you have lots of direct dependencies?

[–] logging_strict 1 points 3 days ago

As the quantity and relationship complexity increases, so too does the need for management tools to deal with the chaos.

Most Python coders cope by keeping things overly simple. Avoiding complexity at all costs.

Do you fully embrace requirement file complexity or do you avoid it?

  1. assume one venv

  2. has no way to deal with unavoidable incompatibilities

     Which may be due to: a package becoming unmaintained or overly zealous limiting of allowed versions

  3. has no way to adapt to security vulnerabilities (e.g. CVE-2024-9287)

  4. has no intelligent way to normalize both direct and transitive dependency versions across lock files
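The post's rule that any combination of lock files meant for the same venv must work, and point 4 above about normalizing pins across lock files, can both be checked statically before pip ever runs. The script below is an added example, not code from the post or from any of the tools named in the thread; the three lock files are constructed inline and the `requirements/*.lock` names mirror the post's `pip install -r` commands. Because a conflict between exact `==` pins always involves some pair of files, checking every pair covers every combination pip could be handed.

```python
"""Static mutual-compatibility check across a set of pip lock files (added example)."""
import re
from itertools import combinations

# Constructed sample lock files: filename -> contents of requirements/<filename>.
# manage.lock pins packaging to a different version than dev.lock and kit.lock.
LOCK_FILES = {
    "dev.lock": "pytest==8.3.4\npluggy==1.5.0\npackaging==24.2\n",
    "kit.lock": "build==1.2.2\npackaging==24.2\npyproject-hooks==1.2.0\n",
    "manage.lock": "pip-tools==7.4.1\npackaging==23.2\nclick==8.1.8\n",
}

# name, optional [extras], '==', version; version ends at whitespace, ';' marker or '#'.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 name normalization so 'Pip_Tools' and 'pip-tools' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Return {normalized_name: version} for every '==' pin in one lock file."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def find_conflicts(lock_files):
    """Return sorted [(package, {lockfile: version})] where two files pin different versions."""
    parsed = {name: parse_pins(text) for name, text in lock_files.items()}
    conflicts = {}
    for (a, pins_a), (b, pins_b) in combinations(parsed.items(), 2):
        for pkg in pins_a.keys() & pins_b.keys():  # packages both files pin
            if pins_a[pkg] != pins_b[pkg]:
                conflicts.setdefault(pkg, {})[a] = pins_a[pkg]
                conflicts[pkg][b] = pins_b[pkg]
    return sorted(conflicts.items())


if __name__ == "__main__":
    for pkg, versions in find_conflicts(LOCK_FILES):
        print(f"{pkg}: {versions}")  # packaging: {'dev.lock': '24.2', 'manage.lock': '23.2', 'kit.lock': '24.2'}
```

An empty result means the pins agree and the randomized `pip install -r` runs from the post are left to catch conflicts in unpinned or range constraints; a non-empty result names the package whose version must be normalized across the lock files before they can share a venv.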
