hey all, is it possible to override the version of...
# general
w
hey all, is it possible to override the version of a transitive dependency in a `python_distribution`?
c
the version comes from the lockfile, and there's no version field for dependencies beyond the `python_requirement` target, so no, you cannot override that on the `python_distribution`. What's the motivation to override it?
w
for example upgrading a transitive dependency due to security issues
c
if you're using lockfiles, regenerating the lockfile should pick up the latest available compatible versions, so unless there's a pin on the transitive dependency, that should get the upgrade.
w
and if there is a pin to a particular version?
c
if you have a dep chain like A -> B -> C, where there is a new security fix released for C, and you depend on A, and B has a pin on C, you need to fork or otherwise get B updated. This would be true also without pants in the picture.
i.e. if you override the version for C, `pip install` will complain about the version of C not being what B asks for.
w
yep, agreed this is true with/without pants, thanks.
another tangential question, I notice pants has the ability to ignore dependencies. Am I reading right that if you have A -> B -> C -> D, I can write an ignore rule for C, that would effectively create a package like this: A -> B -> //?
c
you can only ignore dependencies from your project. the terminology is kind of fuzzy here, so if you have a transitive dependency (within your project) to some third party library (a `python_requirement` target, say) then you can exclude that with a `!!target-address` in the dependencies field of any of your targets. but you can't exclude transitive dependencies that go beyond the targets you have declared, if that makes sense.
in other words, you can exclude any dependency that you can address, i.e. that is included when you do `pants list ::`
w
gotcha, I think I follow what you mean
l
I was looking into similar functionality as we wanted to pin one of the transitive dependencies. The issue is that `python_distribution` will only add your direct dependencies to the METADATA file (for a wheel), leaving dependency resolution to pip when you install your distribution. You can add your transitive dependency to the distribution as Andreas suggested (so you create a `python_requirement` for it and then you add it to the `python_distribution` under either `dependencies` or inside one of your sources). But that would increase the size of your package. One of the options that I am considering is to use pip's constraints file. If you ship it alongside your Python distribution file, you can then install it with `pip install --constraint constraint.txt your_distribution_file`.