
Chapter 9: Making a package evergreen

Package versioning strategy

  • Direct and indirect dependencies: Make sure to specify all your direct dependencies in your pyproject.toml file.
Danger

pip list shows direct and indirect dependencies mixed together, so it cannot tell you which packages your project actually declares.

Important

poetry show --tree lists the dependencies as a tree, which makes the distinction between direct and indirect dependencies clear. An alternative is pip-tools.

  • History behind the pip dependency resolution algorithm: Podcast.init episode 264

  • Dependency hell and the diamond dependency conflict. Prefer lower-bound versioning for your dependencies; try to avoid upper bounds; and above all, do not use pinned versions. Remember: only one version of each package can be installed at the same time within an environment.

  • Semantic versioning (most popular) and calendar versioning.
  • Use importlib.metadata.version to read, at runtime, the version that pyproject.toml declares for the installed package.
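As an added example (not part of the original notes), the checker below classifies each entry of a constructed [project].dependencies list by the kind of version constraint it carries, so pinned and upper-bounded entries stand out, and reads an installed distribution's version via importlib.metadata with the not-installed case handled. The regexes are a simplified PEP 508 parser written for this example, not a library API.

```python
# Added example, not from the original notes: flag dependency specifiers that
# break the versioning advice above and read an installed package's version.
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of [project].dependencies in pyproject.toml.
SAMPLE_DEPENDENCIES = [
    "requests>=2.28",                          # lower bound only: preferred
    "numpy>=1.24,<2.0",                        # upper bound: invites diamond conflicts
    "cryptography==41.0.7",                    # pinned: blocks every other consumer
    "packaging~=23.1",                         # compatible release = implicit upper bound
    "rich",                                    # no constraint at all
    "urllib3>=1.26; python_version < '3.12'",  # environment marker is ignored here
]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([^;]*)")
_SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([^,\s]+)")


def classify_requirement(req: str) -> Tuple[str, str]:
    """Return (name, category) for one PEP 508 requirement string.
    Categories, worst first: pinned, upper-bounded, lower-bound, unbounded."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, spec_text = m.group(1), m.group(2)
    ops = {op for op, _ in _SPEC_RE.findall(spec_text)}
    if ops & {"==", "==="}:
        return name, "pinned"
    if ops & {"<", "<=", "~="}:  # ~=X.Y means >=X.Y,==X.*, i.e. an upper bound
        return name, "upper-bounded"
    if ops & {">", ">="}:
        return name, "lower-bound"
    return name, "unbounded"


def audit_dependencies(reqs: List[str]) -> Dict[str, List[str]]:
    """Group package names by category so pinned and upper-bounded ones stand out."""
    report: Dict[str, List[str]] = {}
    for req in reqs:
        name, category = classify_requirement(req)
        report.setdefault(category, []).append(name)
    return report


def installed_version(dist_name: str) -> Optional[str]:
    """Installed distribution version via importlib.metadata, None if not installed."""
    try:
        return version(dist_name)
    except PackageNotFoundError:
        return None
```

Running audit_dependencies(SAMPLE_DEPENDENCIES) reports cryptography as pinned and numpy and packaging as upper-bounded, the two cases the notes above warn against.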

Getting the most out of GitHub

  • Dependabot: You can configure this tool to track your dependencies (actions, pip requirements) and update them whenever a new release is detected. Dependabot opens a pull request that you can then review and act on. More information here.
  • You can configure Dependabot to run periodically, for example weekly.
  • Code scanning with CodeQL: This is another tool that can be configured directly from the GitHub web UI (or via an action if you need more refined conditions). It searches your code for insecure patterns.
  • The particularity of CodeQL is that the community can contribute to its collection of vulnerable patterns and everyone can take advantage of this. You can also write a CodeQL query to search your repository for a particular pattern you want to avoid.
Important

Dependabot is magic! I am in love with it. For the simple python-project-model, which is a fork of toml-dataclass, it found five dependency updates: checkout action; python setup action; sphinx-rtd-theme; sphinx; and pypi-publish action.

  • Use the fail_under setting of the [tool.coverage.report] table in pyproject.toml to enforce a minimum test coverage.

Pre-commit and pyupgrade

  • pyupgrade is a tool that rewrites your Python syntax to the newer forms available as of a target Python version.
  • pre-commit is a tool that lets you run checks before each commit.
Important

It is important to keep the pre-commit tasks lightweight. They should run very fast. Formatting and quick core testing are good candidates for pre-commit tasks.