PEP 735 does dependency group solve anything?
(peps.python.org)
from logging_strict@programming.dev to python@programming.dev on 17 Jan 2025 02:13
https://programming.dev/post/24160206
from logging_strict@programming.dev to python@programming.dev on 17 Jan 2025 02:13
https://programming.dev/post/24160206
PEP 735 what is it’s goal? Does it solve our dependency hell issue?
A deep dive and out comes this limitation
The mutual compatibility of Dependency Groups is not guaranteed.
– peps.python.org/pep-0735/#lockfile-generation
Huh?! Why not?
mutual compatibility or go pound sand!
pip install -r requirements/dev.lock pip install -r requirements/kit.lock -r requirements/manage.lock
The above code, purposefully, does not afford pip a fighting chance. If there are incompatibilities, it’ll come out when trying randomized combinations.
Without a means to test for and guarantee mutual compatibility, end users will always find themselves in dependency hell.
Any combination of requirement files (or dependency groups), intended for the same venv, MUST always work!
What if this is scaled further, instead of one package, a chain of packages?!
#python
threaded - newest
Limitations of requirements.txt files
– peps.python.org/pep-0735/#limitations-of-requirem…
The only benefit i can see, is to attempt to bring requirements files into
pyproject.tomland an additional layer to abstract away from pip.^^ this does not keep me awake at night nor is it a substitute for porn
The PEP author’s intentions are good, puts focus on a little discussed topic.
The outcome … questionable
If this is all it’s doing, that’s not enough. Ignores the elephant in the room.
Which are
fixing dependency conflicts
mutual compatibility
Fixing dependency conflicts would be easier if can work with existing proven tooling. Which acts upon r/w files rather than pyproject.toml, a config file; shouldn’t constantly be updated.
reqs.txt files are not standardized and pip can read from a
pyproject.toml- which is - usingpip install .there are still many unresolved matters with dependency resolution, but we need to leave
requirements.txtfiles behind.Throwing out an alternative. Not making the assumption that more TOML is better. Cuz the contents of those
requirements.txtfiles are rw, not ro. I seepyproject.tomlas a ro configuration file.Do you agree or should
pyproject.tomlbe rw?Another option, strictly validated YAML.
For the configuration section, before parsing occurs, strict validation occurs against a schema.
TOML vs strictyaml – hitchdev.com/strictyaml/why-not/toml/
I didn’t know about StrictYAML, we’re really going in circles lol
TOML is already RW by Poetry, PDM, and uv.
Yeah, but should it be (rw)?
If it’s rw, it’s a database, not a config file.
No software designer thinks … postgreSQL, sqlite, mariadb, duckdb, … nah TOML
Or at least yaml turns out to be not a strange suggestion
it’s a config file that should be readable and writeable by both humans and tools. So yeah, it makes sense.
And I don’t lile yaml personally, so that’s a plus to me. My pet peeve is never knowing what names before a colon are part of the schema and which ones are user-defined. Even with strictyaml, reading the nesting only through indentation is harder than in toml.
You are not wrong, yaml can be confusing.
Recently got tripped up on sequence of mapping of mapping. Which is just a simple list of records.
But for the life of me, couldn’t get a simple example working.
Ended up reversed the logic.
Instead of parsing a yaml str. Created the sample list of dict and asked strictyaml to produce the yaml str.
Turns out the record is indented four spaces, not two.
- file: "great_file_name_0.yml" key_0: "value 0" - file: "great_file_name_1.yml" key_0: "value 0"Something like ^^. That is a yaml database. It has records, a schema, and can be safely validated!
The strictyaml documentation covers ridiculously simple cases. There are no practical examples. So it was no help.
Parser kept complaining about duplicate keys.
uh… a database implies use of a database management system. I don’t think saying that a YAML/TOML/JSON/whatever file is a database is very useful, as these files are usually created and modified without any guarantees.
It’s not even about being incorrect, it’s just not that useful.
But it’s treated 100% like a crappy CRUD database with no modern features or SQL
it’s a file containing records with a strict schema. And nothing else
You have a strange definition of “database”. Almost every language I touch on a daily basis (JS, Rust, C#) uses their package meta file to declare dependencies as well, yet none of those languages treat it as a “database”.
In this super specific case, the data that is being worked with is a many list of dict. A schema-less table. There would be frequent updates to this data. As package versions are upgraded, fixes are made, and security patches are added.
It’s not schemaless at all, it’s a dictionary of string to string. Not that complex.
The strictyaml schema holds a pinch of nuance.
The value argument is automagically coersed to a str. Which is nice; since the field value can be either integer or str. And i want a str, not an int.
A Rust solution would be superior, but the Python API is reasonable; not bad at all.
I’m not sure what you’re talking about. My point was that dependency definitions in pyproject.toml aren’t schemaless.
strict schema and a spec are not the same. package pyproject-validate can check if a pyproject.toml follows the spec, but not be using a strict schema.
A schema is similar to using Rust. Every element is strictly typed. Is that an int or a str is not enforced by a spec
If there was a strict schema, package pyproject-validate would be unnecessary
Wait. So there’s a tool that allows you to validate
pyproject.tomlfiles (since this file can be extended by any tool), and that somehow proves that dependency declarations inpyproject.tomlare schemaless? They literally use a JSON Schema for validating exactly this: …readthedocs.io/…/json-schemas.htmlIgnoring concurrency.
For a write to be transactional, validate-pyproject would need to be called:
Once prior to the read and again prior to the write.
Is that occurring always?
Haven’t checked if validate-pyproject has an API, so can be called on a str rather than only a file.
It seems you’re describing a lock file. No one is proposing to use or currently using pyproject.toml as a lock file. And even lock files have well defined schemas, not just an arbitrary JSON-like object.
then i’m misunderstanding what data
dependencies groupsare supposed to be storing. Just the equivalent of requirements.in files and mapping that to a target? And no-c(constraints) support?!Feels like tying one of hands behind our back.
see packaging.python.org/en/…/dependency-groups/#depe…
There’s a few edge cases on parsing dependency urls. So it’s not completely black and white.
just have to read over to pip-compile-multi to see that. (i have high praise for that project don’t get me wrong)
especially JS, some packages.json are super long. The sqlite author would blush looking at that
Sure, but why is that a bad thing when you have lots of direct dependencies?
As the quantity and relationships complexity increases so to does the need for management tools to deal with the chaos.
Most Python coders cope by keeping things overly simple. Avoiding complexity at all costs.
Do you fully embrace requirement file complexity or do you avoid it?
assume one venv
has no way to deal with unavoidable incompatibilities
Which maybe due to: a package becoming unmaintained or overly zealous limiting allowed versions
has no way to adapt to security vulnerabilities (e.g. CVE-2024-9287)
has no intelligent way to normalize both direct and transitive dependency versions across lock files
Highly suggest reading the strictyaml docs
The author lays out both
Why
Why not
Should be required reading for anyone dealing with config files, especially those encountering yaml.
Warning: After reading these, and confirming the examples yourself, seeing packages using pyyaml will come off as lessor
Not in circles, this is helping for me.
If you have strong support for a rw toml, would like to hear your arguments
I think you’re expecting this PEP to be something that it is not. It is not supposed to be a full solution to dependency hell (which I’m not really sure that there is). It is supposed to just allow a static method to declare dependencies, notably supporting both Python package and non-Python-package dependencies. There are plenty of use cases for when you might want incompatible sets of dependencies, for a simple example consider a graphics library with both a Vulkan and OpenGL backend. You could reasonably argue that you should allow both to coexist and just select the best one at runtime, but when you’re dealing with native libraries that’s not always possible, and there is no way to make a guarantee about compatibility without excluding all non-pure Python dependencies.
Wasn’t aware that this PEP is including non-Python package dependencies or how that affects dependency resolution.
Managing python dependencies is challenging enough
setuptools maintainers discuss pyproject.toml validation.
“I was under the impression that PyPI implements validation of the distribution files metadata, but if it does, the validation is not very strict. What is validated strictly is the form data that is sent alongside the distribution files. That can be tweaked as needed to support the metadata emitted by existing setuptools releases.
pip is most likely the most permissive consumer of metadata, thus I don’t expect it to do any validation.”
github.com/pypa/setuptools/issues/4759#issuecomme…
Here is the spaghetti code doing the validation as of
setuptools-75.8.0Found this out when investigating pep639 support issues. Long story short not yet fully implemented.