WX-1192 Updated semver versions for flagged dependencies #790
Conversation
… cython 3 or above, updated tox.ini and swagger-codegen-ignore
| @@ -0,0 +1 @@ | |||
| cython<3.0.0 | |||
There was a problem hiding this comment.
Will this constraint apply to every python package? I'm worried that it will end up causing more problems down the road as other packages begin to rely on new cython features. Is it possible to constrain just the problematic package?
There was a problem hiding this comment.
Yeah it will, however we pin dependencies to their exact values. If a fixed dependency updates it's Cython sub-dependency from v2 to v3 and still uses the deprecated features of Cython v2 then it'll break as well.
Constraining the version won't change the functionality of the library, and new features on a library would be tied to a version update which JM won't see due to pinned versions.
| @@ -2,6 +2,7 @@ | |||
| envlist = py310 | |||
|
|
|||
| [testenv] | |||
| setenv=PIP_CONSTRAINT={toxinidir}/constraints.txt | |||
There was a problem hiding this comment.
I believe it's good practice to include the constraints.txt inside a particular requirements.txt. I think it could make it a little easier down the road to figure out what is being constrained and why. This article seems helpful. Not a huge deal if there's some reason we can't do that.
There was a problem hiding this comment.
I went with the above per tox documentation here, which outlines setting constraints as seen above.
Didn't know you could do the above (most Github posts have people adding the -c <file name> flag to pip install), but seeing how it conflicts with the documented usage in tox I've opted for this instead.
That said I do need to update any pip install references to include the constraints flag. I'll add a new commit that does it.
There was a problem hiding this comment.
I'm in favor of doing what tox documentation does.
Good catch on the pip/docker stuff!
README.md
Outdated
| @@ -105,7 +105,7 @@ Monitors jobs launched by the [Cromwell workflow engine](https://github.com/broa | |||
| #### Notes | |||
| 1. Websocket reload on code change does not work in docker-compose (see | |||
| https://github.com/angular/angular-cli/issues/6349). | |||
| 2. Changes to `package.json` or `requirements.txt` or [regenerating the API](#updating-the-api-using-swagger-codegen) require a rebuild with: | |||
| 2. Changes to `package.json`, `requirements.txt` or `constraints.txt` [regenerating the API](#updating-the-api-using-swagger-codegen) require a rebuild with: | |||
There was a problem hiding this comment.
Happy to go with your preference here but can't miss this chance to stand up for the oxford comma.
…ints when installing PyYAML
|
Sorry, I'm going to ask for a re-review on my PR. While Turns out that using the Once the above completes, the Dockerfile will install the rest of the packages via |
JVThomas
dismissed
jgainerdewar’s stale review
Updated PR, requesting re-review
Addresses WX-1192
PR updates the
semverdependency insassto7.5.2in order to patch out a CVE present in older versions.There's also an additional backend update (unrelated to Sass) that was required due to a breaking sub-dependency update on
PyYAML. A constraints file was added to constrainCython's (the sub-dependency) version.