-
-
Notifications
You must be signed in to change notification settings - Fork 610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support selective ignoring of package dependencies #1645
base: main
Are you sure you want to change the base?
Conversation
for more information, see https://pre-commit.ci
Rebased on 6.8.0. The |
Just out of curiosity, what's your real-world use case for this feature?
Note the legacy resolver is deprecated and will be removed soon, which is why we don't accept new features related to it. |
Thanks for your interest. My real-world use case is the So when I install
meaning, "I don't want Basically, package maintaners sometimes fail to use |
Move python-jose dependency to requirements.in, as it's not just a development dependency. It's needed by the actual server too; via django-helusers, but still. Use the `cryptography` backend with python-jose, which is the recommended choice. Python-jose depends on `ecdsa`, `pyasn1` and `rsa` packages, but it doesn't need them when the `cryptography` backend is used. Those packages are excluded from the requirements.txt file by using --unsafe-package arguments with pip-compile. This works for now, since python-jose is the ONLY package that depends on those packages. If any other package update needs any of those other dependencies, then they need to be allwed again. There is a proposal to pip-tools [1] to provide a better tool for this kind of use case, but it hasn't been accepted. In order to not get those unnecessary dependencies installed anyways, the --no-deps argument needs to be given to `pip`. This was added to Dockerfile. [1] jazzband/pip-tools#1645
Move python-jose dependency to requirements.in, as it's not just a development dependency. It's needed by the actual server too; via django-helusers, but still. Use the `cryptography` backend with python-jose, which is the recommended choice. Python-jose depends on `ecdsa`, `pyasn1` and `rsa` packages, but it doesn't need them when the `cryptography` backend is used. Those packages are excluded from the requirements.txt file by using --unsafe-package arguments with pip-compile. This works for now, since python-jose is the ONLY package that depends on those packages. If any other package update needs any of those other dependencies, then they need to be allwed again. There is a proposal to pip-tools [1] to provide a better tool for this kind of use case, but it hasn't been accepted. In order to not get those unnecessary dependencies installed anyways, the --no-deps argument needs to be given to `pip`. This was added to Dockerfile. [1] jazzband/pip-tools#1645
Greetings, and thanks for this great library.
This is another PR addressing the "exclude-type" operations discussed in #333, and it is complementary to #1509.
#1509 lets you say: "After resolving the whole dependency graph, delete these nodes out of it."
This PR lets you say two different things:
"I want package
A
without requiring any of its dependencies." (cf. pip's--no-deps
)"The authors of package
A
made it depend onB
andC
. But when I useA
I don't needC
. So treatA
as if it didn't depend onC
."Usage looks like:
or
respectively.
Critically, we are not deleting nodes from the dependency graph, we are deleting edges, and refusing to follow them.
This means we are happy for some other package to bring a node into the graph, should that ever happen. So with this graph,
as long as I depend only on
A
, I wantpip-compile --cut-deps A:C
to keepC
,F
,G
out of my installation.However, if some day I add
X
to my project, then I'm happy forC
,F
,G
to come in.Contributor checklist
Maintainer checklist
backwards incompatible
,feature
,enhancement
,deprecation
,bug
,dependency
,docs
orskip-changelog
as they determine changelog listing.