Skip to content

Lock test dependencies #16283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 21, 2023
Merged

Lock test dependencies #16283

merged 2 commits into from
Oct 21, 2023

Conversation

hauntsaninja
Copy link
Collaborator

@hauntsaninja hauntsaninja commented Oct 18, 2023
edited
Loading

This was discussed in the contributor meetup today. This is a simple solution that requires very few changes. If you want to upgrade the lock file, you can pass --upgrade or just delete it and regenerate.

@github-actions

This comment has been minimized.

Sign in to view
AlexWaygood
AlexWaygood approved these changes Oct 18, 2023
View reviewed changes
Copy link
Member

@AlexWaygood AlexWaygood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

sobolevn
sobolevn reviewed Oct 20, 2023
View reviewed changes
test-requirements.txt Outdated
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
# pip-compile --output-file=test-requirements.txt --unsafe-package=typed-ast test-requirements.in
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need --unsafe-package=typed-ast part?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mention this in PR description, it's completely arbitrary, passing this results in pip-compile locking setuptools which is desirable since setuptools has caused us CI failures in the past

sobolevn
sobolevn reviewed Oct 20, 2023
View reviewed changes
Copy link
Member

@sobolevn sobolevn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I propose to instead use: --no-strip-extras --generate-hashes --allow-unsafe

  1. --no-strip-extras silences this warning:
WARNING: --strip-extras is becoming the default in version 8.0.0. To silence this warning, either use --strip-extras to opt into the new default or use --no-strip-extras to retain the existing behavior.
  1. --allow-unsafe is enough to have these line in lock file:
# The following packages are considered to be unsafe in a requirements file:
setuptools==68.2.2 \
    --hash=sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 \
    --hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a
    # via
    #   -r r.txt
    #   nodeenv
  1. Hashes are just great: less chance of MiM attack, etc

@hauntsaninja
Copy link
Collaborator Author

Thanks, I added points one and two. I didn't add hashes, I don't understand what the threat model would be for mypy's dev dependencies and I'm certainly not vetting provenance

@hauntsaninja hauntsaninja merged commit ff8cebb into python:master Oct 21, 2023
@hauntsaninja hauntsaninja deleted the dev-dep branch October 21, 2023 07:23
@github-actions
Copy link
Contributor

According to mypy_primer, this change doesn't affect type check results on a corpus of open source code. ✅

@KotlinIsland
Copy link
Contributor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sobolevn sobolevn sobolevn left review comments

@AlexWaygood AlexWaygood AlexWaygood approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hauntsaninja @KotlinIsland @sobolevn @AlexWaygood