
Poetry plugin to freeze a wheel's dependencies per lock file

Project description

Freeze Wheel Plugin

Poetry plugin for creating frozen wheels using lockfiles.

Why

A common issue when publishing a Python application's release to PyPI is whether the dependencies it specifies will continue to work over time. Breakage tends to come from a confluence of reasons: loose dependency specifications, poor observance of semantic versioning, or poor release management by the dependency itself. The result is that installing an older release of the application is unlikely to work, because the underlying dependency graph has changed since it was published.

The dependency ecosystem is both complex and fragile. The emergence of lock files to ensure repeatability is testimony both to the problem and to one solution. Yet when we publish into the packaging ecosystem we do so with non-frozen dependency specifications, not with lock files. That means the pipeline that produces and validates a release tests against a lock file, but the release artifact is divorced from the lock file's contents and starts to diverge from it the moment it is published.

The various language package distribution channels (npm, PyPI, RubyGems, etc.) serve two distinct purposes: distributing libraries and distributing applications. Generally speaking, the existing behavior is reasonable for a library. Libraries should be relatively liberal in their own dependency constraints, barring perhaps major-version bounds, to minimize conflicts for the applications that depend on them, and should ideally have minimal dependency graphs. For application distribution, however, repeatable and verifiable installs are fundamental goals, and the dependency graphs are potentially large. Using a frozen dependency graph rather than version specifications is the only way to ensure repeatable installation over time. Fundamentally, the two distribution purposes have different audiences: libraries are consumed by developers and applications, whereas applications are consumed by users.

What

A post-build / pre-publish command for creating wheels with frozen dependencies. The plugin rewrites the wheel's Requires-Dist metadata, replacing each pyproject.toml-based version specification with a frozen one (i.e. ==version) taken from the poetry lock file.

Note that poetry publish cannot be used to upload the frozen wheel, because it takes its metadata from pyproject.toml instead of from the frozen wheel's metadata.

Optional Dependencies

Frozen wheel metadata will contain Provides-Extra entries for any extra / optional dependencies. Frozen Requires-Dist lines will carry an extra marker (extra == "name") only for packages that appear solely in that optional/extra dependency graph.

If a package appears both as a (possibly nested) "main" dependency and as an "extra" dependency, its Requires-Dist entry in the frozen wheel will not carry an extra name; it is simply part of the main pinned set.

To define this behavior in relation to poetry's export plugin, these two flows should result in the same installed package set:

# Export Flow
poetry export -f requirements.txt > requirements.txt && pip install -r requirements.txt

# Freeze-wheel Flow
poetry build && poetry freeze-wheel && pip install my_frozen_wheel

And introducing extras:

# Export Flow
poetry export --extras gcp -f requirements.txt > requirements.txt && pip install -r requirements.txt

# Freeze-wheel Flow
poetry build && poetry freeze-wheel && pip install "my_frozen_wheel[gcp]"

The difference is when the extras to install are chosen: export selects them at export time, whereas freeze-wheel embeds the extra context at freeze time but defers the actual extra selection until install time.
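As an added example (written for this page, not the plugin's own code), the following Python models the freeze step described in the What and Optional Dependencies sections on a constructed lock graph, and shows why the export and freeze-wheel flows above install the same package set. The lock data, the project's main and extra dependencies, and the helper names (freeze_requires_dist, installed_set, export_set, unpinned, read_requires_dist) are assumptions for illustration; the real plugin reads poetry.lock (a TOML file), not a dict. Raising on a package missing from the lock and leaving excluded packages unpinned are this example's own choices, not documented plugin behavior.

```python
"""Model of the freeze step on a constructed lock graph.

Example code written for this page, not the plugin's implementation.
The lock graph, project dependencies and function names are assumptions.
"""
import re
import zipfile
from collections import deque

# Constructed stand-in for poetry.lock: name -> (resolved version, dependencies).
LOCK = {
    "requests":             ("2.31.0",    ["urllib3", "certifi"]),
    "urllib3":              ("2.0.7",     []),
    "certifi":              ("2023.7.22", []),
    "google-cloud-storage": ("2.10.0",    ["requests", "google-auth"]),
    "google-auth":          ("2.23.0",    ["urllib3"]),
    "attrs":                ("23.1.0",    []),
}

# Constructed stand-in for pyproject.toml: direct main deps and per-extra deps.
MAIN_DEPS = ["requests", "attrs"]
EXTRAS = {"gcp": ["google-cloud-storage"]}


def closure(roots, lock):
    """Names reachable from roots over the lock graph (transitive closure)."""
    seen, todo = set(), deque(roots)
    while todo:
        name = todo.popleft()
        if name in seen:
            continue
        if name not in lock:  # pyproject and lock disagree: refuse to freeze (example's choice)
            raise KeyError(f"{name} is not in the lock file")
        seen.add(name)
        todo.extend(lock[name][1])
    return seen


def pin(name, lock, exclude):
    """'name==version' from the lock; excluded names are left unpinned (assumption)."""
    return name if name in exclude else f"{name}=={lock[name][0]}"


def freeze_requires_dist(main_deps, extras, lock, exclude=()):
    """Pinned Requires-Dist lines for a frozen wheel.

    Everything reachable from the main dependencies gets a bare '==' pin.
    A package reachable only through an extra gets '; extra == "name"'.
    A package reachable from both (urllib3 here, via requests and via
    google-auth) is in the main set and carries no extra marker.
    """
    main = closure(main_deps, lock)
    lines = [pin(n, lock, exclude) for n in sorted(main)]
    for extra, roots in sorted(extras.items()):
        for name in sorted(closure(roots, lock) - main):
            lines.append(f'{pin(name, lock, exclude)}; extra == "{extra}"')
    return lines


# Splits 'pkg==1.0; extra == "gcp"' into the requirement and the extra name.
_MARKER = re.compile(r'^(?P<req>[^;]+?)\s*(?:;\s*extra\s*==\s*"(?P<extra>[^"]+)")?\s*$')


def installed_set(requires_dist, requested_extras=()):
    """What pip installs from these Requires-Dist lines for the given extras."""
    out = set()
    for line in requires_dist:
        m = _MARKER.match(line)
        if m["extra"] is None or m["extra"] in requested_extras:
            out.add(m["req"].strip())
    return out


def export_set(main_deps, extras, lock, requested_extras=()):
    """What 'poetry export --extras ...' would pin in requirements.txt."""
    roots = list(main_deps)
    for extra in requested_extras:
        roots += extras[extra]
    return {f"{n}=={lock[n][0]}" for n in closure(roots, lock)}


def unpinned(requires_dist):
    """Pre-publish gate: Requires-Dist lines that are not exact '==' pins."""
    return [l for l in requires_dist if "==" not in _MARKER.match(l)["req"]]


def read_requires_dist(wheel_path):
    """Requires-Dist lines from a built wheel's METADATA, for use with unpinned()."""
    with zipfile.ZipFile(wheel_path) as zf:
        meta = next(n for n in zf.namelist() if n.endswith(".dist-info/METADATA"))
        text = zf.read(meta).decode("utf-8")
    prefix = "Requires-Dist:"
    return [l[len(prefix):].strip() for l in text.splitlines() if l.startswith(prefix)]


if __name__ == "__main__":
    lines = freeze_requires_dist(MAIN_DEPS, EXTRAS, LOCK)
    print("\n".join(lines))
    assert installed_set(lines) == export_set(MAIN_DEPS, EXTRAS, LOCK)
    assert installed_set(lines, ("gcp",)) == export_set(MAIN_DEPS, EXTRAS, LOCK, ("gcp",))
    assert not unpinned(lines)
```

Running unpinned(read_requires_dist(path)) on the wheel in dist/ after poetry freeze-wheel and before twine upload catches a wheel that was built but never frozen. One limit to keep in mind: Requires-Dist can pin versions but cannot carry the lock file's hashes, so a frozen wheel gives repeatability, not hash verification; for that, pip's --require-hashes mode with an exported requirements file is still needed.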

Usage

# install plugin
poetry self add poetry-plugin-freeze

# build per normal
poetry build

# add freeze step
poetry freeze-wheel

# avoid freezing specific packages
poetry freeze-wheel --exclude boto3 -e attrs

# Note we can't use poetry to publish because it uses metadata from pyproject.toml instead
# of frozen wheel metadata.

# publish per normal
twine upload dist/*.whl

Mono-Repo Support

To support mono-repos consisting of multiple libraries/applications, main group dependencies specified by path can optionally be substituted, when the frozen wheel is created, with references to their released artifact versions.

This assumes automation that runs build and publish across the various subpackages, typically via make or just.

Download files


Source Distribution

poetry_plugin_freeze-1.0.6.tar.gz (27.0 kB, Source)

Built Distribution

poetry_plugin_freeze-1.0.6-py3-none-any.whl (7.2 kB, Python 3)

File details

Details for the file poetry_plugin_freeze-1.0.6.tar.gz.

File metadata

  • Download URL: poetry_plugin_freeze-1.0.6.tar.gz
  • Upload date:
  • Size: 27.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.1 CPython/3.10.12 Linux/6.5.0-1015-azure

File hashes

Hashes for poetry_plugin_freeze-1.0.6.tar.gz

  • SHA256: 317b9f87350f180915c6ec5202e9f807c6ef1b457bb8461747b25541e35df050
  • MD5: 1c0bbefc4a511c9c0ad59d08d94dac9e
  • BLAKE2b-256: 4d58c0819dd54d04f8f58a8e8b379e3ab6e62c81be102aa087df00c0a86f9cc4


File details

Details for the file poetry_plugin_freeze-1.0.6-py3-none-any.whl.

File hashes

Hashes for poetry_plugin_freeze-1.0.6-py3-none-any.whl

  • SHA256: 99b262b466d55f1e84872c2aff1236fbe523d085046764d107d2bbb8c9b6b622
  • MD5: d5115e679ef882b7eb7bca5d341573bf
  • BLAKE2b-256: 5f3685f6be42d4662af67f551cd68fcb9d51d1106f729ca8d5b5613b98482e0a

