Discussion on options to pin Python package versions and manage python version bump lifecycles #7297
Replies: 5 comments 15 replies
-
One option that does not require changes to Meltano Core would be to run a periodic job on the Hub (perhaps mimicking what HubCap already does for dbt Hub), we could scrape versions and bump them from GitHub and/or PyPi. Then, all plugins on the hub would be pinned to specific Python versions - if and when pinnable versions exist for each library. Then, next time the user locks their plugin, or updates their lockfile from the hub, those definitions would be pinned to some version or version range. (And from there, they would either manually bump to get new features, or repeat the "update lockfile from hub" workflow.) This might only be a partial solve. It handles providing stability to the main (named) packages. It provides users an option to bump version by getting the latest from the Hub. It doesn't give robust constraints controls, and depending on if we provide ranges or not, it doesn't solve for whether patch releases should be auto-accepted or ignored. Another challenge is that attempting to bump multiple libraries on the Hub, which are all referenced on the same |
Beta Was this translation helpful? Give feedback.
-
Yes. Dependency version constraints are conceptually separate from pinned versions. Also, we don't get to decide what the version constraints are: that's up to the plugin authors. We are only providing a service on top of that by resolving those constraints into pinned versions.
The lockfiles. Platform-independent pinned Python deps with hashes will be thousands of lines of barely readable text, as we see with
Dependency version pinning/locking typically takes the latest version of each package that abides by the version constraints, and is compatible with all other pinned dependencies. As such, if the user wants to get the latest versions of transitive dependencies allowed by the constraints imposed by the plugin at the version they chose, they need only recreate the lock files by running
The version of the named package (i.e. the plugin itself) should be set by the user in We want to be able to commit lockfiles to a repository for reuse. That means that the lockfiles should be platform-independent, which is very difficult. I suggest we leverage Poetry's dependency resolver to tackle this problem, rather than trying to figure it out ourselves. Python makes it especially difficult because each Python package can change its dependencies dynamically at install-time. While our solution won't be perfect in the face of this challenge, the main factors we'll have to consider to make this work in a platform-independent way is:
Poetry handles those challenges well enough to be very useful for a large number of Python developers. We can probably work with that. |
Beta Was this translation helpful? Give feedback.
-
Thread Re CLI inteface
Referencing https://docs.meltano.com/reference/command-line-interface#lock for context. I think there are at least two things to tease out here:
I think minimal changes could probably accomodate this, but I just want to be mindful of the overloaded |
Beta Was this translation helpful? Give feedback.
-
Related discussion: #6445 |
Beta Was this translation helpful? Give feedback.
-
Agreed. But just to call out: this is due to lack of automation though and not at all by design. HubCap does this function for dbt Hub - bumping pinned referenced based on results of a daily scan. And if we did solve in the hub, then it is a valid alternative first iteration to the problem as a whole, since the Hub definitions fully encapsulate the first-use experience for plugins added to projects. It's not clear to me yet, if the code for finding a valid pinnable reference needs to be written anyway, whether this should first live on the Hub - which benefits all users of all Meltano versions, and also brings error handling out of the runtime experience - versus living in Meltano, where failures and exceptions will break users and where it can only benefit users on future versions of Meltano. Certainly it is good to have this in both places, but which should come first I think it still an open question in my mind. |
Beta Was this translation helpful? Give feedback.
-
Re:
Currently we have lockfiles to lock plugin definitions, but those plugin definitions are most often using unpinned repo references and/or unpinned PyPi references.
Today, users are advised to manually add version constraints to the
pip_url
declaration in their ownmeltano.yml
, which at that point would keep their project behaving consistently. We currently do not enforce or provide an automated way to pin those versions, nor do we offer a way to electively bump versions after they are pinned.We should come up with a plan to let users more effectively manage their Python versions.
Some things to consider:
Related:
Beta Was this translation helpful? Give feedback.
All reactions