Opened 8 months ago

Closed 10 days ago

#29484 closed task (fixed)

Update the requirements.txt and freeze them on release

Reported by: dgoulet
Owned by: phw
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity: Normal
Keywords: bridgedb, anti-censorship-roadmap-september
Cc: cohosh, gaba, phw
Actual Points: 2.1
Parent ID: #31280
Points: 2
Reviewer: cohosh
Sponsor: Sponsor30-can

Description

The requirements.txt file has package versions that are pinned and some are very old by now.

I've done a quick test, and using all the latest versions works with a very minor fix in the code so far.

We should have a development one that uses the latest packages (maybe?) and then use a minimal one that we use when we release (pip freeze).

This way, we keep up to date with everything and do not run the risk of having huge security holes because of old dependencies, for instance.

Child Tickets

Change History (9)

comment:1 Changed 4 months ago by gaba

Keywords: ex-sponsor-19 added

Adding the keyword to mark everything that didn't fit into the time for sponsor 19.

comment:2 Changed 4 months ago by phw

Sponsor: Sponsor19 → Sponsor30-can

Moving from Sponsor 19 to Sponsor 30.

comment:3 Changed 4 months ago by gaba

Owner: dgoulet deleted

dgoulet will assign himself to the ones he is working on right now.

comment:4 Changed 3 months ago by phw

Cc: gaba added
Owner: set to phw

comment:5 Changed 3 months ago by gaba

Cc: phw added
Keywords: anti-censorship-roadmap-september added; ex-sponsor-19 removed
Points: 1 → 2

comment:6 Changed 3 weeks ago by gaba

Parent ID: #31280

comment:7 Changed 12 days ago by phw

Reviewer: sysrqb → cohosh
Status: assigned → needs_review

Phew, that was more work than I anticipated. I just pushed a patch set that updates all of BridgeDB's requirements to their latest respective versions:
https://github.com/NullHypothesis/bridgedb/compare/develop...fix/29484

All unit tests pass and the code works in production.

I also added a script, check-for-new-dependencies, which goes over our dependencies and checks for new versions. We should run it before each release.
/edit: There already is a tool for that: pur. It takes as input a requirements.txt file and checks for new versions. I added instructions to doc/HACKING.md on how to run pur. Is this reasonable? Or are we better off doing a pip freeze?

Last edited 11 days ago by phw
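The check the ticket asks for (compare each pin in requirements.txt against the newest known release, and optionally rewrite the pins) can be sketched in a few dozen lines. The script below is an added example; it is not BridgeDB's code, not the check-for-new-dependencies script, and not pur. The sample requirements text and the LATEST_VERSIONS table are constructed so it runs offline; a real tool would obtain the latter from PyPI.

```python
"""Report pinned requirements that lag a known latest version, and rewrite them.

Added example, not BridgeDB's code. The requirements text and the
"latest version" table are constructed stand-ins for a real file and a
PyPI lookup.
"""
import re

# Constructed sample in the style of a pinned requirements.txt.
SAMPLE_REQUIREMENTS = """\
# pinned requirements (constructed sample, not BridgeDB's real file)
Twisted==15.5.0
pyOpenSSL==16.0.0   # pinned for the TLS layer
ipaddr==2.1.11
Babel==2.3.4
-r other.txt
"""

# Constructed "latest known" versions, standing in for a PyPI query.
LATEST_VERSIONS = {
    "twisted": "19.7.0",
    "pyopenssl": "19.0.0",
    "ipaddr": "2.2.0",
    "babel": "2.7.0",
}

# name==version, tolerating surrounding whitespace; version stops at space or '#'.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def normalize(name):
    """Normalize a distribution name the way pip compares them (case, _ vs -)."""
    return name.lower().replace("_", "-")


def parse_pins(text):
    """Return {normalized_name: pinned_version} for every `name==version` line.

    Comments, blank lines, and option lines such as `-r other.txt` are
    skipped; unpinned specifiers (e.g. `name>=1.0`) are skipped too, since
    there is no single version to compare.
    """
    pins = {}
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):
            continue
        m = PIN_RE.match(stripped)
        if m is None:
            continue
        pins[normalize(m.group(1))] = m.group(2)
    return pins


def version_key(version):
    """Crude ordering key: numeric components as ints, trailing zeros dropped.

    Enough for release versions like 2.2 vs 2.2.0 vs 19.7.0; not a full
    PEP 440 parser (pre-release tags sort below their numeric neighbour).
    """
    parts = []
    for piece in re.split(r"[.\-+]", version):
        m = re.match(r"(\d+)", piece)
        parts.append(int(m.group(1)) if m else -1)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def outdated(pins, latest):
    """Return sorted (name, pinned, latest) triples where a newer version is known."""
    result = []
    for name, pinned in sorted(pins.items()):
        newest = latest.get(name)
        if newest is None:
            continue  # not in our index: report nothing rather than guess
        if version_key(newest) > version_key(pinned):
            result.append((name, pinned, newest))
    return result


def render_updated(text, latest):
    """Rewrite lagging `name==version` pins to the latest version, keeping
    comments, option lines and trailing annotations untouched."""
    out = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m is not None:
            newest = latest.get(normalize(m.group(1)))
            if newest and version_key(newest) > version_key(m.group(2)):
                line = line.replace("==" + m.group(2), "==" + newest, 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, pinned, newest in outdated(parse_pins(SAMPLE_REQUIREMENTS), LATEST_VERSIONS):
        print("%s: pinned %s, latest %s" % (name, pinned, newest))
```

The rewrite step is the part that needs a human in the loop: after bumping pins, install them into a clean virtualenv, run the test suite, and only then freeze the result (`pip freeze`) into the release requirements, so that what is frozen is the set that was actually tested.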

comment:8 Changed 11 days ago by cohosh

Status: needs_review → merge_ready

Nice, this code looks good, and I appreciate the addition to doc/HACKING.md.

> Or are we better off doing a pip freeze?

I don't have firsthand experience with this, but for what it's worth, using pur seems fine. If we want to use packages that aren't the latest version, we can always manually edit the requirements.txt files. They aren't so large that this would be an intractable task.

comment:9 Changed 10 days ago by phw

Actual Points: 2.1
Resolution: fixed
Status: merge_ready → closed

I merged the patch set in commit 53bcb77.
