Dependency is a nightmare for many people. Some even consider them technical debt. Managing your software’s library list can be a terrifying experience. Automatically update dependencies? – That sounds like nonsense.

Stay tuned as I help you better master something you can’t get rid of in practice — unless you’re very rich and talented enough to live without someone else’s code.

First, we need to be clear about dependencies: there are two types of dependencies. Donald Stuff wrote a better article on this subject a few years ago than I will. To put it more simply, they are two types of code packages that depend on external code: applications and libraries.

Library dependencies

Python libraries should specify their dependencies in a common way. A library should not require Requests 2.1.5: that doesn’t make sense. If each library requires different versions of Requests, we can’t use them all together. Finally, if your time is not very tight, and want to quickly improve, the most important thing is not afraid of hardship, I suggest you can contact Wei: 762459510, that is really good, many people progress quickly, need you not afraid of hardship oh! You can go to add a look at ~

Libraries need to declare dependencies based on the range of version numbers. Requesting requests>=2 is correct. If you know requests2.x is not available for the library, it is also correct to ask for requests>=1,<2. The problem your version-scoping definition is addressing is API compatibility between your code and dependencies — nothing else. This is a good reason for libraries to use semantic versioning whenever possible.

Therefore, dependencies should be written in setup.py, something like:

This way, any application can easily use the library and coexist with other applications.

Application dependencies

An application is just a special case of a library. They are not intended to be reused (imported) by other application libraries — although in practice there is nothing to stop it.

Finally, this means that you should specify dependencies in your application’s setup.py as if you were specifying dependencies for a library.

The main difference is that an application is typically deployed in a production environment to provide its services. The deployment needs to be reusable. To do this, you can’t just rely on setup.py: the dependencies of the request are too wide. When redeploying an application, you want to be free to change versions at any time.

Therefore, you need a different version management mechanism to handle deployment, not just setup.py.

Pipenv has a section in its documentation that summarizes this nicely. It divides dependency types into abstract dependencies and concrete dependencies: abstract dependencies are based on scopes (such as libraries), while concrete dependencies are specified with precise versions (such as application deployment) — as we see here.

Handle deployment

The requirements.txt file has long been used to address reusability issues for application deployments. It usually looks like this:

Each library designates itself as a microversion. This ensures that each of your deployments will install the same version of the dependency. Using requirements.txt is a simple solution and the first step towards reusable deployment. However, this is not enough.

In fact, while you can specify the version of requests you want, if requests relies on URllib3, this will cause PIP to install URllib 2.1 or URllib 2.2. You don’t know which one will be installed, and that doesn’t make your deployment 100% reusable.

Sure, you could copy all the Requests dependencies in your requirements.txt, but that would be crazy!

An application dependency tree can sometimes be very deep and complex.

There are all sorts of techniques that can be used to fix this limitation, but the real saviors are Pipenv and Poetry. Their approach to this problem is similar to that of many package managers in other programming languages. They generate a lock file that contains a list and version numbers of all installed dependencies (and their own dependencies, etc.). This ensures that the deployment is 100% reusable. Finally, if your time is not very tight, and want to quickly improve, the most important thing is not afraid of hardship, I suggest you can contact Wei: 762459510, that is really good, many people progress quickly, need you not afraid of hardship oh! You can go to add a look at ~

Check out their documentation for information on how to set them up and use them!

Handle dependency updates

Now that you have the lock file that ensures your deployment is reusable for a short period of time, you have another problem. How do you make sure your dependencies are up to date? This is a real security issue, and by staying behind, you may also miss out on bug fixes and optimizations.

If your project is hosted on GitHub, Dependabot is a great solution to this problem. Enabling the application on the repository will automatically create merge requests when a new version of the repository listed in your lock file becomes available. For example, if you have deployed your application using Redis 3.3.6, Dependabot will create a merge request to update to Redis 3.3.7 when the new version is released. Dependabot also supports requirements.txt, pipenv and poetry!

Dependabot is updating Jinja2 for you

Automatic deployment updates

We’re almost there. You have a bot that lets you know that a new version of a library is available for your project.

Once the merge request is created, your continuous integration system starts, deploys your project, and runs tests. If all goes well, your merge request can be merged. But do you really need to be involved in the process?

Unless you have a personal distaste for a particular version number — “God, I hate versions that end in 3. It’s always bad luck. — or unless you don’t have automated tests, you, human, are useless. This merge can be completely automated.

This is where Mergify comes in. Mergify is a GitHub application that allows you to define precise rules on how to merge merge requests. Here’s a rule I use for each project:

Mergify reports when the rules match perfectly.

Once your continuous integration system is approved, Mergify will merge the merge request for you.

You can then automatically trigger your deployment hooks to update your production deployment and install the new library version immediately. This will allow your application to always be updated with newer libraries and not be a few years behind the release.

If anything goes wrong, you can still restore the submission from Dependabot – you can also automatically restore the submission if you wish to use a Mergify rule.

digression

To me, this is the current state of the dependency management lifecycle. While this works well for Python, it can also be applied to many other languages that use similar patterns, such as Node and NPM.

Materials video tutorial collection method:

1. Like + Comment (check “Simultaneously forward”)

2, pay attention to xiaobian. And private message reply keyword [information] (must be private message oh ~ click my avatar can see the private message button)