~sirodoht/mataroa

mataroa/docs/dependencies.md -rw-r--r-- 1.7 KiB
c8509fcfTheodore Keloglou remove stray paragraph closing tag from modus 5 days ago

#Dependencies

#Dependency Policy

The mataroa project has an unusually strict yet usually unclear dependency policy.

Vague rules include:

  • No third-party Django apps.
  • All Python / PyPI packages should be individually vetted.
    • Packages should be published from community-trusted organisations or developers.
    • Packages should be actively maintained (though not actively developed).
    • Packages should hold a high quality of coding practices.
  • No JavaScript libraries / dependencies.

Current list of top-level PyPI dependencies:

#Adding a new dependency

After approving a dependency, the process to add it is:

  1. Assuming a venv is activated and requirements_dev.txt are installed.
  2. Add new dependency in requirements.in.
  3. Run pip-compile to generate requirements.txt
  4. Run pip install -r requirements.txt

#Upgrading dependencies

When a new Django version is out it’s a good idea to upgrade everything.

Steps:

  1. Assuming a venv is activated and requirements_dev.txt are installed.
  2. Run pip-compile -U to generate an upgraded requirements.txt.
  3. Run git diff requirements.txt and spot non-patch level vesion bumps.
  4. Examine release notes of each one.
  5. Unless something comes up, make sure tests and smoke tests pass.
  6. Deploy new dependency versions.