Suggestion: Replace requirements.txt with a lock file dependency manager like poetry.
CameronJGrant opened this issue · comments
I see there is a fixed requirements.txt that holds versions now but the dependencies aren't locked. While this approach works, it doesn't ensure truly reproducible builds because the exact versions of the dependencies aren't locked down.
To improve this, I suggest adopting poetry as a dependency management tool. poetry uses a pyproject.toml to list dependencies in a human-readable way, and it generates a poetry.lock file which ensures that the exact versions of dependencies are used every time the project is built. This leads to more predictable and reproducible builds.
We can also track development packages and production packages individually in the .toml.
Here are a few advantages of poetry:
- Manages packages on a per-project basis, creating virtual environments for each project to handle dependencies separately.
- Allows easy updating of dependencies, with a single command to update all packages to their latest version.
- Better conflict resolution when different packages require different versions of the same dependency.
- Easier publishing of your own packages to PyPI.
I agree.