Should I pin my Python dependency versions?

Question

I am about to release a Python library I've been working on the past few weeks. I've read a lot about Python dependencies but something is not quite clear yet:

Some people pretend you should never pin your dependency versions as it would prevent the users of your library from upgrading those dependencies.

Some others claim that you should always pin your dependency versions as it is the only way of guaranteeing that your release works the way it did when you developed it and to prevent a breaking change in a dependency from wreaking havoc in your library.

I somehow went for a hybrid solution, where I assumed my dependencies used semantic versioning and pinned only the major version number (say somelib >= 2.3.0, < 3) except when the major version number is 0 (semantic versioning dictates that such versions are to be considered volatile and may break the API even if only the patch number is bumped).

As of now, I'm not sure which way is the best. Is there an official guideline (even a PEP perhaps?) that dictates the best practice regarding Python dependencies and how to specify them?
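As an added illustration (not part of the question or the answer), the hybrid rule described above applied mechanically: for a tested version with major >= 1 it emits the `>= X.Y.Z, < X+1` range from the question, and for a 0.x version it pins exactly, which is an assumed reading of the 0.x exception. The helper names and the `earlylib` dependency are made up; only plain MAJOR.MINOR.PATCH versions are handled, not the full PEP 440 grammar.

```python
import re

_CLAUSE_RE = re.compile(r"^(==|>=|<)\s*(\d+(?:\.\d+){0,2})$")


def parse_version(text):
    """'2.3.0' -> (2, 3, 0); a bare '3' is padded to (3, 0, 0).
    Plain MAJOR.MINOR.PATCH only; PEP 440 pre-releases etc. are out of scope."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def hybrid_specifier(name, verified):
    """Requirement for `name` given the version the maintainer tested against.

    major >= 1: allow the whole major series, as in `somelib >= 2.3.0, < 3`.
    major == 0: semver promises nothing, so pin exactly (assumed reading of
    the question's exception for 0.x releases).
    """
    major, minor, patch = parse_version(verified)
    if major == 0:
        return f"{name} == 0.{minor}.{patch}"
    return f"{name} >= {major}.{minor}.{patch}, < {major + 1}"


def satisfies(requirement, candidate):
    """Check a candidate version against a requirement produced above."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", requirement)
    if not m:
        raise ValueError(f"malformed requirement: {requirement!r}")
    cand = parse_version(candidate)
    for clause in m.group(2).split(","):
        c = _CLAUSE_RE.match(clause.strip())
        if not c:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = c.group(1), parse_version(c.group(2))
        if not {"==": cand == bound, ">=": cand >= bound, "<": cand < bound}[op]:
            return False
    return True


if __name__ == "__main__":
    # constructed sample: one stable dependency, one still on 0.x
    for dep, tested in (("somelib", "2.3.0"), ("earlylib", "0.4.1")):
        req = hybrid_specifier(dep, tested)
        for v in ("2.9.7", "3.0.0", "0.4.1", "0.4.2"):
            print(f"{req:28} {v:6} {'ok' if satisfies(req, v) else 'rejected'}")
```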


Solution

You should always pin your dependencies as it increases the possibility of safe, repeatable builds, even as time passes. The pinned versions are your declaration as a package maintainer that you've verified that your code works in a given environment. This has a nice side effect of preserving your sanity as you won't be inundated with bug reports in which you have to play inspector into every package codependency and system detail.

Users can always choose to ignore the pinned dependency versions and do so at their own risk. However, as you release new versions of your library, you should update your dependency versions to take in improvements and bug fixes.

The section of PEP 426 about Semantic dependencies (Metadata for Python Software Packages) states:

"Dependency management is heavily dependent on the version identification and specification scheme defined in PEP 440 (PEP 440 - Version Identification and Dependency Specification)."

From this, I infer that the authoritative "best practice" is to version your dependencies, as the relationship of the PEP on packaging is stated to be "heavily dependent" on the versioning details outlined by the related PEP.
