Fixing versions of package dependencies

[phcorp]

Problem

No dependencies have their versions specified (except for saxonche) in requirements.txt. There is no guarantee that Dapytains will continue to work with higher versions of its dependencies. There is also a security risk since no package fingerprints are recorded.

To remedy this, some dependency managers generate a lock file. This is not the case with pip.

So I wonder if the dependency manager should be changed.

Possible solutions

Poetry is used for DTS validation action. Poetry allows to fix the versions of dependencies in a poetry.lock file. Perhaps it could be used as the default dependency manager?

PDM seems to be a dependency manager that better complies with standards. It looks also very suitable.

[PonteIneptique]

Hi @phcorp,
As I use neither, what would you recommend ? I understand their point, I am just not invested in this kind of larger control :)

Re requirements.txt, I think we can pin main version, but not minor / bugfixes, as my experience is that overtime, it makes maintaining a headache.

[phcorp]

@PonteIneptique Hi!
Me neither, IMHO it depends on the support commitment of the project and on the python version(s) requirements that remain to be defined. By doing so it should ease the maintaining headache.
AFAIK PDM is a pretty strong solution. Not being a regular Python developer, I am unsure about this choice and I prefer to defer to more experienced developers.