-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggestion: new command to bump versions of dependencies in pyproject.toml
#461
Comments
It's a bit dangerous to upgrade everything to the last version. you might introduce many bugs doing this, without knowing where it comes from. Anyway I also do this 😆
Maybe |
I agree; I only used ‘upgrade’ because I couldn’t think of something better
:)
It could also be added to ‘poetry add’ (either with or without a flag);
currently that command just errors if you try to use it on a package that’s
already in your dependencies.
…On Tue, 2 Oct 2018 at 18:52, jgirardet ***@***.***> wrote:
It's a bit dangerous to upgrade everything to the last version. you might
introduce many bugs doing this, without knowing where it comes from.
Anyway I also do this 😆
upgrade is very confusing with the update command.
We could have acommand per package and for all.
Maybe --reset-dependency package_name or/and --reset-dependency-all would
be less confusing.
or : --find-latest, --upgrade-to-latest,--force-latest
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#461 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAc7aLMzza48JHvRq92e6REbrmtJqsAzks5ugzAzgaJpZM4XDWit>
.
|
I'll put a PR if @sdispater accepts the idea |
The JS package managers make |
@miracle2k For example, if you In other words, when adding a package it uses the same caret prefix that If you @jgirardet In other words, if you have For wildcard (*) and gt, gte, lt and lte deps this behavior doesn't make sense, but caret and tilde requirements are by far the most commonly used. |
If you make a script like this one at the root of the repo, make it executable, and run it with python3.7, it'll print the contents of #!/usr/local/bin/python3.7
from typing import cast, Dict
import toml
import subprocess
def update_deps(name: str, version: str, t: Dict) -> Dict:
def update(deps: Dict) -> None:
for key in deps:
v = deps[key]
if type(v) is str and name.lower() == key.lower() and v[0] in ("~", "^"):
deps[key] = f"{v[0]}{version}"
update(t['tool']['poetry']['dependencies'])
update(t['tool']['poetry']['dev-dependencies'])
return t
with open('./pyproject.toml', 'r') as f:
t = cast(Dict, toml.loads(f.read()))
output = subprocess.run(["poetry", "show"], capture_output=True)
lines = cast(str, output.stdout.decode()).split('\n')
for line in filter(lambda l: bool(l), lines):
name, version, *_ = line.split()
t = update_deps(name, version, t)
print(toml.dumps(t)) This is a goofy implementation that uses I think something like this happen after |
If I also think that |
If you use the latest beta release of the poetry add pendulum@latest
poetry add pendulum@^2.0.5 See #1221 for more information. |
@sdispater But what about updating all dependencies at once? Can we reopen this? |
It is a bit tedious to go over all of them manually. |
While the command mentioned by @sdispater is nice, it doesn't go all the way to solving the problem talked about in this issue since you still have to go one by one and check each package. |
I thinks the request about an |
This would be a very useful addition. There's a tool for Node.js called npm-check-updates that might give some inspiration. I agree that an |
npm also has
which is nice. reason being, is tools like dependabot keep it up to date, one by one, but, branches don't currently work w/ the poetry lock file since the hash line conflicts. |
This is something I need almost daily. I have a lot of projects that I want to keep up to date and Poetry is currently very cumbersome with that task. My ideal situation would be to have just one command to upgrade one or all dependencies (not at all interested bikeshedding about what that command would look like). So, a very big +1 from me for this feature. Also, it would probably be a good idea to document a suggested workaround/way to do this before we have the command. Using |
Maybe you should consider to plug in @dependabot |
I do use Dependabot on projects that are on GitHub and Snyk on GitLab whenever I can, but I really wouldn't like to rely on third-party tools for something my package manager should handle. I mean, handling packages (dependencies) is literally the only thing I need the tool for. |
@max-wittig Frankly, if someone needs to do such operation to all dependencies at once, they probably don't care about these constraints, and will be fine with no constraints (i.e. using "*" instead of "^1.2.3"), with that |
@taketa Not really because that's something you may want to do on a regular basis weekly/monthly while making sure in the meantime nothing breaks because of a dependency change you haven't noticed and break something in production. |
@max-wittig poetry update supposed to observe constraints in pyproject.toml ^1.2.3 allows to update to 1.3.4 but not too 2.3.4 (^ is more complex than that, but this is a ghist), if you use * there is no constraints. |
@takeda if I understand correctly, you would set the version to What this issue is aiming for is to keep the Thank you for the workaround though, it might work for my project. |
@Natim yes, exactly. The reason for the constraints in pyproject.toml is to define such constraints that guarantee API compatibility. Different authors have different ways they version their packages (for example if you use pytz, you probably want to have * there for it, since API never changes and your always want the latest time zone information) so that's where you use ^ and ~ (and also <, >, * more here: https://python-poetry.org/docs/dependency-specification/) to specify what versions are compatible with your application. If you have to do mass update that ignores these constraints, you aren't using them as intended. |
Automatically via script in python-poetry/poetry#461 (comment)
Interesting request. Such a command would be great! |
Thank you @IceTDrinker very useful although it deletes extras dependencies |
yes I've made that discovery as well 😅 if you have something for it I would gladly take it :) |
@MousaZeidBaker looks brilliant - thank you for sharing! An option to --exclude certain packages would be nice. As a workaround, to do this i'm using However, sometimes I'll want to continue with minor/patch fixes within a major release and avoid skip_exact. So --exclude <PACKAGE_NAMES> would work well there. |
I think it could be useful to collaborate on this across ecosystems as consistency will help in understandability for users. I'm in a similar boat trying to figure out how to add first-party version-requirement upgrades to We have a collection of third-party plugins for editing the cargo manifest that I'm slowly moving into cargo, the first being You can see my very rough notes on |
For some reason I hadn't looked at A subset of cargo-upgrade's output to compare with the above poetryup screenshot
I've collected user care abouts in our thread on this topic but one in particular I want to highlight is
We don't support this yet but I'm experimenting with this with Renovate (a more advanced Dependabot). With our current CLI, I would expect this to be |
With the announcement of Install the poetry self add poetry-plugin-up Usage: poetry up --help For more details visit poetry-plugin-up |
Have the need for bumping my |
Up doesn't seem to work correctly (at least for me): MousaZeidBaker/poetry-plugin-up#48. Does it actually handle conflicts or just updates to the latest available versions? |
@domoritz The documentation says that |
I recently created a Python3 script to update all Poetry packages to their latest version while preserving extras and dependency groups. Check it out here |
Consider an old application with a minimal feature set that can easily be tested manually. By not having a |
This feature is open 6 years now, and people are still commenting. It's something that clearly the community needs. |
Right now we use dependabot and renovate as an external weekly service that opens PR automatically with related updates. |
Issue
It would be awesome if Poetry had a command (let's call it
upgrade
) that bumped the version constraints of dependencies inpyproject.toml
(as opposed toupdate
, which afaict updates the lock file to the newest version within the constraint specified inpyproject.toml
).Some examples for how this command could behave:
poetry upgrade django
: Upgrade Django to the newest version that still works with other dependencies; equivalent topoetry remove django; poetry add django
.poetry upgrade django djangorestframework
: As above, but with more than one package at a time.poetry upgrade django=^2.1
: Set the version ofdjango
to^2.1
, equivalent topoetry remove django; poetry add django=^2.1
.poetry upgrade
: Upgrade every dependency to the newest possible version. Equivalent to deleting the entire[tool.poetry.dependencies]
section ofpyproject.toml
and runningpoetry add
with a list of the names (but not versions) of every package previously in the list. (This one would be good for cookiecutter templates for projects, to make it easy to start a new project with the latest versions of everything.)Currently, when I want to bump the version of something, I'm either running
poetry remove ...; poetry add ...
which moves the package to the bottom of the list inpyproject.toml
, and results in uninstalling a bunch of dependencies which sometimes just get reinstalled again at the same version; or I'm manually editingpyproject.toml
which means I have to look up the latest version manually, and I can't use Poetry's version resolution when I want to upgrade more than one package at a time.The text was updated successfully, but these errors were encountered: