Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an option to track source file changes #2069

Open
dermoth opened this issue Mar 7, 2024 · 1 comment
Open

Add an option to track source file changes #2069

dermoth opened this issue Mar 7, 2024 · 1 comment

Comments

@dermoth
Copy link

dermoth commented Mar 7, 2024

What's the problem this feature will solve?

I need a quick way to tell if requirements files need to be regenerated.

Describe the solution you'd like

The simplest solution is to keep a hash of the source file(s) in the header of the generated requirement files. That hash could be checked manually. This is particularly well-suited for individual requirements files.

For requirements from pyproject.toml, a better solution would be to generate a consistent hash of the extracted requirements, and have an option or command to only check if the generated source hash match with it's destination requirements. This method would allow unrelated pyproject.toml changes without having to regenerate the requirements and also work well with individual input files.

In our use case we commit the generated requirement files to allow predictable builds. This check could be used in PR or pre-merge tests to ensure no one has forgotten to regenerate the requirements. Users could also add a check to their own tools (eg pre-commit hook) to ensure they do not forget.

Alternative Solutions

The only alternative I can think of is to make a copy of the generated requirement files, update them then ensure they haven't been modified. This would be much slower.

Additional context

Other dependency tracking tools like Pipenv and, if I'm not mistaken, npm, also have a way to quickly detect discrepancies between the source and generated files.

If additional tampering protection is desired the hash could be generated from a combination of input and output (header with final hash excluded of course). This is not a requirement for me and although I have no issue with that per se, part of the reason I stopped using Pipenv was excessive tamper control: we had an issue (bug?) where it always updated unrelated deps and the way our internal index worked it often listed new versions that were not yet available, breaking the whole thing, and manual edits caused Pipenv to automatically regenerate it's lock file... but I'm disgressing, and it's not even something I ever had issue with using pip-tools (the update options / controls are perfect as far as I'm concerned).
@WhyNotHugo
Copy link
Member

WhyNotHugo commented Mar 7, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dermoth @WhyNotHugo