PEP 735 – Dependency Groups in pyproject.toml | peps.python.org
peps.python.org
This PEP specifies a mechanism for storing package requirements in pyproject.toml files such that they are not included in any built distribution of the project.

PEP 735 what is it’s goal? Does it solve our dependency hell issue?

A deep dive and out comes this limitation

The mutual compatibility of Dependency Groups is not guaranteed.

https://peps.python.org/pep-0735/#lockfile-generation

Huh?! Why not?

mutual compatibility or go pound sand!

pip install -r requirements/dev.lock
pip install -r requirements/kit.lock -r requirements/manage.lock

The above code, purposefully, does not afford pip a fighting chance. If there are incompatibilities, it’ll come out when trying randomized combinations.

Without a means to test for and guarantee mutual compatibility, end users will always find themselves in dependency hell.

Any combination of requirement files (or dependency groups), intended for the same venv, MUST always work!

What if this is scaled further, instead of one package, a chain of packages?!

  • logging_strictOP
    1·
    3 days ago

    As the quantity and relationships complexity increases so to does the need for management tools to deal with the chaos.

    Most Python coders cope by keeping things overly simple. Avoiding complexity at all costs.

    Do you fully embrace requirement file complexity or do you avoid it?

    1. assume one venv

    2. has no way to deal with unavoidable incompatibilities

    Which maybe due to: a package becoming unmaintained or overly zealous limiting allowed versions

    1. has no way to adapt to security vulnerabilities (e.g. CVE-2024-9287)

    2. has no intelligent way to normalize both direct and transitive dependency versions across lock files