Lock files don't mesh with dynamic package version info #7533
Comments
|
@hynek have you seen |
|
I have while searching this bug tracker, but I couldn't find a way for it to affect From the documentation (and its name 🤓) I've gathered it's mostly about how caching, not about locking? And TBH it sounds to me as if adding git as a git key, I'm actually adding cache busting. |
|
I think you could pass [tool.uv]
upgrade-package = ["attrs"]But there's sort of an infinite loop here, right? Since every time you commit the lockfile, it will be outdated. So you then re-lock, and commit again, etc. I don't know how to solve this holistically. We could omit versions for editables, maybe? Or even, write "dynamic" or something for the version, for packages that have dynamic versions? |
Yeah that's what I meant in my last sentence, but I'm always assuming Chesterton's Fence. :) Setting it to |
|
I too have this problem. I generally subscribe to the philosophy that I use a VCS for versioning, thus what is in the VSC repo shouldn't track it's own version because that's what I'm using the VCS for. Said another way, at best a version tracked within repo is imperfect for exactly the reasons described above about how you can't update a version from a commit without making another commit, i.e., a new version. I'd love to understand the rationale behind storing this version in the lock file. Can anyone elaborate on that? |
|
We are also facing a similar problem over at cda-tum/mqt-core#706 where we use renovate to keep the |
|
This problem is not only for dynamic versioning. We have a release-please workflow, which will create a PR for the next release. This will update the pyproject.toml version correctly but of course does not know about the uv.lock version. |
|
As I mentioned in ttps://github.com//issues/7994 I use As a workaround, I also added |
|
I've just encountered this. We are also using release-please and uv in an internal project, after a release then the surprise is that the uv.lock was outdated. Ours plans were to add uv to https://github.com/timescale/pgai but since we are already using release-please, we are hesitant due to this issue. |
|
While the setuptools-scm case seems difficult to solve, I think another common reason1 a dynamic version is used is when the version is statically defined but not in
What I expected: version = 1
requires-python = ">=3.12"
[[package]]
name = "mpypkg"
-version = "1.0"
+version = "1.1"
source = { editable = "." }What happened: uv.lock still has I've also tried The version doesn't change until I do an unrelated Footnotes
|
|
We can fix this, but I still strongly recommend against setting the version dynamically like that. |
|
Hi @charliermarsh, you mention "inherent incompatibility of lock files and VCS-based versioning" , but you also mentioned:
To me the above workaround seems good enough, specially if it is controlled by an opt-in configuration (e.g. Is there any fundamental problem with this approach? |
|
my use case is that I use |
@charliermarsh Out of curiosity, why? |
|
I just discovered this issue with the recent release 0.5.0. Using --locked when syncing the project makes everything fails. I have a dynamic version based on git tags, and when we release we tag our repository. So the lock file can be outdated without any code change. I think excluding editable dependencies in the lock file could be a good workaround. Or we can also write "dynamic" as a version. By the way I will check what tools like poetry for example are doing in this use case. By the way I would suggest to list it in the breaking changes of the release Thanks !!! Edit: Forgot to mention, I was wondering if you already have some implementation ideas, I totally volunteer to work on this if needed. I will try a draft pull-request on my side for fun |
If references or opinion articles exist around this topic, they are few in number. I think a few on this issue would be interested in wider discussion around this. PEP 621 introduced toml metadata, and as of writing the official specification still allows It's a pretty standard paradigm (see hatch-vcs, setuptools-scm, poetry-dynamic-versioning) for single project repos where versioning, point release branches, development builds, etc. are all managed and controlled via VCS change control. Whilst alternatives exist for separating static versions (such as
My expectation for the project package that has a dynamic version ( It's worth noting that although version is defined dynamically in source control, builds of the package provide the version statically: ❯ ls -1 dist/*
dist/mypackage-0.5.0.dev5+g5d056c1-py3-none-any.whl
dist/mypackage-0.5.0.dev5+g5d056c1.tar.gz
❯ unzip -p dist/*.whl '*.dist-info/METADATA' | grep -E '^Version: '
Version: 0.5.0.dev5+g5d056c1
❯ tar -Oxf dist/*.tar.gz '*.egg-info/PKG-INFO' | grep -E '^Version: '
Version: 0.5.0.dev5+g5d056c1 |
This is just my personal opinion! Dynamic metadata makes a number of things more complicated than they need to be. I understand the use-case for scm versioning, but in my opinion using dynamic metadata to read a version from |
Unfortunately it's not super simple -- it breaks the fundamental assumption that packages have versions, so we have to take that into account everywhere. |
Yes this is what I saw this week-end when I was trying to contribute on this 🥲 Thanks! |
Not exactly, I don't think. The package always DOES have a version. It's just that the version may change outside of uv's immediate notice. Perhaps it would be fine if That said, I feel like a cleaner solution would be to omit the main package from |
By the way, this can be inverted and made more standard-compliant while doing so by putting something like this into your def __getattr__(name: str) -> str:
if name != "__version__":
msg = f"module {__name__} has no attribute {name}"
raise AttributeError(msg)
from importlib.metadata import version
return version("YOUR-PACKAGE")You get static metadata with no duplication. |
|
I have the same pain point and would like to share how many projects in the wild do Git based versioning for your information.
|
add to that:
|
|
I think #8867 released in This is textbook Hyrum's Law 😆 To share on the SCM versioning debate, I use |
|
Would it be possible to allow for this behaviour? |
|
from @charliermarsh:
Narrowing things down, this specific issue is only when you are trying to pin the version of the repository you are currently working in. No other dependency matters, editable, dynamic, or not, since Furthermore, you don't need to mark the version in So I propose something like
Side Note: Further Spooky Behavior (extra notes I'm writing for if I come back to this convo)nevermind about side note, its just #6860 + not knowing when |
|
If you're using Eg, I've added this to my # `uv` pins the version in the `uv.lock` file, but this leads to churn with each commit when using
# `hatch-vcs`. Instead, we can override the version to force stability until [1] is resolved.
#
# 1: https://github.com/astral-sh/uv/issues/7533
export SETUPTOOLS_SCM_PRETEND_VERSION="0.1.0"and then all Seems to be working fine, but I'm not sure what other ramifications it might have - at the least, it probably doesn't play as well with projects with non-python (ie: built) dependencies. edit: ah, I see |
We also want to automate the updating of the lockfile, but I think this also helps make sure that they're always in sync before merging, in case someone updates the dependency locally. The version overloading is related to this issue in uv, which is that it doesn't have an official mechanism to support dynamic versions: astral-sh/uv#7533
|
Note that neither setting package = false in [tool.uv] nor using --no-install-project addresses the issue, because it seems like the project is still included in uv.lock regardless. |
|
Here's a temporary fix for those using Copy the following code block, paste it into a file named # hatch_build.py
"""Hatchling custom metadata hook.
Temporary fix until Astral decides how to handle dynamic project versions
in the uv.lock file.
See https://github.com/astral-sh/uv/issues/7533
To enable, place this file next to and add the following line to the
pyproject.toml file:
[tool.hatch.metadata.hooks.custom]
To override, set SETUPTOOLS_SCM_PRETEND_VERSION environment variable to the
desired version before building, or set CI=1 (already set in GitHub actions)
to let hatch-vcs (using setuptools-scm) determine the version from the git tag.
"""
import os
from hatchling.metadata.plugin.interface import MetadataHookInterface
if not os.environ.get("SETUPTOOLS_SCM_PRETEND_VERSION") and not os.environ.get("CI"):
os.environ["SETUPTOOLS_SCM_PRETEND_VERSION"] = "0.dev0+local"
class CustomMetadataHook(MetadataHookInterface):
def update(self, metadata: dict) -> None:
passThis uses the Of course, feel free to set the default version to something that fits your project. |
|
The solution here is what should be preferred for |
`env SETUPTOOLS_SCM_PRETEND_VERSION=99.0 uv lock --upgrade` as per astral-sh/uv#7533 (comment)
|
I'm working on omitting dynamic versions from the lockfile: #10622 |
|
Many thanks for making this change and including it in I just recreated |
and others
Since tox-uv just shipped lock files, I took a stab at moving attrs to a fully-locked dev environment.
Here's the experiment PR: python-attrs/attrs#1349
A problem I've run into is that packages often use dynamic packaging data that is based on git metadata (setuptools-scm, hatch-vcs, etc). As such, attrs's package version changes after every commit, which allows us to upload to test PyPI and continually verify our package. See, for example, https://test.pypi.org/project/attrs/24.2.1.dev19/
Unfortunately the current project gets locked like this:
Which means it's outdated after each commit, because every commit increments the number behind
dev.Is there a way around this that I've missed? If not, could there be built one? 😇 AFAICT, this is currently the biggest blocker for FOSS use from uv's side. I'm also not sure what the point of that version lock is in the first place for the current, editable project? But that's a topic for another day. :)
The text was updated successfully, but these errors were encountered: