chore: remove transitive deps from release-requirements.txt #470
Was puzzled why Dependabot keeps bumping urllib3 when requirements.txt is empty and the code only uses stdlib. Turns out release-requirements.txt has been a full pip freeze for a long time. It's been tracking ~40 packages when the release only directly uses 9.
Things like urllib3, requests, certifi are just transitive deps from twine. Given pip resolves them automatically anyway, tracking them individually IMHO is creating noise. Plus it does not add much value as the tools are only used for release so the chance of a transitive dep breaking anything is very low and won't have any unknown impact if it does (release would fail).
Change the list to direct deps only. Should cut Dependabot PR work by a lot.