I wonder if such a setting should be part of the pyproject.toml or if it should be a configuration setting. I tend towards the latter. This has the advantage that you just have to set it once and it affects all your projects.
There's been a lot of discussion about supply chain attacks recently, and while much of that has been focused on NPM, that class of attack is hardly unknown on PyPI. One feature which several JavaScript package managers and uv have been adding is the ability to install updates but exclude versions of packages which are less than a certain number of hours old to give the community time to detect a malicious or simply broken release.
I think this would be a useful addition to poetry update. The pnpm model with both minimumReleaseAge and minimumReleaseAgeExclude to override seems like a good balance for protecting users by default without giving up the ability to install an urgently-needed update when necessary.
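The quarantine mechanism described in the post, as an added example that is not Poetry's or pnpm's code: a resolver step that skips any release published less than a minimum number of hours ago unless the package name is on an exclude list. The release metadata is constructed and shaped like PyPI's JSON API (version -> list of files with upload_time_iso_8601); the hour-based unit, exact-name exclude matching and returning None when no version qualifies are assumptions of this example.

```python
"""Select the newest release that has been public for at least a minimum age.

Added example, not Poetry's or pnpm's code. The metadata below is constructed
and mirrors the shape of PyPI's JSON API ("releases" -> version -> files).
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample data (not a real project). The 2.0.0 wheel was uploaded
# three hours after its sdist, so that release is only ~3 hours old at NOW.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
RELEASES = {
    "1.8.0": [{"upload_time_iso_8601": "2024-05-20T10:00:00.000000Z"}],
    "1.9.0": [{"upload_time_iso_8601": "2024-05-29T09:00:00.000000Z"}],
    "2.0.0": [
        {"upload_time_iso_8601": "2024-06-01T06:00:00.000000Z"},  # sdist
        {"upload_time_iso_8601": "2024-06-01T09:00:00.000000Z"},  # wheel
    ],
}


def _version_key(version: str) -> tuple[int, ...]:
    # Sufficient for the dotted sample versions; real code should use packaging.version.
    return tuple(int(part) for part in version.split("."))


def release_published_at(files: list[dict]) -> datetime:
    """A release counts as published when its *last* file went up, so a
    late-arriving wheel restarts the clock for the whole version."""
    stamps = (
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )
    return max(stamps)


def select_version(name: str, releases: dict, minimum_release_age_hours: int,
                   exclude: tuple[str, ...] = (), now: datetime = NOW) -> str | None:
    """Return the newest version older than the quarantine window, or None if
    every version is still inside it. Packages listed in `exclude` bypass the
    check (assumed here to be exact-name matching), which is how an urgent fix
    is pulled in deliberately rather than by default."""
    cutoff = now - timedelta(hours=minimum_release_age_hours)
    bypass = name in exclude
    eligible = [v for v, files in releases.items()
                if bypass or release_published_at(files) <= cutoff]
    return max(eligible, key=_version_key) if eligible else None
```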