[Pulp-dev] Pinning dependencies in Pulp 3

David Davis daviddavis at redhat.com
Fri Jul 26 15:37:37 UTC 2019


Recently, Pulp 3 package installs were broken by a new version of DRF which
necessitated a new release of pulpcore (RC4)[0]. Our releases are fragile
and unstable because they don't pin versions of dependencies.

I was thinking of a new strategy whereby we pin pulpcore's dependencies to
specific versions (either y or z releases) and we use something like
dependabot[1] to notify us of new updates for pulpcore dependencies. It
looks like it'll open new PRs when it detects a dependency is out of date.

The one downside I do see is that dependabot PRs could be ignored. However,
I think the stability of our releases outweighs this potential risk
especially as we get closer to GA.

Thoughts?

[0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
[1] https://dependabot.com/

David
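
The pinning levels discussed in the message above can be checked mechanically. The following is an added example, not part of the original message and not code from the Pulp project: it classifies each requirement string as pinned to a z release, pinned to a y release, or unpinned. The requirement list, `classify` and `audit` are assumptions made for illustration.

```python
import re

# Name, optional extras, then the version specifier (a PEP 508 subset:
# environment markers are dropped, URL requirements are out of scope).
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
LEVELS = {"unpinned": 0, "y": 1, "z": 2}

# Constructed sample, not pulpcore's actual requirement list.
SAMPLE = [
    "djangorestframework",   # no specifier: any new release is accepted
    "Django~=2.2.0",         # y pin: >=2.2.0, ==2.2.*
    "django-filter~=2.1",    # looks pinned, but means >=2.1, ==2.* (y floats)
    "PyYAML==5.1.1",         # z pin: exactly one release
    "whitenoise==4.1.*",     # y pin written as a prefix match
    "gunicorn>=19.9",        # lower bound only
]


def classify(requirement):
    """Return (name, level) with level 'z', 'y' or 'unpinned'.

    Only ==X.Y.Z, ==X.Y.* and ~=X.Y.Z count as pins; range pairs such as
    >=3.9,<3.10 are reported as unpinned and should be rewritten.
    """
    text = requirement.split("#", 1)[0].split(";", 1)[0]
    match = _REQ.match(text)
    if match is None:
        raise ValueError(f"not a requirement: {requirement!r}")
    name = match.group(1)
    spec = re.sub(r"\s+", "", match.group(3))
    level = "unpinned"
    for clause in filter(None, spec.split(",")):
        if re.fullmatch(r"===?[^*]+", clause):
            return name, "z"  # exact match, no wildcard
        if re.fullmatch(r"==\d+\.\d+\.\*|~=\d+\.\d+\.\d+", clause):
            level = "y"
    return name, level


def audit(requirements, minimum="y"):
    """Return {name: level} for requirements pinned less tightly than minimum."""
    findings = {}
    for requirement in requirements:
        name, level = classify(requirement)
        if LEVELS[level] < LEVELS[minimum]:
            findings[name] = level
    return findings


if __name__ == "__main__":
    for name, level in sorted(audit(SAMPLE).items()):
        print(f"{name}: {level}")
```
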