Why it took 4 years to get a lock files specification
Briefly

"A lock file is meant to record all the dependencies your code needs to work along with how to install those dependencies. The "how" is source trees, source distributions (aka sdists), and wheels. With all of these forms, the trick is recording the right details in order to know how to install code in any of those three forms. Luckily we already had the direct_url.json specification that just needed translation into TOML for source trees."
"The much trickier part is figuring out what to install when. For instance, let's consider where your top-level, direct dependencies come from. In pyproject.toml there's project.dependencies for dependencies you always need for your code to run, project.optional-dependencies (aka extras) for when you want to offer your users the option to install additional dependencies, and then there's dependency-groups for dependencies that are not meant for end-users (e.g. listing your test dependencies)."
A lock file records every dependency a project needs and exactly how to install each one. Installed code can take three forms, source trees, source distributions (sdists) and wheels, and each needs enough recorded detail to reproduce the install. For source trees the existing direct_url.json specification already captured the location and only had to be translated into TOML; sdists and wheels are described by the metadata an index server exposes for a release. The harder problem is deciding what to install when. Top-level dependencies come from three places in pyproject.toml: project.dependencies (always required), project.optional-dependencies (extras the user can opt into), and dependency-groups (dependencies not meant for end users, such as test dependencies). Version and platform specifiers on each requirement then bound which releases qualify and in which environments. Combining these sources yields a dependency graph whose edges are conditional on the target environment, and pinning down those rules precisely in a specification is what took years.
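The "what to install when" problem described above, as an added example that is not code from the original post or from the lock file specification itself: the script parses a constructed pyproject.toml that uses all three dependency sources (project.dependencies, project.optional-dependencies and dependency-groups, including an include-group reference), then filters the resulting top-level requirements by environment marker for one target environment. The marker evaluator is a deliberately small subset of PEP 508 (single comparisons joined by "and") written for this illustration, and the environment values are constructed, not read from a real interpreter.

```python
"""Which top-level dependencies apply for a given environment?

Added example, not code from the original post.  It shows how the three
dependency sources in pyproject.toml plus per-requirement markers combine
into "install this, but only there".
"""
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib

# Constructed pyproject.toml exercising all three dependency sources.
PYPROJECT = """
[project]
name = "demo"
version = "0.1"
dependencies = [
  "requests>=2.31",
  "tomli>=2.0; python_version < '3.11'",
  "pywin32; sys_platform == 'win32'",
]

[project.optional-dependencies]
cli = ["click>=8"]

[dependency-groups]
test = ["pytest>=8", "pytest-cov"]
dev = [{include-group = "test"}, "ruff"]
"""

# One marker clause: <name> <op> <quoted value>.  This is a constructed
# subset of PEP 508 markers; clauses may only be joined with "and".
_CLAUSE = re.compile(r"""\s*(\w+)\s*(==|!=|<=|>=|<|>)\s*['"]([^'"]*)['"]\s*""")


def _version_key(v):
    """Turn '3.11' into (3, 11) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def marker_applies(marker, env):
    """Evaluate a marker string (clauses joined by 'and') against env values."""
    if not marker:
        return True
    for clause in marker.split(" and "):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported marker clause: {clause!r}")
        name, op, value = m.groups()
        actual = env[name]
        if name == "python_version":
            actual, value = _version_key(actual), _version_key(value)
        ok = {
            "==": actual == value, "!=": actual != value,
            "<": actual < value, "<=": actual <= value,
            ">": actual > value, ">=": actual >= value,
        }[op]
        if not ok:
            return False
    return True


def _split_requirement(req):
    """Return (requirement without marker, marker or '')."""
    spec, _, marker = req.partition(";")
    return spec.strip(), marker.strip()


def _expand_group(groups, name, seen):
    """Flatten a dependency group, following include-group references."""
    if name in seen:
        raise ValueError(f"cyclic dependency-group include: {name}")
    seen = seen | {name}
    out = []
    for item in groups[name]:
        if isinstance(item, dict):
            out.extend(_expand_group(groups, item["include-group"], seen))
        else:
            out.append(item)
    return out


def applicable_requirements(pyproject_text, env, extras=(), groups=()):
    """Top-level requirements that apply for env, the chosen extras and groups."""
    data = tomllib.loads(pyproject_text)
    project = data.get("project", {})
    candidates = list(project.get("dependencies", []))
    for extra in extras:
        candidates.extend(project["optional-dependencies"][extra])
    for group in groups:
        candidates.extend(_expand_group(data.get("dependency-groups", {}), group, frozenset()))
    chosen = []
    for req in candidates:
        spec, marker = _split_requirement(req)
        if marker_applies(marker, env):
            chosen.append(spec)
    return chosen


if __name__ == "__main__":
    # Constructed target environment: CPython 3.12 on Linux.
    linux_312 = {"python_version": "3.12", "sys_platform": "linux"}
    print(applicable_requirements(PYPROJECT, linux_312, extras=["cli"], groups=["dev"]))
```

Running the same project against a Windows 3.10 environment selects tomli and pywin32 instead, which is exactly why a lock file has to record the marker on each edge rather than a single flat list: the set of packages is a function of the environment, and a locker that flattened it for the machine it ran on would produce a lock file that is wrong everywhere else.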
Read at Tall, Snarky Canadian