{"id":19729502,"url":"https://github.com/cloud-custodian/poetry-plugin-freeze","last_synced_at":"2025-04-09T11:09:46.526Z","repository":{"id":118710398,"uuid":"610270489","full_name":"cloud-custodian/poetry-plugin-freeze","owner":"cloud-custodian","description":"poetry plugin to freeze dependency versions in wheels","archived":false,"fork":false,"pushed_at":"2025-02-13T22:51:15.000Z","size":203,"stargazers_count":25,"open_issues_count":1,"forks_count":5,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-02T10:12:44.538Z","etag":null,"topics":["poetry","poetry-plugin","poetry-python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloud-custodian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-06T12:47:07.000Z","updated_at":"2025-02-13T22:49:17.000Z","dependencies_parsed_at":"2024-02-28T00:26:12.794Z","dependency_job_id":"065001d1-d2e4-42d3-a244-b46457f11419","html_url":"https://github.com/cloud-custodian/poetry-plugin-freeze","commit_stats":{"total_commits":8,"total_committers":2,"mean_commits":4.0,"dds":0.125,"last_synced_commit":"b6f81ea159b1b243ab879c88ed4b5361d08e1da4"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fpoetry-plugin-freeze","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fpoetry-plugin-freeze/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/cloud-custodian%2Fpoetry-plugin-freeze/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-custodian%2Fpoetry-plugin-freeze/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloud-custodian","download_url":"https://codeload.github.com/cloud-custodian/poetry-plugin-freeze/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248027408,"owners_count":21035594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["poetry","poetry-plugin","poetry-python"],"created_at":"2024-11-12T00:12:39.186Z","updated_at":"2025-04-09T11:09:46.497Z","avatar_url":"https://github.com/cloud-custodian.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Freeze Wheel Plugin\n\nPoetry plugin for creating frozen wheels using lockfiles.\n\n## Why\n\nA common issue when publishing a Python application's release into PyPI, is whether or not the dependencies specified will continue to work over time. This tends to happen due to a confluence of reasons, poor dependency specification, bad observance of semantic versioning, or poor release management by the dependency. That translates to a reality where installing an older release of the application is unlikely to work, due to changes in the underlying dependency graph.\n\nThe dependency ecosystem is both complex and fragile. The emergence of lock files to ensure repeatability is testimony both to the problem and one solution. 
Yet when we go to publish in the packaging ecosystem we do so with non-frozen dependency specifications, not with lockfiles. That means the testing pipeline that produces and validates a release runs against a lockfile, but the release artifact is divorced from the lockfile contents and starts to diverge from the moment of publication.\n\nThe various language package distribution channels (npm, pypi, rubygems, etc) are used for two different primary distribution purposes, for both libraries and applications. Generally speaking the extant behavior is reasonable for a library. Libraries should be relatively liberal on their own dependencies, barring perhaps major versions, to minimize conflicts for applications depending on them, and ideally consist of minimal dependency graphs. But for application distribution, repeatable and verifiable installs are fundamental goals with potentially large dependency graphs. Using a frozen dependency graph versus version specifications is the only way to ensure repeatability of installation over time. Fundamentally the two different distribution purposes have different audiences, i.e. libraries have developers and applications as consumers, applications have users as consumers.\n\n## What\n\nA post build / pre publish command to allow for creating wheels with frozen dependencies. Basically we update wheel metadata for Requires-Dist to replace the pyproject.toml based version specification with a frozen (i.e. 
==version) one based on the version from the poetry lock information.\n\nNote we can't use poetry to publish the frozen wheel because it uses metadata from pyproject.toml instead of frozen wheel metadata.\n\n### Optional Dependencies\n\nFrozen wheel metadata will contain [Provides-Extra](https://packaging.python.org/en/latest/specifications/core-metadata/#provides-extra-multiple-use) entries for any [extra / optional dependencies](https://packaging.python.org/en/latest/specifications/declaring-project-metadata/#dependencies-optional-dependencies). Frozen [Requires-Dist](https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata-requires-dist) lines will specify `extra` names for packages that appear only in the optional/extra dependency graph.\n\nIf a package appears as both a nested \"main\" dependency and also as an \"extra\" dependency, its `Requires-Dist` entry in the frozen wheel _will not_ specify an extra name.\n\nTo define this behavior in relation to poetry's [export plugin](https://github.com/python-poetry/poetry-plugin-export/), these two flows should result in the same installed package set:\n\n```console\n# Export Flow\npoetry export -f requirements.txt \u003e requirements.txt \u0026\u0026 pip install -r requirements.txt\n\n# Freeze-wheel Flow\npoetry build \u0026\u0026 poetry freeze-wheel \u0026\u0026 pip install my_frozen_wheel\n```\n\nAnd introducing extras:\n\n```console\n# Export Flow\npoetry export --extras gcp -f requirements.txt \u0026\u0026 pip install -r requirements.txt\n\n# Freeze-wheel Flow\npoetry build \u0026\u0026 poetry freeze-wheel \u0026\u0026 pip install my_frozen_wheel[gcp]\n```\n\nThe difference is in when to choose which extras to install - `export` does that at freeze time. 
`freeze-wheel` embeds the extra _context_ at freeze time, but defers the actual extra selection until install time.\n\n## Usage\n\n```shell\n# install plugin\npoetry self add poetry-plugin-freeze\n\n# build per normal\npoetry build\n\n# add freeze step\npoetry freeze-wheel\n\n# avoid freezing specific packages\npoetry freeze-wheel --exclude boto3 -e attrs\n\n# Note we can't use poetry to publish because it uses metadata from pyproject.toml instead\n# of frozen wheel metadata.\n\n# publish per normal\ntwine upload dist/*.whl\n```\n\n## Mono-Repo Support\n\nTo support mono repos consisting of multiple libraries/applications, when creating a frozen wheel, main group dependencies specified by path can be optionally substituted out for references to their release artifact versions.\n\nThis assumes automation to run build and publish across the various subpackages, i.e. typically via make or just.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-custodian%2Fpoetry-plugin-freeze","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloud-custodian%2Fpoetry-plugin-freeze","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-custodian%2Fpoetry-plugin-freeze/lists"}