Dependencies
Dependency Policy
The mataroa project has an unusually strict yet usually unclear dependency policy.
Vague rules include:
- No third-party Django apps.
- All Python / PyPI packages should be individually vetted.
- Packages should be published from community-trusted organisations or developers.
- Packages should be actively maintained (though not necessarily actively developed).
- Packages should hold a high quality of coding practices.
- No JavaScript libraries / dependencies.
Current list of top-level PyPI dependencies (source at pyproject.toml):
Adding a new dependency
After approving a dependency, add it using uv:
- Ensure uv is installed and a virtualenv exists (managed by uv).
- Add the dependency to pyproject.toml and the lockfile with:
  - Runtime: uv add PACKAGE
  - Dev-only: uv add --dev PACKAGE
- Install/sync dependencies: uv sync
Upgrading dependencies
When a new Django version is out it’s a good idea to upgrade everything.
Steps:
- Update the lockfile: uv lock --upgrade
- Review changes: git diff uv.lock and spot non-patch level version bumps.
- Examine release notes of each one.
- Install updated deps: uv sync
- Unless something comes up, make sure tests and smoke tests pass.
- Deploy new dependency versions.
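A helper for the review step above, added here as an example and not code from the mataroa repository: it filters git diff uv.lock output down to the packages whose version changed at the major or minor level, which are the ones whose release notes need reading. It assumes the uv.lock layout of [[package]] tables with adjacent name = and version = lines, so git's default three lines of context carry the package name next to the changed version; the sample diff is constructed.

```shell
#!/bin/sh
# Usage in the real workflow: git diff uv.lock | nonpatch_bumps
# Prints "name old -> new" for major/minor bumps and "name added at new"
# for packages that appear for the first time; patch-level bumps are dropped.
nonpatch_bumps() {
    awk '
        # Remember the package name from a context (" ") or added ("+") line.
        # Top-level name lines are unindented, so dependency entries like
        # "    { name = ... }" inside arrays do not match.
        /^[ +]name = "/ { name = $0; sub(/^[ +]name = "/, "", name); sub(/".*/, "", name) }
        /^-version = "/ { old = $0; sub(/^-version = "/, "", old); sub(/".*/, "", old) }
        /^\+version = "/ {
            new = $0; sub(/^\+version = "/, "", new); sub(/".*/, "", new)
            if (old == "") {
                # No matching "-version" line: a brand-new package.
                print name, "added at", new
            } else {
                split(old, o, "."); split(new, n, ".")
                # Major or minor component differs => not a patch-level bump.
                if (o[1] != n[1] || o[2] != n[2]) print name, old, "->", new
            }
            old = ""
        }
    '
}

# Constructed sample diff (not a real uv.lock change): one minor bump,
# one patch bump that should be filtered out, and one newly added package.
SAMPLE_DIFF='diff --git a/uv.lock b/uv.lock
@@ -10,7 +10,7 @@
 [[package]]
 name = "django"
-version = "5.1.2"
+version = "5.2"
 source = { registry = "https://pypi.org/simple" }
@@ -40,7 +40,7 @@
 [[package]]
 name = "pillow"
-version = "10.4.0"
+version = "10.4.1"
 source = { registry = "https://pypi.org/simple" }
@@ -80,3 +80,8 @@
+[[package]]
+name = "examplepkg"
+version = "3.7"
+source = { registry = "https://pypi.org/simple" }'

printf '%s\n' "$SAMPLE_DIFF" | nonpatch_bumps
```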