Dependencies

Dependency Policy

The mataroa project has an unusually strict yet usually unclear dependency policy.

Vague rules include:

• No third-party Django apps.
• All Python / PyPI packages should be individually vetted.
  • Packages should be published from community-trusted organisations or developers.
  • Packages should be actively maintained (though not necessarily actively developed).
  • Packages should hold a high quality of coding practices.
• No JavaScript libraries / dependencies.

Current list of top-level PyPI dependencies (source at requirements.in):

• Django
• psycopg2-binary
• gunicorn
• Markdown
• Pygments
• bleach
• stripe

Adding a new dependency

After approving a dependency, the process to add it is:

1. Assuming a venv is activated and requirements.dev.txt are installed.
2. Add new dependency in requirements.in.
3. Run pip-compile to generate requirements.txt
4. Run pip install -r requirements.txt

Upgrading dependencies

When a new Django version is out it’s a good idea to upgrade everything.

Steps:

1. Assuming a venv is activated and requirements.dev.txt are installed.
2. Run pip-compile -U --no-strip-extras to generate an upgraded requirements.txt.
3. Run git diff requirements.txt and spot non-patch level vesion bumps.
4. Examine release notes of each one.
5. Unless something comes up, make sure tests and smoke tests pass.
6. Deploy new dependency versions.