Dependencies

Dependency Policy

The mataroa project has an unusually strict yet usually unclear dependency policy.

Vague rules include:

  • No third-party Django apps.
  • All Python / PyPI packages should be individually vetted.
    • Packages should be published from community-trusted organisations or developers.
    • Packages should be actively maintained (though not necessarily actively developed).
    • Packages should hold a high quality of coding practices.
  • No JavaScript libraries / dependencies.

Current list of top-level PyPI dependencies (source at pyproject.toml):

Adding a new dependency

After approving a dependency, add it using uv:

  1. Ensure uv is installed and a virtualenv exists (managed by uv).
  2. Add the dependency to pyproject.toml and lockfile with:
    • Runtime: uv add PACKAGE
    • Dev-only: uv add --dev PACKAGE
  3. Install/sync dependencies: uv sync

Upgrading dependencies

When a new Django version is out, it’s a good idea to upgrade everything.

Steps:

  1. Update the lockfile: uv lock --upgrade
  2. Review changes: run git diff uv.lock and spot non-patch-level version bumps (minor and major).
  3. Examine the release notes of each such package.
  4. Install updated deps: uv sync
  5. Unless something comes up in the previous steps, make sure the tests and smoke tests pass.
  6. Deploy new dependency versions.