This package is a vendor widely used by `sgtk` to parse configuration files
6
-
in YAML format.
5
+
The `requirements` folder contains subdirectories for different Python versions (e.g., `3.7`, `3.9`, `3.10`, and `3.11`). Each subdirectory includes the following files:
7
6
8
-
This package is shipped in source format, that means that only `*.py` are
9
-
included in `python/tank_vendor/yaml`.
7
+
-**`requirements.txt`**: Specifies the dependencies for the corresponding Python version. This file is primarily used to document which packages are required for the application.
8
+
-**`frozen_requirements.txt`**: A frozen version of the dependencies, capturing exact package versions installed, including sub-dependencies, to ensure consistent and reproducible environments.
9
+
-**`pkgs.zip`**: A zip file containing the bundled packages for the corresponding Python version.
10
10
11
-
If you need to upgrade this package you can use the script `upgrade_pyyaml.py`.
11
+
### How bundled packages are used
12
12
13
-
```shell
14
-
cd tk-core/developer
15
-
python upgrade_pyyaml.py
16
-
```
13
+
The `__init__.py` file in the `tank_vendor` folder dynamically references and loads packages from the appropriate `pkgs.zip` file in the `requirements` folder.
14
+
15
+
This approach centralizes the management of dependencies, ensuring that packages are versioned and bundled consistently across different Python versions.
16
+
17
+
### Updating and creating bundled packages
18
+
19
+
The `requirements/update_python_packages.py` script automates the creation and maintenance of the `pkgs.zip` file.
20
+
21
+
#### Workflow:
22
+
23
+
1. Update the `requirements.txt` file for the desired Python version.
24
+
2. Run the `requirements/update_python_packages.py` script to:
25
+
- Install the specified dependencies in a temporary directory.
26
+
- Create or update the `pkgs.zip` file with the required packages.
27
+
- Generate the `frozen_requirements.txt` file for consistency.
28
+
3. Validate that the `pkgs.zip` file contains all necessary packages and matches the updated requirements.
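Review bot: Step 3 of the workflow ("Validate that the `pkgs.zip` file contains all necessary packages and matches the updated requirements") does not say how to validate, and `pkgs.zip` is a binary artifact that cannot be read in a diff. Suggest naming a concrete check here, for example listing the archive's contents and comparing the bundled packages against the regenerated `frozen_requirements.txt`, so a reviewer can confirm the zip was built from the committed requirements. The removed section also gave a runnable invocation (`cd tk-core/developer`, `python upgrade_pyyaml.py`); the new text names `requirements/update_python_packages.py` but not the working directory or which interpreter to use for each of the `3.7`, `3.9`, `3.10` and `3.11` subdirectories, which is worth stating.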
Then, let's remove all undesired directories and files, just leave the `ruamel` directory.
30
42
We can automate this task later.
31
43
32
-
## The requirements.txt file
44
+
### Maintaining dependencies
45
+
46
+
When adding new dependencies or updating existing ones:
47
+
1. Update the `requirements.txt` file for the corresponding Python version.
48
+
2. Regenerate the `pkgs.zip` and `frozen_requirements.txt` files using `requirements/update_python_packages.py`.
49
+
3. Ensure the `pkgs.zip` file includes all necessary packages and modules.
50
+
51
+
### Automated CVE checks
52
+
53
+
The `frozen_requirements.txt` files enable automated checks for vulnerabilities (CVEs) in the bundled packages. These files capture the exact versions of dependencies included in the `pkgs.zip` files, ensuring the application remains secure by providing visibility into potential vulnerabilities.
54
+
55
+
### Notes
33
56
34
-
The file `developer/requirements.txt` is not used to install any packages,
35
-
however exists so that automated checks for CVEs in dependencies will know about
36
-
bundled packages in `python/tank_vendor`.
57
+
The dynamic loading mechanism in `tank_vendor/__init__.py` ensures that bundled packages are accessed seamlessly from the `pkgs.zip` files, reducing duplication and simplifying dependency updates.
37
58
38
-
For this reason, it's important to add any newly bundled packages to this file,
39
-
and to keep the file up to date if the bundled version of a module changes.
59
+
Careful attention to package structure and appropriate import mechanisms will help avoid runtime issues and ensure smooth integration of new dependencies.
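Review bot: The "Automated CVE checks" paragraph drops the maintenance obligation that the removed text stated explicitly ("it's important to add any newly bundled packages to this file, and to keep the file up to date"). The scan is only as accurate as the match between each `frozen_requirements.txt` and its `pkgs.zip`, so suggest stating that the two are always regenerated together by `requirements/update_python_packages.py` and not edited by hand, and rewording "ensuring the application remains secure" to what the files actually provide, which is visibility into the bundled versions. Separately, the unchanged context lines at the top of this hunk ("just leave the `ruamel` directory", "We can automate this task later.") describe a manual clean-up step; please check whether they still apply alongside the automated workflow or should be removed as well.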