Hi all,
Currently taskcluster-client.py loosely pins its upstream dependencies, like
requests>=2.4.3,<3. As long as upstream dependencies adhere to semantic
versioning, this should catch any breaking changes before they hit
downstream users.
In practice, we've found these pins prevent us from using new versions of
dependencies, and only sometimes help prevent downstream bustage. Because
treeherder and various releng repos use pyup to automatically update
dependencies, these pins add overhead on a weekly basis.
We're currently thinking about unpinning the dependencies in
taskcluster-client.py, and pushing that responsibility down to the users of
the library. This means we'll have more freedom to choose our dependency
versions, but we'll also have more responsibility to make sure those
dependency changes don't break us.
Are there any thoughts, concerns, or questions about this? If we agree, here
<https://github.com/taskcluster/taskcluster-client.py/pull/130> is the PR
to unpin deps in taskcluster-client.py.
Some previous threads on the matter are at
https://bugzilla.mozilla.org/show_bug.cgi?id=1531021#c7 and
https://github.com/taskcluster/taskcluster-client.py/issues/87#issuecomment-468519489
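Added example, not code from the taskcluster-client.py project: a small checker that evaluates a loose pin such as `requests>=2.4.3,<3` against candidate release versions, showing which releases the upper bound holds back and that a fully unpinned requirement lets everything through. The candidate version list is constructed for illustration.

```python
import operator
import re
from typing import Dict, List, Tuple

# Constructed sample input: the loose pin quoted in the post, plus a few
# hypothetical candidate versions a resolver or pyup might offer.
PIN = "requests>=2.4.3,<3"
CANDIDATES = ["2.4.2", "2.4.3", "2.31.0", "3.0.0"]

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "==": operator.eq}
_CLAUSE = re.compile(r"^(>=|<=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


def parse_pin(pin: str) -> Tuple[str, List[Tuple[str, Tuple[int, ...]]]]:
    """Split 'name>=a.b,<c' into the name and a list of (op, version) clauses.
    A bare name (no clauses) is an unpinned requirement."""
    match = re.match(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(.*)$", pin.strip())
    if not match:
        raise ValueError(f"unparseable requirement: {pin!r}")
    name, spec, clauses = match.group(1), match.group(2).strip(), []
    for part in spec.split(",") if spec else []:
        clause = _CLAUSE.match(part.strip())
        if not clause:
            raise ValueError(f"unsupported clause in {pin!r}: {part!r}")
        clauses.append((clause.group(1), parse_version(clause.group(2))))
    return name, clauses


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    # Compare 3 and 3.0.0 as equal by right-padding the shorter tuple with zeros.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def classify(version: str, clauses) -> str:
    """Return 'allowed', or name the first clause that rejects the version."""
    for op, bound in clauses:
        v, b = _pad(parse_version(version), bound)
        if not _OPS[op](v, b):
            return "blocked by " + op + ".".join(map(str, bound))
    return "allowed"


def audit(pin: str, candidates) -> Dict[str, str]:
    """Map each candidate version to its status under the given pin."""
    _, clauses = parse_pin(pin)
    return {c: classify(c, clauses) for c in candidates}
```

Running `audit(PIN, CANDIDATES)` shows 2.4.3 and 2.31.0 allowed, 2.4.2 rejected by the lower bound, and 3.0.0 held back by `<3`; `audit("requests", CANDIDATES)` allows all four, which is the trade-off the post describes.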