mirror of
https://github.com/netbox-community/netbox.git
synced 2026-01-11 21:10:29 +01:00
pin *all* dependencies in requirements.txt #3348
Closed
opened 2025-12-29 18:28:05 +01:00 by adam
·
8 comments
No Branch/Tag Specified
main
update-changelog-comments-docs
feature-removal-issue-type
20911-dropdown
20239-plugin-menu-classes-mutable-state
21097-graphql-id-lookups
feature
fix_module_substitution
20923-dcim-templates
20044-elevation-stuck-lightmode
feature-ip-prefix-link
v4.5-beta1-release
20068-import-moduletype-attrs
20766-fix-german-translation-code-literals
20378-del-script
7604-filter-modifiers-v3
circuit-swap
12318-case-insensitive-uniqueness
20637-improve-device-q-filter
20660-script-load
19724-graphql
20614-update-ruff
14884-script
02496-max-page
19720-macaddress-interface-generic-relation
19408-circuit-terminations-export-templates
20203-openapi-check
fix-19669-api-image-download
7604-filter-modifiers
19275-fixes-interface-bulk-edit
fix-17794-get_field_value_return_list
11507-show-aggregate-and-rir-on-api
9583-add_column_specific_search_field_to_tables
v4.5.0
v4.4.10
v4.4.9
v4.5.0-beta1
v4.4.8
v4.4.7
v4.4.6
v4.4.5
v4.4.4
v4.4.3
v4.4.2
v4.4.1
v4.4.0
v4.3.7
v4.4.0-beta1
v4.3.6
v4.3.5
v4.3.4
v4.3.3
v4.3.2
v4.3.1
v4.3.0
v4.2.9
v4.3.0-beta2
v4.2.8
v4.3.0-beta1
v4.2.7
v4.2.6
v4.2.5
v4.2.4
v4.2.3
v4.2.2
v4.2.1
v4.2.0
v4.1.11
v4.1.10
v4.1.9
v4.1.8
v4.2-beta1
v4.1.7
v4.1.6
v4.1.5
v4.1.4
v4.1.3
v4.1.2
v4.1.1
v4.1.0
v4.0.11
v4.0.10
v4.0.9
v4.1-beta1
v4.0.8
v4.0.7
v4.0.6
v4.0.5
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.7.8
v3.7.7
v4.0-beta2
v3.7.6
v3.7.5
v4.0-beta1
v3.7.4
v3.7.3
v3.7.2
v3.7.1
v3.7.0
v3.6.9
v3.6.8
v3.6.7
v3.7-beta1
v3.6.6
v3.6.5
v3.6.4
v3.6.3
v3.6.2
v3.6.1
v3.6.0
v3.5.9
v3.6-beta2
v3.5.8
v3.6-beta1
v3.5.7
v3.5.6
v3.5.5
v3.5.4
v3.5.3
v3.5.2
v3.5.1
v3.5.0
v3.4.10
v3.4.9
v3.5-beta2
v3.4.8
v3.5-beta1
v3.4.7
v3.4.6
v3.4.5
v3.4.4
v3.4.3
v3.4.2
v3.4.1
v3.4.0
v3.3.10
v3.3.9
v3.4-beta1
v3.3.8
v3.3.7
v3.3.6
v3.3.5
v3.3.4
v3.3.3
v3.3.2
v3.3.1
v3.3.0
v3.2.9
v3.2.8
v3.3-beta2
v3.2.7
v3.3-beta1
v3.2.6
v3.2.5
v3.2.4
v3.2.3
v3.2.2
v3.2.1
v3.2.0
v3.1.11
v3.1.10
v3.2-beta2
v3.1.9
v3.2-beta1
v3.1.8
v3.1.7
v3.1.6
v3.1.5
v3.1.4
v3.1.3
v3.1.2
v3.1.1
v3.1.0
v3.0.12
v3.0.11
v3.0.10
v3.1-beta1
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.11.12
v3.0-beta2
v2.11.11
v2.11.10
v3.0-beta1
v2.11.9
v2.11.8
v2.11.7
v2.11.6
v2.11.5
v2.11.4
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.10
v2.10.9
v2.11-beta1
v2.10.8
v2.10.7
v2.10.6
v2.10.5
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.11
v2.10-beta2
v2.9.10
v2.10-beta1
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.9-beta2
v2.8.9
v2.9-beta1
v2.8.8
v2.8.7
v2.8.6
v2.8.5
v2.8.4
v2.8.3
v2.8.2
v2.8.1
v2.8.0
v2.7.12
v2.7.11
v2.7.10
v2.7.9
v2.7.8
v2.7.7
v2.7.6
v2.7.5
v2.7.4
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.12
v2.6.11
v2.6.10
v2.6.9
v2.7-beta1
Solcon-2020-01-06
v2.6.8
v2.6.7
v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.13
v2.5.12
v2.6-beta1
v2.5.11
v2.5.10
v2.5.9
v2.5.8
v2.5.7
v2.5.6
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.9
v2.5-beta2
v2.4.8
v2.5-beta1
v2.4.7
v2.4.6
v2.4.5
v2.4.4
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.7
v2.4-beta1
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.10
v2.3-beta2
v2.2.9
v2.3-beta1
v2.2.8
v2.2.7
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.6
v2.2-beta2
v2.1.5
v2.2-beta1
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.10
v2.1-beta1
v2.0.9
v2.0.8
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v2.0-beta3
v1.9.6
v1.9.5
v2.0-beta2
v1.9.4-r1
v1.9.3
v2.0-beta1
v1.9.2
v1.9.1
v1.9.0-r1
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.3
v1.7.2-r1
v1.7.1
v1.7.0
v1.6.3
v1.6.2-r1
v1.6.1-r1
1.6.1
v1.6.0
v1.5.2
v1.5.1
v1.5.0
v1.4.2
v1.4.1
v1.4.0
v1.3.2
v1.3.1
v1.3.0
v1.2.2
v1.2.1
v1.2.0
v1.1.0
v1.0.7-r1
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3-r1
v1.0.3
1.0.0
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/netbox#3348
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @candlerb on GitHub (Feb 19, 2020).
Environment
Proposed Functionality
In my opinion, netbox should pin the version of all packages it uses - not just direct dependencies but all descendant dependencies as well.
Use Case
People are repeatedly running into issues where Netbox breaks because a child or grandchild dependency package is at an unexpected version.
I personally hit it in #3460. I hit it again with PyYAML installing the wrong version under Ubuntu 16.04. However there are numerous recent cases in google groups where people have broken systems and the fixes involve upgrading or downgrading random packages (e.g. markdown, django-restframework).
I think Netbox has become unsupportable unless one of two things happen:
There may also be some improvement by getting all users to install in a fresh virtualenv (not polluted by any packages they've already installed, or any OS-supplied python packages), but that doesn't solve the problem completely.
Database Changes
None
External Dependencies
This is to some extent caused by a long-standing bug in pip which does not handle recursive dependencies properly. If A installs B and C, and B and C both depend on D (but with different version requirements), a version of D may be installed which meets one requirements but not both, even though a suitable version which meets both is available.
However even if that bug did not exist, pip3 could still end up installing a version of D which meets the declared requirements of B and C, but for some reason does not work in the context of Netbox. This could be because of some missing dependency (Netbox actually uses D directly but doesn't declare it); or it could be because of some other unexpected interaction.
To take one specific example see this post, where the output of "pip3 list" from an end user is very different to what my own system shows - and by extension, is likely to be different to what the Netbox developers have.
If this happens, it means that (a) developers aren't going to be aware of problems; (b) end-users are going to experience these problems first; and (c) we end up trying to support people's systems with problems we haven't seen before and whose systems are in indeterminate states.
Note: Netbox pins most of its direct dependencies to specific versions, but not Django which it pins to a range.
@chicks-net commented on GitHub (Feb 19, 2020):
Have you considered pipenv ? It seems to solve the virtualenv creation and python package pinning that you're looking for.
@jeremystretch commented on GitHub (Feb 19, 2020):
Are you asserting that there's something unique to NetBox that requires this, or that this is true for all projects which employ pip for dependency management?
@candlerb commented on GitHub (Feb 19, 2020):
The latter. This is what "pip freeze" exists for.
@jeremystretch commented on GitHub (Feb 19, 2020):
Just want to go on record to point out that this is a non-starter: We won't require users to implement an entire layer of abstraction and deploy external services simply to run the application.
I'm not necessarily opposed to adopting this as policy, but we should consider the implications. First, this would effectively require users to run NetBox in a virtual environment (if not using a dedicated server already). This isn't a bad thing IMO, but it does amount to a new installation requirement that needs to be communicated and documented. Incidentally, this initiative has already been captured as #3949.
Second, it means the maintainers must now vet a specific release version for every dependent package: There are currently almost 60, as opposed to the 25 direct dependencies we currently maintain. I don't think this is too big a deal given that we typically update pinned versions only during minor releases (e.g. from 2.6 to 2.7), but it is worth noting that we'd now be managing an entire tree of dependencies.
We'd also be asserting that all dependent packages can be updated only during a minor release. The only exception to this is when a bug or vulnerability is identified in a dependent package (which requires a peer bug report to be submitted against NetBox to track the change).
And finally, I'll point out that this largely prevents bundling NetBox as a distribution package, as pointed out in #2977. I don't think this is a substantial argument though, especially given that it's already largely frustrated by the current pinnings.
So to summarize:
requirements.txtto pin a specific version for all ~60 dependent packagesbase_requirements.txtto document all ~60 packages and why they are neededDoes that sound right?
IMO if we're going to pin everything we might as well pin Django too. The downside is that new installations won't get the most recent stable release.
@candlerb commented on GitHub (Feb 19, 2020):
Yes, I believe so, thank you.
Speaking as a user of Netbox, that would be a big plus point. I am unlikely to be monitoring for security alerts on all of Netbox's recursive package dependencies; but if Netbox comes out with a new release because a dependency had to be updated, I will notice that and will upgrade.
Regarding updating all pinned versions on minor (i.e. 2.x) release: I'd say that's a good time to do it.
I think it's right to pin it. If a new Django release doesn't do anything which fixes a problem observable by Netbox users, then there's no need to upgrade. Having a known working version is more important. But as above: if Django makes a point release because of a security issue, then having a corresponding bump in Netbox gives a useful notification of the need to upgrade. Plus, hopefully the Netbox developers have done at least a quick regression test first.
@tyler-8 commented on GitHub (Feb 19, 2020):
There are some common tools out there that can help maintain these workflows and track requirements more intelligently than what
requirements.txtprovidespyproject.toml) - that is also exportable torequirements.txtfor users.@jeremystretch commented on GitHub (Feb 25, 2020):
It occurs to me to point out that our CI tests rebuild a virtual environment per
requirements.txton every run, and never seem to encounter a problem with dependency management. Since we're looking at moving to recommend a virtualenv-based installation anyway (see #3949), this may be easily resolved by simply rebuilding the virtual environment from scratch on each upgrade.@jeremystretch commented on GitHub (Feb 26, 2020):
I've just implemented #3949, which moves the official NetBox implementation into a Python virtual environment. During an upgrade, the virtualenv is destroyed and completely rebuilt, effectively replicating the same process we use for our CI tests. With this approach in place, it's difficult to imagine a dependency issue that would persist for a user but escape our integration tests.
I'm going to close this issue as I believe the us of virtual environments negates the concerns it has raised. We can revisit if any further dependency issues arise.