How do I update the requirements/constraints.txt file?

[leplatrem]

If I want to upgrade a package, I do:

hashin -r requirements/default.txt  "kinto-attachment" 

Great.

But I now, how do I upgrade the dependencies? Even if the current ones are OK, I want to run the latest set compatible with my top ones.

The README says If it fails because pip believes your new package has other dependencies not already mentioned in requirements/constraints.txt add them like this:

[peterbe]

hashin doesn't have a way to do that yet. So you have to manually pick which packages you want to update. This isn't any different between requirements/default.txt and requirements/constraints.txt. To found out which packages are outdated, use:

$ pip install piprot
$ piprot -o requirements/constraints.txt
kinto-http (9.1.2) is 180 days out of date. Latest is 10.0.0
boto3 (1.9.16) is 21 days out of date. Latest is 1.9.31
botocore (1.12.16) is 21 days out of date. Latest is 1.12.31
urllib3 (1.23) is 133 days out of date. Latest is 1.24
transaction (2.2.1) is 209 days out of date. Latest is 2.4.0
colorama (0.3.9) is 531 days out of date. Latest is 0.4.0
cornice (3.4.0) is 194 days out of date. Latest is 3.4.2
pyramid_tm (2.2) is 477 days out of date. Latest is 2.2.1
requests (2.19.1) is 126 days out of date. Latest is 2.20.0
python-dateutil (2.7.3) is 168 days out of date. Latest is 2.7.4
certifi (2018.8.24) is 52 days out of date. Latest is 2018.10.15
WebOb (1.8.2) is 131 days out of date. Latest is 1.8.3
zope.interface (4.5.0) is 14 days out of date. Latest is 4.6.0
hupper (1.3) is 136 days out of date. Latest is 1.3.1
Your requirements are 2393 days out of date

Then, eying the ones you think are safe to upgrade, do things like:

$ hashin -r requirements/constraints.txt kinto-http boto3 botocore ...

[leplatrem]

Excellent thanks!

[peterbe]

By the way, in an unreleased version of hashin you can now use...

$ hashin -r requirements/constraints.txt

and it will basically extract all the package names from that file an run them all.

There are a couple of caveats. That change can be huge so you might want to wait till there's a way to do it by cherry picking. E.g.

$ hashin -r requirements/constraints.txt --interactive

See peterbe/hashin#90

[peterbe]

Check this out!

▶ python hashin.py -r ~/kinto-dist/requirements/constraints.txt --interactive --update-all --dry-run
PACKAGE                        YOUR VERSION    NEW VERSION
kinto-http                     9.1.2           10.1.0          ?
MarkupSafe                     1.0             1.1.0           ✓
pyldap                         3.0.0           3.0.0.post1     ✓
requests                       2.20.0          2.20.1          ✓
--- Old
+++ New
@@ -32,9 +32,9 @@
     --hash=sha256:e175a006725c7faadbe69e791877d09936c0ef2cf49d01b60a6c1efcb0e8be6f \
     --hash=sha256:edd9c13a97f6550f9da2236126bb51c092b3b1ce6187f2bd966533ad794bbb5e \
     --hash=sha256:fa39ea60d527fbdd94215b5e5552f1c6a912624521093f1384a491a8ad89ad8b
-kinto-http==9.1.2 \
-    --hash=sha256:dce1d39bad5b7323b43a2e8c8116b2dd02706e4dfa9d1554d4e573cdb9e08f01 \
-    --hash=sha256:e223e965f96e92cf916f473b4112fc4356698a553885f6dd49e99da8df00c404
+kinto-http==10.1.0 \
+    --hash=sha256:4b1ace6d46a180810c5ce0744fa89a4273c8314824abc70f868114a047780313 \
+    --hash=sha256:8a9358eeca2f020d5dbdb884ed0c4c7d9436afad9a801e6a609b2ed83d26f638
 Jinja2==2.10 \
     --hash=sha256:74c935a1b8bb9a3947c50a54766a969d4846290e1e788ea44c1392163723c3bd \
     --hash=sha256:f84be1bb0040caca4cea721fcbbbbd61f9be9464ca236387158b0feea01914a4
@@ -50,10 +50,37 @@
 Unidecode==1.0.22 \
...

That's cool. But I discovered a bug. The interactive prompt asked "Upgrade? [y/n/q/a/?]" and when you press "a" it basially says "Yes" to all of them. But the little "?" question mark isn't converted to a checkbox.

[leplatrem]

Dependabot does the job now :)