From f61bee4b6ecd8bffbd9c83fb1044217641d6aa66 Mon Sep 17 00:00:00 2001 From: Jeff Widman Date: Wed, 9 Aug 2023 20:32:34 -0700 Subject: [PATCH] Stop pinning `wheel` We've gone back and forth on this repeatedly: * https://github.com/dependabot/dependabot-core/pull/5597 * https://github.com/dependabot/dependabot-core/pull/7748#issuecomment-1670974893 As @yeikel pointed out, if we're going to keep pinning this, we really ought to have CI that checks it in some way (although that'd potentially be tricky as we want to not only test on latest python, but also oldest python). As Deivid pointed out though, it's not really providing a lot of benefit for us to pin... simpler to just let `pip` pick whatever it needs and keep going. If we observe breakage, we can start pinning again. Although probably (hopefully) that'd be very infrequent, and it'd be only a temporary thing until upstream fixes their bug and releases a new version then we can drop the pin. Or in that case I'd probably actually expect `pip-tools` to handle the work of temp-pinning as they're the ones who need it. --- python/helpers/requirements.txt | 3 --- 1 file changed, 3 deletions(-) diff --git a/python/helpers/requirements.txt b/python/helpers/requirements.txt index 93181463ec..c12f29834c 100644 --- a/python/helpers/requirements.txt +++ b/python/helpers/requirements.txt @@ -4,9 +4,6 @@ hashin==0.17.0 pipenv==2022.4.8 pipfile==0.0.2 poetry>=1.1.15,<1.6.0 -# For now we chose to pin `wheel` even though we don't import it directly. -# Background context: https://github.com/dependabot/dependabot-core/pull/5597 -wheel==0.37.1 # Some dependencies will only install if Cython is present Cython==3.0.0
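Review bot: the removal of `wheel==0.37.1` in python/helpers/requirements.txt also drops both comment lines that explained the pin, so nothing in the file records that `wheel` is now deliberately unpinned. Since the commit message says this decision has gone back and forth across earlier PRs, consider leaving a one-line comment in place of the removed block stating that `wheel` is intentionally left for `pip` to resolve, with a link to this change, so the pin is not reintroduced without that context. Every neighbouring entry in the hunk (`hashin==0.17.0`, `pipenv==2022.4.8`, `pipfile==0.0.2`, `Cython==3.0.0`) is still an exact pin, so after this change the `wheel` version in the helper environment can differ from one build to the next. The commit message plans to re-pin "if we observe breakage" but adds no CI check, so recording the resolved versions at build time (for example with `pip freeze`) would make such breakage easier to attribute to a `wheel` release.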