feat(lockfile): skip source tree hash for workspace packages#5452
Open
cademirch wants to merge 1 commit intoprefix-dev:mainfrom
Open
feat(lockfile): skip source tree hash for workspace packages#5452cademirch wants to merge 1 commit intoprefix-dev:mainfrom
cademirch wants to merge 1 commit intoprefix-dev:mainfrom
Conversation
Don't compute or store the source tree hash for the workspace's own package (path = ".") in the lockfile. This avoids lockfile invalidation when only metadata fields like version or authors change but dependencies remain the same. See: prefix-dev#5438
Author
|
Hi @ruben-arts, I took a crack at this as discussed in #5438, would appreciate any feedback when you have time! Thanks. |
Contributor
|
Pulling in @tdejager as he's been the head of PyPI integration. I believe your implementation is not a solution to the problem at large. I believe we're planning to remove the hash completely from the lockfile but that requires some extra logic to invalidate the lockfile. In the conda packages we started using the local cache to do this validation local to the user. Which solved the problem. I think this should also be done for the PyPI implementation. @tdejager Is that correct? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Don't compute or store the source tree hash for the workspace's own pypi package (path = ".") in the lockfile. This avoids lockfile invalidation when only metadata fields like version or authors change but dependencies remain the same.
I went with a naive approach here: compare the install path against the project root to detect the workspace
package, then skip hashing for it. Happy to discuss better approaches. I think more tests should be added to cover these changes, but want to make sure this is the right direction before continuing.
Fixes #5438
How Has This Been Tested?
Via integration test added in
crates/pixi/tests/integration_rust/pypi_tests.rs. The test installs an environment from apyproject.toml, checks that the generated lockfile does not have a hash for the workspace pypi package. Then thepyproject.tomlkeysproject.versionandproject.authorsare updated, and we install the env again with--locked, which succeeds.AI Disclosure
Tools: Claude Opus 4.6
Checklist:
schema/model.py.