←back to thread

Switching Pip to Uv in a Dockerized Flask / Django App

(nickjanetakis.com)
264 points tosh | 10 comments | 24 Jun 25 09:46 UTC | HN request time: 0.851s | source | bottom
Show context
gchamonlive ◴[24 Jun 25 10:48 UTC] No.44364747[source]

  # Ensure we always have an up to date lock file.
  if ! test -f uv.lock || ! uv lock --check 2>/dev/null; then
    uv lock
  fi
Doesn't this defeat the purpose of having a lock file? If it doesn't exist or if it's invalid something catastrophic happened to the lock file and it should be handled by someone familiar with the project. Otherwise, why have a lock file at all? The CI will silently replace the lock file and cause potential confusion.
replies(5): >>44364785 #>>44364880 #>>44365348 #>>44368840 #>>44370311 #
1. 9dev ◴[24 Jun 25 11:12 UTC] No.44364880[source]
What are the possible remediation steps, however? If there is no lock file at all, this is likely the first run, or it will be overwritten from a git upstream later on anyway; if it's broken, chances are high someone messed up a package installation and creating a fresh lock file seems like the only sensible thing to do.

I also feel like this handles rare edge cases, but it seems like a pretty straightforward way to do so.

replies(4): >>44364906 #>>44364907 #>>44364927 #>>44366724 #
2. globular-toast ◴[24 Jun 25 11:16 UTC] No.44364906[source]
The fix is to generate the lockfile and commit it to the repository. Every build should be based on the untouched lockfile from the repo. It's the entire point of it.
3. stavros ◴[24 Jun 25 11:16 UTC] No.44364907[source]
If there's no lock file at all, you haven't locked your dependencies, and you should just install whatever is current (don't create a lockfile). If it's broken, you have problems, and you need to abort the deploy.

There is never a reason for an automated system to create a lockfile.

replies(1): >>44365362 #
4. JimDabell ◴[24 Jun 25 11:20 UTC] No.44364927[source]
If the lock file is missing the only sensible thing to do is require human intervention. Either it’s the unusual case of somebody initialising a project but never syncing it, or something has gone seriously wrong – with potential security implications. The upside to automating this is negligible and the downside is large.
replies(1): >>44365056 #
5. guappa ◴[24 Jun 25 11:39 UTC] No.44365056[source]
? It has always been the case that if you don't specify a version, the latest is implied.
replies(1): >>44365078 #
6. slau ◴[24 Jun 25 11:42 UTC] No.44365078{3}[source]
Whether it’s the latest or not is irrelevant. What’s important is the actual package hash. This is the only way to have fully reproducible builds that are immune to poison-the-well attacks.
replies(1): >>44367295 #
7. ealexhudson ◴[24 Jun 25 12:20 UTC] No.44365362[source]
The reason is simple: it allows you to do the install using "sync" in all cases, whether the lockfile exists or not.

Where the lockfile doesn't exist, it creates it from whatever current is, and the lockfile then gets thrown away later. So it's equivalent to what you're saying, it just avoids having two completely separate install paths. I think it's the correct approach.

replies(1): >>44365495 #
8. stavros ◴[24 Jun 25 12:33 UTC] No.44365495{3}[source]
I don't understand, you can already run `uv sync` if the lockfile doesn't exist. It just creates a new one. Why do it explicitly, like here?
9. ufmace ◴[24 Jun 25 14:34 UTC] No.44366724[source]
IMO, this is the process for building an application image for deployment to production. If the lock file is not present, then the developer has done something wrong and the deployment should fail catastrophically because only manual intervention by the developer can fix it correctly.
10. guappa ◴[24 Jun 25 15:29 UTC] No.44367295{4}[source]
That would be true if anyone actually ever reviewed the dependencies. Which is not the case. So the version doesn't matter when any version is as likely to contain malware.