Python Dependencies

Unlike our frontend JavaScript story, where we're generally very happy pulling in dependencies, we're much more conservative on the backend. Any dependency we pull in might require us to eventually (temporarily) fork and vendor it if the upstream project no longer supports our version of Python.

Additionally, all these dependencies run on the server, making them riskier as they have direct access to customer data if they turn out to be malicious.

So here are the rules:

1. Any new dependency needs to be thoroughly reviewed and approved by owners-python-build.
2. Dependency URLs need to go into getsentry's requirements. They aren't allowed in sentry because PyPI does not accept URLs.

Updating Dependencies

We generate frozen requirements files from requirements-base.txt and requirements-dev.txt, so if you're updating dependencies, change those source files and run make freeze-requirements, which will refreeze.

Note that many of the pins in the source files are lower bounds to encourage updating to latest versions, though this isn't a strict requirement. For example if you're upgrading something like Django, you will want to have a tighter pin.

Unclear?

If you have questions about dependencies, ask owners-python-build or in #discuss-dev-infra.