Back to Posts

Pin Your Dang Dependencies

Flask made an oopsie.

I love the framework, it works well and is simple enough to integrate in a Python project to spin up a quick API. But they don't pin their dependencies (or didn't) which caused massive issues across thousands of code basis overnight depending on how you used the project. You see, when you introduce a dependency into your project, the smart thing to do is pin a specific version so that regardless of the author of that dependency updating it, you have complete control over when you upgrade so that you can prepare your application for any breaking changes.

At work, this is exactly what we do. We pin every dependency we introduce into our projects, often times down to the patch level. Flask on the other had does not pin its own dependencies. It only has 4: Werkzeug, Jinja2, itsdangerous, and click. Some of these haven't been updated in over 8 years! The trouble comes in when these packages get updated - without being pinned, our projects will also pull in the latest versions (without us knowing or expecting breaking changes. If you want to follow the drama, here are the couple issues we tracked during the crisis:

TLDR: We needed and expected the behavior of Flasks dependencies to stay the same. We pinned Flask to 1.1.2 but because Flask didn't pin their dependencies, the next time we built our projects; even though they were pulling the old 1.1.2 build, Flask itself was happily pulling whatever the latest set of dependencies it had listed instead of a set specific version. This broke many of our integrations as breaking changes were introduced without our knowledge due to not pinning an upper limit to their dependencies. We have upwards of 300 repos, you can imagine how fun it was to go through and determine which ones we needed to manually pin dependencies of dependencies - the tree gets very large, very fast. Now imagine how many people use Flask, tens of thousands or more! One new version later (Flask 2.0) and many projects broke, all because there was no <= sign...

Pin your dang dependencies. It will save you SO much headache and the thousands of others that use your open source software headaches. I went through all my projects and made sure I pinned them at least to the minor version. Say I pinned it to v1.*, that means I'll get anything up until v2 which if everyone is following semantic versioning means I won't introduce breaking changes but can still get security updates and new features. You could get more granular and pin the to the patch version or pin an exact version depending on your needs.

I pinned my dang dependencies - will you?


Justin Hammond
I love all things tech. I've been programming since the age of 12, repairing iPhones since 16, and founding tech companies since 20. I'm an open source fanatic, Apple fanboy, and love to explore new tech. I spend my time coding open source projects, tinkering with electronics and new tech products, and consulting teams on how to get things done.


Comments

Please login to leave a comment.

No comments yet.