dependency version badges for applications, from package.json #2259
Comments
|
Hi! Thanks for the suggestion. Is the idea that you would identify your repo, and a single dependency, and then it would show something like jest | up to date if that dependency was current, and jest | outdated when it's not? |
paulmelnikow
added
the
service-badge
|
Hey @paulmelnikow, I was thinking more along the lines of... Up to date version is blue or green... Outdated version would be in red.. |
|
Any movement on this? Did anyone ever find a way to do this? I would also like to be able to display the exact version of a specific dependency that's used by the project. |
|
Yea, we chatted on Discord about using the dynamic badge. @guylepage3 could you point us to what you ended up with? |
|
Here's an example using dynamic json badge. The query is Line 25 in 0aee712 |
|
Yeah. I was only able to execute what @chris48s is suggesting above. I would really love to remove the tilde |
|
Works perfectly, thanks @chris48s, @guylepage3. I'm not sure replacing the Does anyone know if there's a way to get a similar badge for specific Python dependencies from |
|
For my purposes I was using the badge as a quick visual to let the viewer know which version of the dependency was currently in use. So for me it made sense. Much like how shields.io has set up my npm badge. It's also a standard.. https://shields.io/#/examples/version |
|
I can't think of a way to parse Also, as I think about this more, I'd be curious to see how you're using these requirements badges to communicate with developers. Could you guys link to repos? |
|
@paulmelnikow for me, this is just something I'm thinking of doing, so don't have examples. But these are how I'd like to use it:
In general, our repositories tend to have one or two particular dependencies (usually frameworks) that we would consider fairly central, where the exact version of those dependencies is particularly interesting. |
|
Ah, thanks @nottrobin, that's really helpful! I think I understand some possible use cases:
We do have a bunch of platform support badges. However the ones for Node and Python are designed for libraries. The ones for Python and Django version look at PyPI trove classifiers, and the node ones look at Have you given consideration to adopting pipenv? We have a GitHub manifest version badge, which reads the version number from package.json or manifest.json. I could see adding support to show the version of a specific dependency. We could do the same for a Pipfile. It could explicitly support the big ones, like Flask and React, sort of like we do now for Django in libraries. It could let developers specify a specific library, too. Finally, we could also add a dynamic TOML badge for people who want to do really specific things with their Pipfile. Do you think that would work for you? |
|
We have looked at pipenv. The problem with it for us is that it doesn't have a way to generate lockfiles from system level dependencies. We encapsulate all our dependencies using containers, so we have no need for the pipenv user environments. It's a shame that pipenv bundles in the new dependency format with its environment management, so you can't have one without the other, and that it's incompatible with other environment management options - like storing the dependencies at the system level. |
|
System level dependencies… is that components like gunicorn and statsd? I take it they're getting installed here? |
|
That Dockerfile is actually only used for production. What I mean is that we do local development effectively like this (illustrative only): docker run \
--volume `pwd`:/srv \
--workdir /srv \
--publish 8000:8000 \
python:3 \
bash -c "pip install -r requirements.txt && ./manage.py runserver"(In practice, we have a bash script at We don't actually use the Using Python virtualenvs can both often have unexpected effects on the wider system (there's nothing to stop Python packages writing to or changing permissions in your home directory - and many do) and break because of quirks in your wider system (like not having specific C libraries installed or set up correctly). Using containers offers significantly more reliable encapsulation. This allows us to have confidence that the project will run the same for each of our devs, on both Linux and macOs, with very little knowledge about the project or help from other devs. The single dependency our devs need installed is Docker. We've been doing it this way for about 4 years and it works very well. The simplest way to do that is to run everything as root inside the container - installing everything at the system level. We could, of course, configure our containers to have a whole encapsulated user environment and still use Python virtualenvs inside the container, but it's a whole load of extra weight and complexity to our containers that we don't need. Pipenv looks like a really promising project, and I'd love to use it (especially its lockfile functionality), but it unfortunately doesn't play at all well with actually working with dependencies that are installed at the system level. I've tried to delve into this problem with the Pipenv devs, but unfortunately I don't think they have any plans or appetite to fundamentally rearchitect Pipenv to support our workflow. |
|
Ahhh I gotcha. That pipenv thread sounds more philosophical than technical… and frustrating. Heh. Anyway, I get it, you need to use I'm not really up for implementing a requirements.txt parser in Node. (The only one I found was deprecated and labeled "trash" by its author.) I'm thinking this case could be handled using a custom endpoint. I'll resume working on reviving #1525 – that'll allow creating a badge from an arbitrary JSON endpoint which returns something like That opens up options for the implementation. Runkit endpoints is a good one for Node. Basically you write a function like exports.endpoint = function(request, response) {
const badge = { schemaVersion: 1, label: ..., message: ..., color: ... }
response.end(JSON.stringify(badge))
}and save it in your browser and then, voila, you have a JSON endpoint. I imagine your limited case could be handled well enough in Node with a regex. Alternatively, it might be easy enough to parse |
|
Interesting option. I haven't looked into it, but I'm sure parsing requirements.txt in Python must be pretty trivial. But I suspect the simplest would be, as you say, to write a small JSON endpoint that ran a simply regex against our latest requirements.txt. Do you have an example of such an endpoint that parses a file from a GitHub repo that we could base it off? And do you know if #1525 is likely to be merged soon? |
|
I put this together: https://runkit.com/melnikow/version-from-requirements-txt It seems to work well enough in this basic case:
Cool stuff! Yea, I'm working now on a replacement for #1525. |
Writing a javascript parser for
I realise we've gone way way way off the original topic of this thread at this point, but if https://github.com/sdispater/poetry That said, for the love of god don't change your packaging tool if the only problem you're trying to solve is adding a badge to your |
|
Thanks @chris48s, Poetry is very interesting. I'll try to look into it a bit further.
Lol no. We've previously been looking into alternatives to We'd also like to stay up-to-date with the latest standards, so it's a shame that https://github.com/sdispater/poetry branches the possible futures for Python. But, as you can see, Pipenv isn't without its problems, so it's probably a good thing. |
This reimplements the idea @bkdotcom came up with in #1519, and took a stab at in #1525. It’s a really powerful way to add all sorts of custom badges, particularly considering [tools like RunKit endpoints and Jupyter Kernel Gateway](#2259 (comment)), not to mention all the other ways cloud functions can be deployed these days. Ref #1752 #2259
paulmelnikow
changed the title
…ejson githubmanifest npm] Close #2259 which is mostly about a `package.json` dependency badge.
|
Awesome! Looking forward to this! 😄 |
This reimplements the idea @bkdotcom came up with in #1519, and took a stab at in #1525. It’s a really powerful way to add all sorts of custom badges, particularly considering [tools like RunKit endpoints and Jupyter Kernel Gateway](#2259 (comment)), not to mention all the other ways cloud functions can be deployed these days.
|
Hey @nottrobin, the Endpoint badge is live! Want to give it a shot? We can continue the discussion in #2838. |
|
@paulmelnikow works a charm! https://github.com/canonical-websites/www.ubuntu.com/blob/master/README.md Thanks so much! |
|
Nice!! Can you share a link to your RunKit notebook? |
|
Also… could you help spread the word about this? |
|
@paulmelnikow this is it: https://runkit.com/nottrobin/django-from-requirements-txt. It's basically a copy of your proof-of-concept, with just one or two tweaks. |
I recently published https://github.com/metabolize/rq-dashboard-on-heroku and want to add badges to show the locked version of Python and rq-dashboard, the main dependency it’s wrapping. This is along the lines of #2259, which was for package.json-based applications, and also included some discussion of a Python application that used `requirements.txt`. It’s useful for show the pinned version of any dependency in a Python application that uses a lockfile. In the future, as an alternative to reading Pipfile.lock, I could see expanding this to read Pipefile. However for my purposes I prefer to show the locked dependency, since that’s the version that a user of my package would actually get if they ran it on Heroku.
I recently published https://github.com/metabolize/rq-dashboard-on-heroku and want to add badges to show the locked version of Python and rq-dashboard, the main dependency it’s wrapping. This is along the lines of #2259, which was for package.json-based applications, and also included some discussion of a Python application that used `requirements.txt`. It’s useful for showing the pinned version of any dependency in a Python application that uses a lockfile. In the future, as an alternative to reading Pipfile.lock, I could see expanding this to read Pipfile. However for my purposes I prefer to show the locked dependency, since that’s the version that a user of my package would actually get if they ran it on Heroku.
|
Just thought I'd ping this thread to let anyone watching know that there is now a dependency badge for Pipenv applications. It reads Package.lock from a GitHub repo:
|
|
Really great service for using the In my case this great service didn't work, since the If someone stumbles upon this issue like me, here's my solution how to get it working though: Just use the You simply leverage the power of JSONPATH and use And I also had packages not defined inside my |
|
Hi @jonashackt, All good suggestions, including the workaround you suggested! Per the comment above I recently added a badge for Pipenv which uses the lockfile, and it makes sense to add some corresponding support for package-lock.json. I think it’s a little tricky in a package-lock because there could be multiple versions of a particular dependency installed. I’m not sure if it makes sense to consider only the top-level dependencies, or to walk the tree and find all the installed versions. It would be good to add a package.json dependency badge which did not depend on GitHub (similar to the other package.json badges we have). I opened a PR #WHICH to add monorepo support to the existing GitHub badge. So there are two open items. Feel free to open new issues for these – or to tackle them yourselves if you'd like!
|
For anyone stumbling upon this issue, the quoted badge is not currently working, I think because https://github.com/badges/shields/blob/master/package.json#L28 This url is working: Now that the package has been renamed to You can however use the specific https://img.shields.io/github/package-json/dependency-version/badges/shields/@shields_io/camp |
Description
I would love to be able to add
dependencyversion badges from mypackage.jsonand have those badges change to let developers know that a dependency is outdated. I am aware of david-dm.org for example...But it would be amazing to have a badge for each of my dependencies..
The text was updated successfully, but these errors were encountered: