build: pin fresh-install deps to the release lockfile#117
Open
arelchan wants to merge 1 commit into
Open
Conversation
the wheel only carries loose ranges (e.g. litellm>=1.82.1,<2.0.0), and uv.lock is not consulted by wheel / uv tool install. so a fresh curl|sh install resolves whatever upstream published latest, drifting off the versions ci tested -- this is how the missing-orjson break reached users after litellm silently moved 1.85 -> 1.92. release now exports the locked set from uv.lock (uv export) and ships it as a requirements.txt release asset. install.sh resolves that asset next to the wheel and installs with --constraint, pinning transitive deps to the tested versions. older releases without the asset install unpinned (backward compatible); RAVEN_CONSTRAINT_URL overrides. verified: a fresh wheel install drifts litellm to 1.92.0 unpinned, but resolves to the locked 1.85.0 with the exported constraint. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Change description
Make a fresh
curl | sh/uv tool installinstall resolve the exact dependencyset that CI locked and tested, instead of whatever upstream published latest.
Why: the wheel only carries loose ranges (e.g.
litellm>=1.82.1,<2.0.0), andneither the wheel nor
uv tool installconsultsuv.lock. So a fresh installresolves the newest in-range versions at install time. That is exactly how the
missing-
orjsonbreakage (issue #113) reached users: litellm silently moved1.85 -> 1.92, and 1.92's request path needsorjson, which the older locked1.85 did not.
What:
release.ymlexports the locked set fromuv.lock(uv export --frozen --no-emit-project --no-dev --all-extras --no-hashes) and ships it as arequirements.txtrelease asset alongside the wheel.install.sh(remote mode) resolves that asset next to the wheel and installswith
--constraint, pinning transitive deps to the tested versions.behavior).
RAVEN_CONSTRAINT_URLoverrides for a custom wheel.Verified locally with a freshly built wheel:
--constraint requirements.txt(this PR)Note: this is the distribution-side guard. It complements #116 (declare orjson)
and does not pin litellm's range in
pyproject.toml(that stays flexible foruv sync/ dev).Type of change
Checklists
Development
Security
Code review