Skip to content

build: pin fresh-install deps to the release lockfile#117

Open
arelchan wants to merge 1 commit into
mainfrom
build/pin_install_deps_from_lock
Open

build: pin fresh-install deps to the release lockfile#117
arelchan wants to merge 1 commit into
mainfrom
build/pin_install_deps_from_lock

Conversation

@arelchan

Copy link
Copy Markdown
Contributor

Change description

Make a fresh curl | sh / uv tool install install resolve the exact dependency
set that CI locked and tested, instead of whatever upstream published latest.

Why: the wheel only carries loose ranges (e.g. litellm>=1.82.1,<2.0.0), and
neither the wheel nor uv tool install consults uv.lock. So a fresh install
resolves the newest in-range versions at install time. That is exactly how the
missing-orjson breakage (issue #113) reached users: litellm silently moved
1.85 -> 1.92, and 1.92's request path needs orjson, which the older locked
1.85 did not.

What:

  • release.yml exports the locked set from uv.lock (uv export --frozen --no-emit-project --no-dev --all-extras --no-hashes) and ships it as a
    requirements.txt release asset alongside the wheel.
  • install.sh (remote mode) resolves that asset next to the wheel and installs
    with --constraint, pinning transitive deps to the tested versions.
  • Backward compatible: releases without the asset install unpinned (current
    behavior). RAVEN_CONSTRAINT_URL overrides for a custom wheel.

Verified locally with a freshly built wheel:

install resolved litellm
unpinned (current) 1.92.0 (drifts to latest)
--constraint requirements.txt (this PR) 1.85.0 (matches uv.lock)

Note: this is the distribution-side guard. It complements #116 (declare orjson)
and does not pin litellm's range in pyproject.toml (that stays flexible for
uv sync / dev).

Type of change

  • Bug fix
  • New feature
  • Document
  • Others (build / release + install reproducibility)

Checklists

Development

  • Lint rules pass locally
  • Application changes have been tested thoroughly
  • Automated tests covering modified code pass

Security

  • Security impact of change has been considered
  • Code follows security best practices and guidelines

Code review

  • Pull request has a descriptive title and context useful to a reviewer

the wheel only carries loose ranges (e.g. litellm>=1.82.1,<2.0.0), and
uv.lock is not consulted by wheel / uv tool install. so a fresh curl|sh
install resolves whatever upstream published latest, drifting off the
versions ci tested -- this is how the missing-orjson break reached users
after litellm silently moved 1.85 -> 1.92.

release now exports the locked set from uv.lock (uv export) and ships it
as a requirements.txt release asset. install.sh resolves that asset next
to the wheel and installs with --constraint, pinning transitive deps to
the tested versions. older releases without the asset install unpinned
(backward compatible); RAVEN_CONSTRAINT_URL overrides.

verified: a fresh wheel install drifts litellm to 1.92.0 unpinned, but
resolves to the locked 1.85.0 with the exported constraint.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant