Python Dependencies
Unlike our frontend JavaScript story, where we're generally very happy pulling in dependencies, we're much more conservative on the backend. Any dependency we pull in, might require us to eventually (temporarily) fork and vendor it if the upstream project no longer supports our version of Python.
Additionally, all these dependencies run on the server, thus, making them riskier as they have direct access to customer data if they turn out to be malicious.
So here are the rules:
- Any new dependency needs to be thoroughly reviewed and approved.
- Dependencies must be hard pinned in the requirements file of sentry.
Note: If you need to add a dependency with a URL you will have to place it with a range in Sentry and place the URL in getsentry's requirements. This is because we release sentry as a package in PyPI and it does not accept URLs.
Unclear?
If you have questions about dependencies feel free to reach out to owners-python-build with questions.