update-locked-requirements: Generate prod locks from dev locks.

This guarantees that we don’t accidentally upgrade one without the
other, which could happen for example due to different third-party
version constraints between the two.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

requirements/README.md

@@ -1,18 +1,18 @@
 The dependency graph of the requirements is as follows:
 
 ```
-dev         prod
+dev +-> prod +-> common
-+ +          +
++
-| +->common<-+
+|
 v
-mypy,docs
+mypy,docs,pip
 ```
 
 Of the files, only dev, prod, and mypy have been used in the install
 scripts directly. The rest are implicit dependencies.
 
 Steps to update a lock file, e.g. to update ipython from 5.3.0 to latest version:
-0. Remove entries for `ipython==5.4.1` in dev.txt and prod.txt.
+0. Remove entry for `ipython==5.4.1` in dev.txt.
 1. Run `./tools/update-locked-requirements`, which will generate new entries, pinned to the latest version.
 2. Increase `PROVISION_VERSION` in `version.py`.
 3. Run `./tools/provision` to install the new deps and test them.

requirements/dev.in

@@ -1,7 +1,8 @@
 # After editing this file, you MUST afterward run
 # /tools/update-locked-requirements to update requirements/dev.txt.
 # See requirements/README.md for more detail.
--r common.in
+-r pip.in
+-r prod.in
 -r docs.in
 
 # moto s3 mock

requirements/dev.txt

@@ -901,6 +901,8 @@ urllib3==1.25.8 \
     --hash=sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc \
     --hash=sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc \
     # via botocore, requests
+uwsgi==2.0.18 \
+    --hash=sha256:4972ac538800fb2d421027f49b4a1869b66048839507ccf0aa2fda792d99f583
 virtualenv-clone==0.5.3 \
     --hash=sha256:532f789a5c88adf339506e3ca03326f20ee82fd08ee5586b44dc859b5b4468c5 \
     --hash=sha256:c88ae171a11b087ea2513f260cdac9232461d8e9369bcd1dc143fc399d220557
@@ -924,6 +926,9 @@ werkzeug==0.16.1 \
     --hash=sha256:1e0dedc2acb1f46827daa2e399c1485c8fa17c0d8e70b6b875b4e7f54bf408d2 \
     --hash=sha256:b353856d37dec59d6511359f97f6a4b2468442e454bd1c98298ddce53cac1f04 \
     # via moto
+wheel==0.34.2 \
+    --hash=sha256:8788e9155fe14f54164c1b9eb0a319d98ef02c160725587ad60f14ddc57b6f96 \
+    --hash=sha256:df277cb51e61359aba502208d680f90c0493adec6f0e848af94948778aed386e
 wrapt==1.11.2 \
     --hash=sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1 \
     # via aws-xray-sdk
@@ -997,5 +1002,4 @@ pip==20.0.2 \
     --hash=sha256:7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f
 setuptools==45.1.0 \
     --hash=sha256:68e7fd3508687f94367f1aa090a3ed921cd045a60b73d8b0aa1f305199a0ca28 \
-    --hash=sha256:91f72d83602a6e5e4a9e4fe296e27185854038d7cbda49dcd7006c4d3b3b89d5 \
+    --hash=sha256:91f72d83602a6e5e4a9e4fe296e27185854038d7cbda49dcd7006c4d3b3b89d5
-    # via cairocffi, cssselect2, ipython, jsonschema, markdown, sphinx, tinycss2, zope.interface

requirements/docs.txt

@@ -27,9 +27,10 @@ commonmark==0.9.1 \
     --hash=sha256:452f9dc859be7f06631ddcb328b6919c67984aca654e5fefb3914d54691aed60 \
     --hash=sha256:da2f38c92590f83de410ba1a3cbceafbc74fee9def35f9251ba9a971d6d66fd9 \
     # via recommonmark
-docutils==0.16 \
+docutils==0.15.2 \
-    --hash=sha256:0c5b78adfbf7762415433f5515cd5c9e762339e23369dbe8000d84a4bf4ab3af \
+    --hash=sha256:6c4f696463b79f1fb8ba0c594b63840ebd41f059e92b31957c46b74a4599b6d0 \
-    --hash=sha256:c2de3a60e9e7d07be26b7f2b00ca0309c207e06c100f9cc2a94931fc75a478fc \
+    --hash=sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827 \
+    --hash=sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99 \
     # via recommonmark, sphinx
 idna==2.8 \
     --hash=sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407 \

requirements/pip2.in

@@ -0,0 +1 @@
+pip.in

requirements/thumbor-dev.in

@@ -1,2 +1,3 @@
+-r pip.in
 -r thumbor.in
 pip-tools

requirements/thumbor-dev.txt

@@ -157,3 +157,14 @@ webcolors==1.10 \
     --hash=sha256:2559b4f4694bfcd61c87ee06acad921bd2fdbf0c844bee65fc844c6910c413dd \
     --hash=sha256:7b11194c414dcf4b9bd8fb5ceaafc9da183b27430883c62f620589eb79b91b6e \
     # via thumbor
+wheel==0.34.2 \
+    --hash=sha256:8788e9155fe14f54164c1b9eb0a319d98ef02c160725587ad60f14ddc57b6f96 \
+    --hash=sha256:df277cb51e61359aba502208d680f90c0493adec6f0e848af94948778aed386e
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==20.0.2 \
+    --hash=sha256:4ae14a42d8adba3205ebeb38aa68cfc0b6c346e1ae2e699a0b3bad4da19cef5c \
+    --hash=sha256:7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f
+setuptools==44.0.0 \
+    --hash=sha256:180081a244d0888b0065e18206950d603f6550721bd6f8c0a10221ed467dd78e \
+    --hash=sha256:e5baf7723e5bb8382fc146e33032b241efc63314211a3a120aaa55d62d2bb008

tools/update-locked-requirements

@@ -54,11 +54,14 @@ if [ $# -gt 0 ]; then
     done
 fi
 
-compile_requirements requirements/pip.in "$OUTPUT_BASE_DIR/pip.txt"
-compile_requirements requirements/prod.in "$OUTPUT_BASE_DIR/prod.txt"
 compile_requirements requirements/dev.in "$OUTPUT_BASE_DIR/dev.txt"
-compile_requirements requirements/mypy.in "$OUTPUT_BASE_DIR/mypy.txt"
+for name in pip prod mypy docs; do
-compile_requirements requirements/docs.in "$OUTPUT_BASE_DIR/docs.txt"
+    cp "$OUTPUT_BASE_DIR/dev.txt" "$OUTPUT_BASE_DIR/$name.txt"
-compile_requirements requirements/pip.in "$OUTPUT_BASE_DIR/pip2.txt" py2
+    compile_requirements "requirements/$name.in" "$OUTPUT_BASE_DIR/$name.txt"
-compile_requirements requirements/thumbor.in "$OUTPUT_BASE_DIR/thumbor.txt" py2
+done
+
 compile_requirements requirements/thumbor-dev.in "$OUTPUT_BASE_DIR/thumbor-dev.txt" py2
+for name in pip2 thumbor; do
+    cp "$OUTPUT_BASE_DIR/thumbor-dev.txt" "$OUTPUT_BASE_DIR/$name.txt"
+    compile_requirements "requirements/$name.in" "$OUTPUT_BASE_DIR/$name.txt" py2
+done

version.py

@@ -34,4 +34,4 @@ DESKTOP_WARNING_VERSION = "5.0.0"
 #   historical commits sharing the same major version, in which case a
 #   minor version bump suffices.
 
-PROVISION_VERSION = '75.7'
+PROVISION_VERSION = '75.8'