
feat(cli): add lockfile support to pywrangler sync command #108

Open: ryanking13 wants to merge 2 commits into main from gyeongjae/lockfile-respect

Conversation

@ryanking13 (Contributor)

pywrangler sync will now generate a pylock.toml file that locks the installed packages. Rerunning pywrangler sync will now keep the existing installed versions and will not upgrade packages silently.

Also added --upgrade flag to pywrangler sync which upgrades the packages in the lockfile.

@ryanking13 ryanking13 requested review from dom96, hoodmane and joesepi May 21, 2026 11:46

@ask-bonk ask-bonk Bot left a comment


I'm Bonk, and I've done a quick review of your PR.

This PR adds lockfile support (pylock.toml) to pywrangler sync, using uv pip compile to pin dependency versions and a new --upgrade flag to refresh them. Overall the approach is sound. A couple of issues below.

  1. _read_lockfile_requirements will crash with an opaque KeyError on malformed lockfile entries (medium severity)
  2. Private function _get_lockfile_path is imported across module boundaries (low severity)

Comment thread packages/cli/src/pywrangler/resolve.py Outdated
Comment thread packages/cli/src/pywrangler/sync.py Outdated

ask-bonk Bot commented May 21, 2026

Review posted on PR #108. Two issues flagged:

  1. Medium severity: _read_lockfile_requirements at packages/cli/src/pywrangler/resolve.py:109 will crash with a bare KeyError if a [[packages]] entry in pylock.toml is missing name or version. Posted a suggestion to validate entries and skip malformed ones with a warning.

  2. Low severity: _get_lockfile_path is a private function (underscore-prefixed) being imported across module boundaries (sync.py imports it from resolve.py). Suggested renaming to get_lockfile_path to signal it's part of the public API.

github run

`pywrangler sync` command now generates a `pylock.toml` file
that locks the installed packages. Rerunning `pywrangler sync`
now keeps the existing installed versions and will not upgrade
packages silently.

Also added `--upgrade` flag to `pywrangler sync` which upgrades
the packages in the lockfile.