release-engineering / cdn-lambda

100%

master: 100%

LAST BUILD ON BRANCH bundle-deps

branch: bundle-deps

CHANGE BRANCH

x

Reset

• bundle-deps
• dependabot/pip/boto3-1.12.24
• dependabot/pip/boto3-1.12.25
• dependabot/pip/boto3-1.12.26
• dependabot/pip/boto3-1.12.27
• dependabot/pip/boto3-1.12.28
• dependabot/pip/botocore-1.15.24
• dependabot/pip/botocore-1.15.25
• dependabot/pip/botocore-1.15.26
• dependabot/pip/botocore-1.15.27
• dependabot/pip/botocore-1.15.28
• dependabot/pip/docutils-0.16
• master

Build # 42

Build Type

Pull #14

travis-ci

Committed by web-flow

Commit Message

Manage and bundle exact dependency versions

Previously, the package produced by "tox -e package" did not
bundle any dependencies.  Although this worked, let's start
bundling dependencies instead and managing their versions,
for a couple of reasons:

- It turns out this is actually the recommended practice even
  for deps such as boto3, despite the lambda runtime providing
  a copy of it; although there is much confusion on this point.
  See [1] for a discussion about this.

- If we don't bundle dependencies, then we have no way to roll
  back changes to those dependencies. This puts us at risk if
  the lambda runtime updates a dependency in a manner such that
  our code stops working.

- We'll likely want to introduce dependencies on some other
  packages owned by ourselves at some point, so let's figure out
  how to do that securely. Declaring dependencies with --hash
  and letting dependabot update them seems to achieve this, and
  dependabot supports updating those automatically while
  maintaining hashes.

For that last point, the version of boto3 included here was
deliberately chosen as a slightly older release, so that we can
try having dependabot update the dependency.

[1] https://www.serverlessops.io/blog/aws-lambda-and-python-boto3-bundling

Pull Request Pull Request #14: Allow usage of dependencies secured by hash

Run Details

39 of 39 relevant lines covered (100.0%)

1.0 hits per line