This may be a question about the existing UPM rather than the new thing in this post (the cache), but it's not clear to me how this system handles versioned dependencies or reproducibility issues. Import statements (in Python) are not versioned. Does anyone know?
I also wonder how they solved the stupid but annoying problem of mapping import names to package names, e.g. "import sklearn" -> scikit-learn, "import dateutil" -> python-dateutil, "import bs4" -> beautifulsoup4, ...
UPM's philosophy is to use a lockfile to specify dependency constraints. The first time you press run and UPM guesses which packages satisfy which import statements, those versions are put into the lockfile.
Can the user read/export the lockfile in a portable format (e.g. requirements.txt)? I love the idea of magic like this, but I'm less keen if it comes at the price of lock-in. (And feel free to point me to the docs!)
No magic, it's automating and hooking into existing open-source tools. For Python it's Poetry (https://python-poetry.org/), not requirements.txt because UPM needs to present strong guarantees on reproducibility -- otherwise things like content-addressable caching wouldn't be possible. Poetry is open-source and UPM is too: https://github.com/replit/upm
Every Replit Python project can be downloaded and you'll have the spec file and the lock file so you can install the same dependencies locally.
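The import-name to package-name mapping and the "guess once, then pin" step discussed in this thread, as an added example that is not UPM's or Poetry's code. The sample source, the index contents, the version numbers and all function names are constructed for illustration, and the pinned output is plain `name==version` lines, not Poetry's lock format.

```python
import ast
import sys
from importlib import metadata

# Constructed sample source using the import names mentioned in the thread.
SAMPLE_SOURCE = """
import os
import sklearn
from bs4 import BeautifulSoup
import dateutil.parser
from . import local_helper
import notarealmodule
"""
# Constructed stand-in for a package index: import name -> (distribution, version).
# The versions are placeholders, not real release numbers.
SAMPLE_INDEX = {
    "sklearn": ("scikit-learn", "0.0.1"),
    "bs4": ("beautifulsoup4", "0.0.2"),
    "dateutil": ("python-dateutil", "0.0.3"),
}
# Standard-library names never need a package (small fallback set before 3.10).
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"os", "sys", "re", "json"}))

def top_level_imports(source):
    """Return the top-level module names of all absolute imports in source."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])  # level > 0 is a relative import
    return names

def installed_index():
    """Build the same mapping from locally installed packages (Python 3.10+)."""
    # Simplification: when several distributions provide a module, take the first.
    return {mod: (dists[0], metadata.version(dists[0]))
            for mod, dists in metadata.packages_distributions().items()}

def guess_pins(source, index):
    """Map imports to pinned distributions; report unknown names, never guess them."""
    pins, unresolved = {}, []
    for name in sorted(top_level_imports(source) - set(STDLIB)):
        if name in index:
            dist, version = index[name]
            pins[dist] = version
        else:
            unresolved.append(name)  # left for a human to resolve explicitly
    return pins, unresolved

def render_pins(pins):
    """Render pins as sorted 'name==version' lines so reruns are byte-identical."""
    return "\n".join(f"{dist}=={ver}" for dist, ver in sorted(pins.items()))
```

Import names with no known mapping are returned separately rather than installed under the same name, since the import name and the published package name can differ.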