by kennywinker 976 days ago
> Blame the tutorial makers and the dependency maintainers

I'd blame the python community as a whole, for not driving everybody (flask team, tutorial makers, dependency maintainers, etc) towards pinned versions.

This is a well-established problem in any environment where you write code that has dependencies. Strict use of semver, and tools that respect those conventions, would solve MOST of this.

2 comments

Well, they are trying... For tooling they tried to get this done well with pipenv, but (imho) failed for how slow and clunky it is. I really tried to like pipenv, but now I just go for poetry.

But one thing that needs to be acknowledged is how difficult it is to coordinate a space with so many stakeholders (e.g. Conda and Anaconda for Windows), and how python got so engrained in the sys admin (installing tools with pip) that undoing that is a monstrous task [1].

[1] The other day my ansible playbooks stopped working because packages that you used to be able to install globally with pip should now be installed through the package managers (e.g. jsondiff should now be installed as apt-get install python3-jsondiff). Exactly to push people to use virtual environments where you can better manage dependencies.

Nothing unique to Python.

You can lock Python versions.

But by default, people type pip/npm/apt/yum install without the version.

> Nothing unique to Python.

Except the default behavior of yarn add / npm install is to pin a semver. I.e. if the current version is 1.2.3, the package.json will specify “^1.2.3” which will auto-update to any new release that’s versioned below 2.0.0. And the node community is at least half-decent about following semver and doesn’t usually push breaking changes on a point-release.
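To make the two behaviours discussed in this thread concrete, here is an added Python example (not code from any commenter) that implements npm's documented caret-range semantics ("^1.2.3" allows anything from 1.2.3 up to, but excluding, 2.0.0; "^0.y.z" and "^0.0.z" are narrower) and, beside it, a check that flags which lines of a pip-style requirements file are not exact "==" pins. The sample requirements text is constructed for illustration.

```python
"""Caret ranges (npm/yarn "^x.y.z") versus pip-style exact pins.

Added example for the discussion above; it is not code from any
commenter. The "^" rules follow npm's documented semantics: a caret
range allows changes that do not modify the left-most non-zero
component of the version. The sample requirements below are constructed.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse a strict MAJOR.MINOR.PATCH string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def caret_bounds(spec: str) -> Tuple[Version, Version]:
    """Return (inclusive_lower, exclusive_upper) for a '^x.y.z' spec."""
    if not spec.startswith("^"):
        raise ValueError("caret_bounds expects a '^x.y.z' spec")
    lower = parse_version(spec[1:])
    major, minor, patch = lower
    if major > 0:
        upper = (major + 1, 0, 0)      # ^1.2.3 -> >=1.2.3 <2.0.0
    elif minor > 0:
        upper = (0, minor + 1, 0)      # ^0.2.3 -> >=0.2.3 <0.3.0
    else:
        upper = (0, 0, patch + 1)      # ^0.0.3 -> >=0.0.3 <0.0.4
    return lower, upper


def caret_allows(spec: str, candidate: str) -> bool:
    """True if 'candidate' would be auto-installed under the caret spec."""
    lower, upper = caret_bounds(spec)
    return lower <= parse_version(candidate) < upper


# name, optional operator, optional version; comments/markers are excluded
_PIP_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s#;]*)"
)


def is_exact_pin(requirement: str) -> bool:
    """True only for 'name==x.y.z' lines; ranges and bare names are not pins."""
    m = _PIP_REQ_RE.match(requirement)
    if not m or not m.group(2):
        return False
    return m.group(2) == "==" and bool(m.group(3))


def unpinned_requirements(text: str) -> List[str]:
    """Names of packages in a requirements file that are not exactly pinned."""
    names: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _PIP_REQ_RE.match(stripped)
        if m and not is_exact_pin(stripped):
            names.append(m.group(1))
    return names


# Constructed sample requirements file (not from any commenter).
SAMPLE_REQUIREMENTS = """\
# constructed sample
flask==2.0.1
requests>=2.25
jsondiff
pyyaml~=6.0
"""

if __name__ == "__main__":
    lo, hi = caret_bounds("^1.2.3")
    print(f"^1.2.3 accepts >= {lo} and < {hi}")
    print("unpinned:", unpinned_requirements(SAMPLE_REQUIREMENTS))
```

Running the module reports the window a caret spec opens and lists every requirement a reviewer would want to pin before treating a build as reproducible; the exact-pin check is deliberately strict, so "~=" (pip's compatible-release operator) is reported as unpinned just like ">=".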