In the process of maintaining PyPI packages and projects, I often encounter two main pain points:

  1. Complexity of uploading and publishing: In the past, uploading a PyPI package typically required configuring a PyPI token, a long-lived secret that poses a security risk. It also required packaging and uploading locally or in CI, and projects that ship .whl files needed additional environment configuration, which added to the workload.
  2. Slow dependency locking: Larger Python projects often have many transitive dependencies, and leaving versions unlocked can lead to compatibility breaks when upstream packages change. Traditional tools like PDM and Poetry are somewhat slow at resolving locks, and the process can be frustrating. Back in 2021, I used Poetry to lock a project’s dependencies, and after 10 minutes it still failed; I haven’t used it since.

Fortunately, solutions for these issues have emerged in recent years.