Merge branch 'main' of https://github.com/GSA/notifications-admin into 803-keep-current-service-visible

Makefile

@@ -15,7 +15,7 @@ NVMSH := $(shell [ -f "$(HOME)/.nvm/nvm.sh" ] && echo "$(HOME)/.nvm/nvm.sh" || e
 
 .PHONY: bootstrap
 bootstrap: generate-version-file ## Set up everything to run the app
-	poetry install
+	poetry install --sync
 	poetry run playwright install --with-deps
 	source $(NVMSH) --no-use && nvm install && npm ci --no-audit
 	source $(NVMSH) && npm run build
@@ -92,6 +92,18 @@ js-test: ## Run javascript unit tests
 fix-imports: ## Fix imports using isort
 	poetry run isort ./app ./tests
 
+.PHONY: py-lock
+py-lock: ## Syncs dependencies and updates lock file without performing recursive internal updates
+	poetry lock --no-update
+	poetry install --sync
+
+.PHONY: update-utils
+update-utils: ## Forces Poetry to pull the latest changes from the notifications-utils repo; requires that you commit the changes to poetry.lock!
+	poetry update notifications-utils
+	@echo
+	@echo !!! PLEASE MAKE SURE TO COMMIT AND PUSH THE UPDATED poetry.lock FILE !!!
+	@echo
+
 .PHONY: freeze-requirements
 freeze-requirements: ## create static requirements.txt
 	poetry export --without-hashes --format=requirements.txt > requirements.txt
@@ -101,7 +113,7 @@ pip-audit:
 	poetry requirements > requirements.txt
 	poetry requirements --dev > requirements_for_test.txt
 	poetry run pip-audit -r requirements.txt
-	-poetry run pip-audit -r requirements_for_test.txt
+	poetry run pip-audit -r requirements_for_test.txt
 
 .PHONY: audit
 audit: npm-audit pip-audit

README.md

@@ -73,6 +73,52 @@ The [Notify API](https://github.com/GSA/notifications-api) provides the UI's bac
 
 If you are using VS Code, there are also instructions for [running inside Docker](./docs/docker-remote-containers.md)
 
+### Python dependency management
+
+We're using [`Poetry`](https://python-poetry.org/) for managing our Python
+dependencies and local virtual environments.  When it comes to managing the
+Python dependencies, there are a couple of things to bear in mind.
+
+For situations where you manually manipulate the `pyproject.toml` file, you
+should use the `make py-lock` command to sync the `poetry.lock` file.  This will
+ensure that you don't inadvertently bring in other transitive dependency updates
+that have not been fully tested with the project yet.
+
+If you're just trying to update a dependency to a newer (or the latest) version,
+you should let Poetry take care of that for you by running the following:
+
+```
+poetry update <dependency> [<dependency>...]
+```
+
+You can specify more than one dependency together.  With this command, Poetry
+will do the following for you:
+
+- Find the latest compatible version(s) of the specified dependency/dependencies
+- Install the new versions
+- Update and sync the `poetry.lock` file
+
+In either situation, once you are finished and have verified the dependency
+changes are working, please be sure to commit both the `pyproject.toml` and
+`poetry.lock` files.
+
+### Keeping the notification-utils dependency up-to-date
+
+The `notifications-utils` dependency references the other repository we have at
+https://github.com/GSA/notifications-utils - this dependency requires a bit of
+extra legwork to ensure it stays up-to-date.
+
+Whenever a PR is merged in the `notifications-utils` repository, we need to make
+sure the changes are pulled in here and committed to this repository as well.
+You can do this by going through these steps:
+
+- Make sure your local `main` branch is up-to-date
+- Create a new branch to work in
+- Run `make update-utils`
+- Commit the updated `poetry.lock` file and push the changes
+- Make a new PR with the change
+- Have the PR get reviewed and merged
+
 ## To test the application
 
 From a terminal within the running devcontainer:

pyproject.toml

@@ -6,23 +6,24 @@ authors = ["Your Name <you@example.com>"]
 readme = "README.md"
 
 [tool.poetry.dependencies]
-python = "^3.9"
+python = ">=3.9,<3.12"
 ago = "~=0.0.95"
-black = "==23.9.1"
 blinker = "~=1.6"
 exceptiongroup = "==1.1.3"
 flask = "~=2.3"
 flask-basicauth = "~=0.2"
-flask-login = "~=0.6"
-flask-wtf = "~=1.2"
-poetry = "==1.6.1"
+flask-login = "^0.6"
+flask-talisman = "*"
+flask-wtf = "^1.2"
 govuk-bank-holidays = "==0.13"
 govuk-frontend-jinja = {git = "https://github.com/alphagov/govuk-frontend-jinja.git", tag = "v0.5.8-alpha"}
 gunicorn = {version = "==21.2.0", extras = ["eventlet"]}
 humanize = "~=4.8"
 itsdangerous = "~=2.1"
 jinja2 = "~=3.1"
+newrelic = "*"
 notifications-python-client = "==8.0.1"
+notifications-utils = {git = "https://github.com/GSA/notifications-utils.git"}
 pyexcel = "==0.7.0"
 pyexcel-io = "==0.6.6"
 pyexcel-ods3 = "==0.6.1"
@@ -33,33 +34,33 @@ pyproj = "==3.6.1"
 python-dotenv = "==1.0.0"
 pytz = "==2023.3.post1"
 rtreelib = "==0.2.0"
-werkzeug = "~=2.3"
+werkzeug = "^3.0.1"
 wtforms = "~=3.0"
-newrelic = "*"
-flask-talisman = "*"
-notifications-utils = {git = "https://github.com/GSA/notifications-utils.git", develop = true, branch = "main"}
-coverage = "*"
-vulture = "==2.10"
-radon = "==6.0.1"
+
 
 [tool.poetry.group.dev.dependencies]
-isort = "~5.12.0"
-pytest = "~7.4.2"
-pytest-env = "~1.0.1"
-pytest-mock = "~3.11.1"
-pytest-playwright = "~0.4.3"
-pytest-xdist = "~3.3.1"
-beautifulsoup4 = "==4.12.2"
-freezegun = "==1.2.2"
-flake8 = "~6.1.0"
-flake8-bugbear = "~23.9.16"
-flake8-print = "~5.0.0"
-flake8-pytest-style = "~1.7.2"
-moto = "~4.2"
-requests-mock = "==1.11.0"
-jinja2-cli = {version = "==0.8.2", extras = ["yaml"]}
-pip-audit = "*"
 bandit = "*"
+beautifulsoup4 = "^4.12.2"
+black = "^23.10.1"
+coverage = "*"
+freezegun = "^1.2.2"
+flake8 = "^6.1.0"
+flake8-bugbear = "^23.9.16"
+flake8-print = "^5.0.0"
+flake8-pytest-style = "^1.7.2"
+isort = "^5.12.0"
+jinja2-cli = {version = "==0.8.2", extras = ["yaml"]}
+moto = "^4.2"
+pip-audit = "*"
+pytest = "^7.4.3"
+pytest-env = "^1.0.1"
+pytest-mock = "^3.12.0"
+pytest-playwright = "^0.4.3"
+pytest-xdist = "^3.3.1"
+radon = "^6.0.1"
+requests-mock = "^1.11.0"
+vulture = "^2.10"
+
 
 [build-system]
 requires = ["poetry-core"]