imbajin commented on code in PR #302:
URL: https://github.com/apache/incubator-hugegraph-ai/pull/302#discussion_r2453911392


##########
hugegraph-llm/pyproject.toml:
##########
@@ -88,3 +89,6 @@ allow-direct-references = true
 
 [tool.uv.sources]
 hugegraph-python-client = { workspace = true }
+# We encountered a bug in PyCGraph's latest release version, so we're using a 
specific commit from the main branch (without the bug) as the project 
dependency.
+# TODO: Replace this command in the future when a new PyCGraph release version 
(after 3.1.2) is available.
+pycgraph = { git = "https://github.com/ChunelFeng/CGraph.git";, subdirectory = 
"python", rev = "248bfcfeddfa2bc23a1d585a3925c71189dba6cc"}
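Review bot: the `;` after the closing quote of the `git` URL (`"https://github.com/ChunelFeng/CGraph.git";,`) is not valid TOML inside an inline table and will make `uv` reject `pyproject.toml`; the entry should read `pycgraph = { git = "https://github.com/ChunelFeng/CGraph.git", subdirectory = "python", rev = "248bfcfeddfa2bc23a1d585a3925c71189dba6cc" }`. The TODO also says "Replace this command", but this is a dependency source entry, not a command, and neither comment names the PyCGraph bug or links an upstream issue, so a later reader cannot tell which release (after 3.1.2) actually contains the fix before unpinning.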

Review Comment:
   ‼️ **Critical: pinning the pycgraph dependency to a specific commit carries risk**
   
   ```toml
   pycgraph = { git = "https://github.com/ChunelFeng/CGraph.git", subdirectory = "python", rev = "248bfcfeddfa2bc23a1d585a3925c71189dba6cc"}
   ```
   
   Problems:
   1. **Reproducibility problem**: depending on a specific commit rather than a version tag makes dependency management opaque
   2. **Security risk**: if the upstream repository's history is rewritten, this commit may disappear
   3. **Maintenance cost**: future upgrades are difficult and require manually tracking upstream fixes
   
   Suggestions:
   1. Communicate with the PyCGraph team to release an official version containing the fix (>3.1.2) as soon as possible
   2. Add an issue tracking link explaining why a specific commit is used
   3. Describe in the code comment in detail the bug encountered and its scope of impact
   4. Set up a periodic check mechanism to ensure a timely switch once a new version is released



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
