Requirements for package management:
- I want to have 3 sets of packages: development, test and production.
- The production set must be a subset of the test set, which must be a subset of the development set.
- At least initially, development and test can be the exact same set.
- Production set must be as small as possible (target is lambda functions).
- Production set must not have any dependencies that are only needed for development or tests, so it reduces the attack surface.
- While the production set must not have development/test dependencies, these dependencies might have an impact (if a test package is only compatible with a specific version of a package, that's the only version that is testable, so it should be the one in production).
I'm looking for tools that either do this or could be part of a process that does this.
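One building block such a process could include, as an added example and not part of the original post: a Python check (Python is assumed here, since the post does not name a language) that parses three pinned requirements files and reports where production is not a subset of test, test is not a subset of development, or a package shared between layers is pinned to different versions. The requirement contents are constructed samples.

```python
"""Verify that pinned requirement sets nest as production <= test <= development and
that every package shared between layers is pinned to the same version."""
import re

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def normalize(name: str) -> str:
    """PEP 503-style normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text: str) -> dict:
    """Parse 'name==version' lines (comments and blanks ignored) into {name: version}.
    Anything not strictly pinned is rejected, since unpinned sets cannot be compared."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[normalize(m.group(1))] = m.group(2)
    return pins

def check_layers(dev: dict, test: dict, prod: dict) -> list:
    """Return a list of violations; an empty list means the three layers are consistent."""
    problems = []
    for inner_name, inner, outer_name, outer in (("production", prod, "test", test),
                                                 ("test", test, "development", dev)):
        for pkg, ver in inner.items():
            if pkg not in outer:
                problems.append(f"{pkg} is in {inner_name} but missing from {outer_name}")
            elif outer[pkg] != ver:
                problems.append(f"{pkg} is {ver} in {inner_name} but {outer[pkg]} in {outer_name}")
    return problems

# Constructed sample sets: development and test are identical, production drifts in two ways.
DEV = "boto3==1.34.0\nrequests==2.31.0\npytest==8.0.0  # test-only\nmoto==5.0.0  # test-only\n"
TEST = DEV
PROD = "boto3==1.34.0\nRequests==2.30.0\npyyaml==6.0.1\n"

if __name__ == "__main__":
    for problem in check_layers(parse_pins(DEV), parse_pins(TEST), parse_pins(PROD)):
        print(problem)
```

Run against lock files generated per layer, the check fails the build when production pins a version the test layer never exercised or pulls in a package the other layers do not know about.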