Dependency resolution in pip
I recently stumbled into a worrying problem with pip. I found out that doing "pip install pusher requests" installs urllib3 v1.23 as a dependency even though requests specifically restricts the version to lower than 1.23. Then if instead I do "pip install requests pusher" it installs urllib3 v1.22 as expected. As I recall, pip has long had a problem with combining version specifiers and extras when the same target has been required from multiple sources. What I wanted to ask was, is this a simple bug, or a larger unresolved design problem? Should pip also take into consideration the requirements from existing installed packages so pip won't end up installing upgrades they're incompatible with?
On 13 June 2018 at 10:23, <alex.gronholm@nextday.fi> wrote:

> I recently stumbled into a worrying problem with pip. I found out that doing "pip install pusher requests" installs urllib3 v1.23 as a dependency even though requests specifically restricts the version to lower than 1.23. Then if instead I do "pip install requests pusher" it installs urllib3 v1.22 as expected. As I recall, pip has long had a problem with combining version specifiers and extras when the same target has been required from multiple sources. What I wanted to ask was, is this a simple bug, or a larger unresolved design problem? Should pip also take into consideration the requirements from existing installed packages so pip won't end up installing upgrades they're incompatible with?

It's a known issue - pip doesn't do full dependency resolution at the moment. It's being tracked in https://github.com/pypa/pip/issues/988

Paul
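To make the order dependence in the original report concrete, here is an added illustration (not pip's or pipenv's code) of the difference between a resolver that lets the first requirement seen for a name pick the version and one that merges every specifier before choosing. The package index is constructed for the example and follows the original poster's description (requests pinning urllib3 below 1.23); the specifier parser is a simplified subset of PEP 440 and the `check()` helper mimics what `pip check` reports after the fact.

```python
"""Toy model of order-dependent dependency handling, added as an example.

Not pip's or pipenv's code. INDEX is a constructed index following the
original poster's description; specifiers support only ==, !=, <, <=, >, >=
on dotted numeric versions (a simplification of PEP 440).
"""
import re

# Constructed index: distribution name -> {version: [requirement strings]}
INDEX = {
    "pusher": {"2.0.1": ["requests>=2.3.0", "urllib3"]},
    "requests": {"2.19.0": ["urllib3>=1.21.1,<1.23"]},
    "urllib3": {"1.22": [], "1.23": []},
}

_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def parse_version(text):
    """'1.21.1' -> (1, 21, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(req):
    """'urllib3>=1.21.1,<1.23' -> ('urllib3', [('>=', (1,21,1)), ('<', (1,23))])."""
    name, spec = _REQ.match(req).groups()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        op = re.match(r"(==|!=|<=|>=|<|>)", part).group(1)
        clauses.append((op, parse_version(part[len(op):].strip())))
    return name.lower(), clauses


def satisfies(version, clauses):
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def best_version(name, clauses):
    """Highest indexed version satisfying every clause, or LookupError."""
    candidates = [v for v in INDEX[name] if satisfies(v, clauses)]
    if not candidates:
        raise LookupError(f"no version of {name} satisfies {sorted(clauses)}")
    return max(candidates, key=parse_version)


def install_first_wins(requirements):
    """Order-dependent resolution: the first requirement seen for a name
    picks the version; later specifiers for that name are never re-checked."""
    installed = {}
    queue = list(requirements)
    while queue:
        name, clauses = parse_requirement(queue.pop(0))
        if name in installed:
            continue  # already chosen; a conflicting specifier is silently dropped
        version = best_version(name, clauses)
        installed[name] = version
        queue.extend(INDEX[name][version])  # discovered deps go to the back
    return installed


def check(installed):
    """Like `pip check`: list every declared requirement the environment violates."""
    problems = []
    for name, version in installed.items():
        for req in INDEX[name][version]:
            dep, clauses = parse_requirement(req)
            if dep not in installed:
                problems.append(f"{name} {version} requires {req}, which is not installed")
            elif not satisfies(installed[dep], clauses):
                problems.append(f"{name} {version} requires {req}, "
                                f"but {dep} {installed[dep]} is installed")
    return problems


def install_resolved(requirements):
    """Merge all specifiers seen for a name across the whole graph, then pick
    the highest version satisfying all of them; iterate until stable.
    Raises LookupError when the merged constraints are unsatisfiable."""
    constraints = {}

    def add(req):
        name, clauses = parse_requirement(req)
        constraints.setdefault(name, set()).update(clauses)

    for req in requirements:
        add(req)
    chosen = {}
    while True:
        new = {name: best_version(name, cl) for name, cl in constraints.items()}
        if new == chosen:
            return chosen
        chosen = new
        for name, version in chosen.items():
            for req in INDEX[name][version]:
                add(req)


if __name__ == "__main__":
    for order in (["pusher", "requests"], ["requests", "pusher"]):
        env = install_first_wins(order)
        print(order, "->", env["urllib3"], check(env))
    print("merged constraints ->", install_resolved(["pusher", "requests"]))
```

Run it and the first-wins walk reproduces the report: `pusher requests` ends with urllib3 1.23 and a `check()` complaint, `requests pusher` ends with 1.22 and a clean check, while the merged-constraint pass yields 1.22 regardless of order and raises instead of silently installing when no version fits.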
This is partially what we are doing in pipenv, although we are not truly SAT solving; we are fully resolving. For the record, I just tried this out with what will be the next version of pipenv (releasing this week) and it seems that requests doesn't pin urllib3 below 1.23 (so urllib3 1.23 is compatible with requests):

```
/t/test pipenv graph --bare
pusher==2.0.1
  - ndg-httpsclient [required: Any, installed: 0.5.0]
    - pyasn1 [required: >=0.1.1, installed: 0.4.3]
    - PyOpenSSL [required: Any, installed: 18.0.0]
      - cryptography [required: >=2.2.1, installed: 2.2.2]
        - asn1crypto [required: >=0.21.0, installed: 0.24.0]
        - cffi [required: >=1.7, installed: 1.11.5]
          - pycparser [required: Any, installed: 2.18]
        - idna [required: >=2.1, installed: 2.7]
        - six [required: >=1.4.1, installed: 1.11.0]
      - six [required: >=1.5.2, installed: 1.11.0]
  - pyasn1 [required: Any, installed: 0.4.3]
  - pyopenssl [required: Any, installed: 18.0.0]
    - cryptography [required: >=2.2.1, installed: 2.2.2]
      - asn1crypto [required: >=0.21.0, installed: 0.24.0]
      - cffi [required: >=1.7, installed: 1.11.5]
        - pycparser [required: Any, installed: 2.18]
      - idna [required: >=2.1, installed: 2.7]
      - six [required: >=1.4.1, installed: 1.11.0]
    - six [required: >=1.5.2, installed: 1.11.0]
  - requests [required: >=2.3.0, installed: 2.19.0]
    - certifi [required: >=2017.4.17, installed: 2018.4.16]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.8, installed: 2.7]
    - urllib3 [required: >=1.21.1,<1.24, installed: 1.23]   *****
  - six [required: Any, installed: 1.11.0]
  - urllib3 [required: Any, installed: 1.23]
```

Asterisks mine. And just to confirm, from the current setup.py for requests (found at https://github.com/requests/requests/blob/991e8b76b7a9d21f698b24fa0058d3d596...):

```
'urllib3>=1.21.1,<1.24'
```
Dan Ryan gh: @techalchemy // e: dan@danryan.co
Participants (3): alex.gronholm@nextday.fi, Dan Ryan, Paul Moore