PR-6090: Use ~= instead of == in Python requirements files

[gjclark]

No description provided.

[reweeden]

You should read the docs on how ~= works that were linked in the ticket. It's not as simple as just swapping the version specifier out. https://peps.python.org/pep-0440/#version-specifiers.

We might want to swap the >= out for ~= as well.

[gjclark]

Oh right because we're saying anything in that major version.

[gjclark]

I thought about >= as well. Any objections @mattp0 @mckadesorensen ?

[gjclark]

So would we want to go from x.y.z to ~=x.y or ~=x.0? Because both should be valid?

[gjclark]

Says

This operator MUST NOT be used with a single segment version number such as ~=1

So I think ~=1.0 would be valid.

[reweeden]

Yea, in a perfect world you'd put the minimum compatible version in there for the API that you need. So if something was added in 1.2 that you're using then you should put 1.2, but if you're not using whatever was added in 1.2 then you can put an earlier version such as 1.0. In practice the lower bound doesn't matter quite as much as the upper bound since typically the latest compatible version gets pulled anyway.

[gjclark]

In that case I feel like I should just try x.0 and if anything breaks work up from there.

[gjclark]

In that case I feel like I should just try x.0 and if anything breaks work up from there.

Not sure I love that idea. If there were dependencies at x.y.z then I changed them to ~=x.y and used ~=x.0 in other cases where possible. My editor was showing vulnerability errors when attempting to use pip~=19.2.

[gjclark]

Scratch all that. I set things to the greatest major (major.0) version that passes the unit test check.

[reweeden]

Latest version is 2.9.0. Maybe our code actually relies on some 2.x API and that's why you were seeing issues when pinning with ~=. Should check how it's used in the code and compare to the pyjwt release notes. Links can be found here:

https://pypi.org/project/PyJWT/

[gjclark]

Tested with pyjwt version 2.9.0 and it worked so I set it to ~=2.0

[reweeden]

Pyyaml is on 6.0 now. They don't exactly follow semver so >= might make more sense. You could try and research into it more to figure out how their version scheme actually works: https://pypi.org/project/PyYAML/#history

[gjclark]

So it looks like they use something maybe called "pre-release" versioning. According to PEP 440 we can still use ~=.

If a pre-release, post-release or developmental release is named in a compatible release clause as V.N.suffix, then the suffix is ignored when determining the required prefix match

[gjclark]

And I guess it's not technically SemVer

[reweeden]

They do that and they don't seem to do .0 releases. They have 6.0 and 6.0.1. There is no 6.0.0 which is actually my main concern with ~= compatibility.

[gjclark]

Not sure how to test that so if you think >= is just a safer option then I'll set it back to >=.

[reweeden]

I would have to do more research to give you a conclusive answer, but I'm not working the ticket so I was hoping you'd be able to take a look at that.

[mattp0]

Great work!

[mckadesorensen]

work!

[reweeden]

Great wok!