Potential dependency conflicts between inspire-schemas and urllib3 #395

Open
NeolithEra opened this issue May 16, 2020 · 2 comments

NeolithEra commented May 16, 2020

Hi, as shown in the following full dependency graph of inspire-schemas, inspire-schemas requires urllib3 >=1.21.1,<1.26, autosemver requires dulwich * (dulwich 0.19.15 will be installed, i.e., the newest version satisfying the version constraint), and dependency dulwich 0.19.15 transitively introduces urllib3 >=1.24.1.

Obviously, there are multiple version constraints set for urllib3 in this project. However, according to pip's “first found wins” installation strategy, urllib3 1.25.9 (i.e., the newest version satisfying constraint >=1.21.1,<1.26) is the actually installed version.

Although the first found package version urllib3 1.25.9 just satisfies the later dependency constraint (urllib3 >=1.21.1,<1.26), this installed version is very close to the upper bound of the version constraint of urllib3 specified by dulwich 0.19.15.

Once dulwich upgrades, its newest version will be installed, as inspire-schemas does not specify the upper bound of the version constraint for dulwich. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded dulwich version introduces a higher version of urllib3, violating its other version constraint >=1.21.1,<1.26.

According to the release history of dulwich, it habitually upgrades urllib3 in its recent releases. For instance, dulwich 0.19.10_1 upgraded urllib3's constraint from ==1.22 to >=1.23, and dulwich 0.19.12-1 upgraded urllib3's constraint from >=1.23 to >=1.24.1.

As such, it is a warm warning of a potential dependency conflict issue for inspire-schemas.

Dependency tree

inspire-schemas - 61.1.2
| +- autosemver(install version:0.5.3 version range:*)
| | +- dulwich(install version:0.19.15 version range:*)
| | | +- certifi(install version:2020.4.5.1 version range:*)
| | | +- urllib3(install version:1.25.9 version range:>=1.24.1)
| +- bleach(install version: version range:=3.0,>=3.1.0)
| +- idutils(install version:1.1.5 version range:*)
| | +- isbnid_fork(install version: version range:>=0.4.4)
| | +- six(install version:1.14.0 version range:>=1.10)
| +- inspire-utils(install version: version range:>=3.0.0,=3.0)
| +- isodate(install version:0.6.0 version range:*)
| | +- six(install version:1.14.0 version range:*)
| +- jsonschema(install version: version range:=2.0,>=2.6.0)
| +- pyyaml(install version:5.3.1 version range:*)
| +- rfc3987(install version:1.3.8 version range:*)
| +- six(install version:1.14.0 version range:*)
| +- unidecode(install version: version range:>=1.0.22,=1.0)
| +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)

Thanks for your help.
Best,
Neolith
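
Added example, not part of the original issue or of inspire-schemas: a minimal stand-alone check of the two urllib3 ranges from the dependency tree above, showing which version satisfies both and what happens if dulwich were to require `>=1.26` (a hypothetical future constraint). The candidate version list and all function names are constructed for illustration, and only plain dotted-integer versions are parsed.

```python
import operator

# Two-character operators are listed first so ">=" is not read as ">".
OPS = [(">=", operator.ge), ("<=", operator.le), ("==", operator.eq),
       ("!=", operator.ne), (">", operator.gt), ("<", operator.lt)]

def parse_version(text):
    """'1.26' -> (1, 26, 0, 0): zero-padded so 1.26 and 1.26.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def satisfies(version, spec):
    """True if version meets every comma-separated clause; '*' allows anything."""
    v = parse_version(version)
    for clause in (c.strip() for c in spec.split(",")):
        if clause in ("", "*"):
            continue
        for symbol, op in OPS:
            if clause.startswith(symbol):
                if not op(v, parse_version(clause[len(symbol):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True

def newest_common(candidates, constraints):
    """Newest candidate accepted by every requirer, or None on a conflict."""
    ok = [c for c in candidates
          if all(satisfies(c, s) for s in constraints.values())]
    return max(ok, key=parse_version) if ok else None

def rejecting(version, constraints):
    """Names of the requirers whose range excludes this version."""
    return [name for name, s in constraints.items() if not satisfies(version, s)]

# urllib3 ranges exactly as listed in the issue's dependency tree.
CONSTRAINTS = {"inspire-schemas": ">=1.21.1,<1.26", "dulwich 0.19.15": ">=1.24.1"}
# Hypothetical: a later dulwich release raising its lower bound past 1.26.
FUTURE = {"inspire-schemas": ">=1.21.1,<1.26", "dulwich (hypothetical)": ">=1.26"}
# Constructed candidate list standing in for the package index.
CANDIDATES = ["1.21.1", "1.22", "1.23", "1.24.1", "1.24.3", "1.25.9", "1.26.0"]

if __name__ == "__main__":
    print("today :", newest_common(CANDIDATES, CONSTRAINTS))
    print("future:", newest_common(CANDIDATES, FUTURE))
    print("1.26.0 rejected by:", rejecting("1.26.0", CONSTRAINTS))
```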

@NeolithEra
Author

Suggested Solution

  1. Loosen the version range of urllib3 to be >=1.21.1.
  2. Remove your direct dependency urllib3, and use the urllib3 transitively introduced by dulwich.

@michamos Which solution do you prefer, 1 or 2?
Please let me know your choice. May I open a pull request to solve this issue?

@NeolithEra
Author

@drjova, could you help me review this issue? Thx :p
