PrefectHQ / prefect

Prefect is a workflow orchestration framework for building resilient data pipelines in Python.
https://prefect.io
Apache License 2.0

anyio: pip dependencies for prefect-client do not match requirements-client.txt #14585

Closed jeffrose-relay closed 1 month ago

jeffrose-relay commented 1 month ago

Bug summary

When I look at https://github.com/PrefectHQ/prefect/blob/main/requirements-client.txt, I see the dependencies listed for anyio are: anyio >= 4.0.0, < 5.0.0

However, when I install version 2.19.8 of prefect-client, it shows the dependencies for anyio as the following: anyio<4.0.0,>=3.7.1

I am not sure if there is a bug or if I am misunderstanding the purpose of the requirements-client.txt file? Thanks

Reproduction

# bash code
python3.11 -m venv venv

source venv/bin/activate

pip install prefect-client

python

#python code
from pip._vendor import pkg_resources
_package_name = 'prefect-client'
_package = pkg_resources.working_set.by_key[_package_name]
print([str(r) for r in _package.requires()])

#output
['anyio<4.0.0,>=3.7.1', 'asgi-lifespan<3.0,>=1.0', 'cachetools<6.0,>=5.3', 'cloudpickle<4.0,>=2.0', 'coolname<3.0.0,>=1.0.4', 'croniter<3.0.0,>=1.0.12', 'fsspec>=2022.5.0', 'graphviz>=0.20.1', 'griffe>=0.20.0', 'httpcore<2.0.0,>=1.0.5', 'httpx[http2]!=0.23.2,>=0.23', 'importlib-resources<6.2.0,>=6.1.3', 'jsonpatch<2.0,>=1.32', 'jsonschema<5.0.0,>=4.0.0', 'orjson<4.0,>=3.7', 'packaging<24.3,>=21.3', 'pathspec>=0.8.0', 'pydantic[email]!=2.0.0,!=2.0.1,!=2.1.0,<3.0.0,>=1.10.0', 'pydantic-core<3.0.0,>=2.12.0', 'python-dateutil<3.0.0,>=2.8.2', 'python-slugify<9.0,>=5.0', 'pyyaml<7.0.0,>=5.4.1', 'rfc3339-validator<0.2.0,>=0.1.4', 'rich<14.0,>=11.0', 'ruamel.yaml>=0.17.0', 'sniffio<2.0.0,>=1.3.0', 'toml>=0.10.0', 'typing-extensions<5.0.0,>=4.5.0', 'ujson<6.0.0,>=5.8.0', 'uvicorn!=0.29.0,>=0.14.0', 'websockets<13.0,>=10.4', 'itsdangerous', 'python-multipart>=0.0.7', 'pendulum<3.0; python_version < "3.12"']

Error

No response

Versions (prefect version output)

2.19.8

Additional context

There is a security vulnerability in all versions of anyio prior to 4.4.0. This is why I am looking into this in the first place.
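An added example, not code from the issue or from the Prefect project, that does the reporter's check offline: it parses requirement strings as pip reports them, asks whether a declared constraint still permits a given patched release (the issue's case: does the installed metadata allow anyio 4.4.0?), and lists packages whose pins differ between a requirements file and the installed wheel metadata. The sample requirement lists are constructed from the strings quoted in this issue; the version comparison handles release segments only (no pre-release or local tags) and the `~=` operator is deliberately unsupported.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: constraints as reported by the installed wheel versus the requirements file.
INSTALLED_METADATA = ["anyio<4.0.0,>=3.7.1", "httpx[http2]!=0.23.2,>=0.23",
                      'pendulum<3.0; python_version < "3.12"']
REQUIREMENTS_FILE = ["anyio >= 4.0.0, < 5.0.0", "httpx[http2] >= 0.23, != 0.23.2"]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*(.+)$")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (normalized name, [(operator, version), ...]); extras and ';' markers are dropped."""
    m = _REQ_RE.match(req.split(";", 1)[0])
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name normalization
    specs = []
    for clause in filter(None, (c.strip() for c in m.group(3).split(","))):
        cm = _CLAUSE_RE.match(clause)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        specs.append((cm.group(1), cm.group(2)))
    return name, specs


def _cmp(a: str, b: str) -> int:
    """Compare dotted release versions; missing trailing segments count as zero (4.4 == 4.4.0)."""
    pa, pb = [int(x) for x in a.split(".")], [int(x) for x in b.split(".")]
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def version_allowed(specs: List[Tuple[str, str]], version: str) -> bool:
    return all(_OPS[op](_cmp(version, v)) for op, v in specs)


def patched_version_reachable(requirements: List[str], package: str, patched: str) -> Optional[bool]:
    """True/False if `package` is pinned and the pin does/doesn't admit `patched`; None if not pinned."""
    for req in requirements:
        name, specs = parse_requirement(req)
        if name == package:
            return version_allowed(specs, patched)
    return None


def constraint_mismatches(installed: List[str], wanted: List[str]) -> Dict[str, tuple]:
    """Packages present in both lists whose specifier sets differ (clause order ignored)."""
    a = {n: sorted(s) for n, s in map(parse_requirement, installed)}
    b = {n: sorted(s) for n, s in map(parse_requirement, wanted)}
    return {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
```

Against a live environment, feed `importlib.metadata.requires("prefect-client")` in place of `INSTALLED_METADATA` to reproduce the reporter's pkg_resources snippet without pip internals.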

aaazzam commented 1 month ago

👋 @jeffrose-relay

Thanks for reporting this! The discrepancy you're seeing is because our main branch is where we're developing the 3.X branch of Prefect. We release 2.X patches (including prefect-client) from https://github.com/PrefectHQ/prefect/tree/2.x, where you'll see the anyio pin.

There's currently a release candidate for 3.X that we're soliciting feedback on from folks (like you!) -- you can install it by allowing prereleases in pip.

Prefect 3.X is compatible with anyio > 4, but I'm afraid Prefect 2.X will only be compatible with anyio < 4.

jeffrose-relay commented 1 month ago

Thanks @aaazzam! This answers my question completely and I will close this out.