SlapBot / stephanie-va

Stephanie is an open-source platform built specifically for voice-controlled applications as well as to automate daily tasks, imitating much of a virtual assistant's work.
https://slapbot.github.io/
MIT License
799 stars 127 forks

Potential dependency conflicts between stephanie-va and urllib3 #49

Open NeolithEra opened 5 years ago

NeolithEra commented 5 years ago

Hi, stephanie-va directly and transitively introduced multiple versions of urllib3.

As shown in the following full dependency graph of stephanie-va, stephanie-va requires urllib3 (the latest version), while the installed version of requests (2.22.0) requires urllib3>=1.21.1,<1.26.

According to Pip's “first found wins” installation strategy, urllib3 1.25.3 is the actually installed version.

Although the first found package version urllib3 1.25.3 just satisfies the later dependency constraint (urllib3>=1.21.1,<1.26), it will lead to a build failure once developers release a newer version of urllib3.

Dependency tree--------

stephanie-va(version range:)
| +-apiclient(version range:)
| | +-urllib3(version range:)
| | +-certifi(version range:)
| +-evernote3(version range:)
| +-eyed3(version range:)
| +-facebook-sdk(version range:)
| +-gtts(version range:)
| +-gtts-token(version range:)
| | +-requests(version range:)
| | | +-chardet(version range:>=3.0.2,<3.1.0)
| | | +-idna(version range:>=2.5,<2.9)
| | | +-urllib3(version range:>=1.21.1,<1.26)
| | | +-certifi(version range:>=2017.4.17)
| +-httplib2(version range:)
| +-metaphone(version range:)
| +-newsapi(version range:)
| +-oauth2client(version range:)
| | +-httplib2(version range:>=0.9.1)
| | +-pyasn1(version range:>=0.1.7)
| | +-pyasn1-modules(version range:>=0.0.5)
| | +-rsa(version range:>=3.1.4)
| | +-six(version range:>=1.6.1)
| +-omdb(version range:)
| +-psutil(version range:)
| +-pyaudio(version range:)
| +-pyball(version range:)
| +-pydispatcher(version range:)
| +-pygame(version range:)
| +-pyowm(version range:)
| | +-requests(version range:>=2.20.0,<3)
| | | +-chardet(version range:>=3.0.2,<3.1.0)
| | | +-idna(version range:>=2.5,<2.9)
| | | +-urllib3(version range:>=1.21.1,<1.26)
| | | +-certifi(version range:>=2017.4.17)
| | +-geojson(version range:>=2.3.0,<3)
| +-python-dateutil(version range:)
| +-python-magic-bin(version range:==0.4.14)
| +-pytz(version range:)
| +-requests(version range:)
| | +-chardet(version range:>=3.0.2,<3.1.0)
| | +-idna(version range:>=2.5,<2.9)
| | +-urllib3(version range:>=1.21.1,<1.26)
| | +-certifi(version range:>=2017.4.17)
| +-soccerpy(version range:)
| +-sounder(version range:)
| +-speechrecognition(version range:)
| +-tweepy(version range:)
| | +-PySocks(version range:>=1.5.7)
| | +-requests(version range:>=2.11.1)
| | | +-chardet(version range:>=3.0.2,<3.1.0)
| | | +-idna(version range:>=2.5,<2.9)
| | | +-urllib3(version range:>=1.21.1,<1.26)
| | | +-certifi(version range:>=2017.4.17)
| | +-requests_oauthlib(version range:>=0.7.0)
| | +-six(version range:>=1.10.0)
| +-urllib3(version range:)

Thanks for your attention. Best, Neolith

NeolithEra commented 5 years ago

Solution

  1. Fix your direct dependencies to be urllib3>=1.21.1,<1.26 and requests==2.22.0, to remove this conflict. I have checked that this revision will not affect your downstream projects now.

  2. Remove your direct dependency urllib3, and use the urllib3 transitively introduced by requests.

@SlapBot Please let me know your choice. I can submit a PR to solve this issue. Building a good dependency ecosystem for Python projects is our common goal ^_^.
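
The conflict reported in this issue, as an added example that is not part of the original thread or of the stephanie-va code base: a simplified model of the "first found wins" strategy, using the urllib3 ranges from the dependency tree above. The available version lists (including `1.24.3` and `1.26.0`) and all function names are constructed for illustration.

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}

# urllib3 ranges copied from the dependency tree in this issue, in the order
# the resolver meets them; "" means the requirer declares no range.
TREE = [("stephanie-va", ""), ("requests", ">=1.21.1,<1.26")]

def parse_version(text):
    """'1.25.3' -> (1, 25, 3); only plain numeric releases are handled."""
    return tuple(int(part) for part in text.split("."))

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.fullmatch(r"(>=|<=|==|!=|<|>)\s*(\d+(?:\.\d+)*)", clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        bound = parse_version(m.group(2))
        width = max(len(v), len(bound))  # pad so 1.26 compares as 1.26.0
        pad = lambda t: t + (0,) * (width - len(t))
        if not OPS[m.group(1)](pad(v), pad(bound)):
            return False
    return True

def first_found_wins(available, tree=TREE):
    """Simplified model of the strategy named in the issue: the first
    requirer's range alone picks the version; later ranges are only checked."""
    first_spec = tree[0][1]
    picked = max((v for v in available if satisfies(v, first_spec)),
                 key=parse_version)
    broken = [name for name, spec in tree[1:] if not satisfies(picked, spec)]
    return picked, broken

if __name__ == "__main__":
    today = ["1.24.3", "1.25.3"]            # constructed index contents
    later = today + ["1.26.0"]              # constructed: a newer release appears
    pinned = [("stephanie-va", ">=1.21.1,<1.26")] + TREE[1:]  # solution 1
    print(first_found_wins(today))          # ('1.25.3', [])
    print(first_found_wins(later))          # ('1.26.0', ['requests'])
    print(first_found_wins(later, pinned))  # ('1.25.3', [])
```

On an installed environment, `pip check` reports the same kind of unsatisfied requirement.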