bitwarden / passwordless-python

Bitwarden Passwordless.dev Python SDK.
https://bitwarden.com/
Apache License 2.0

Fixing issue with pinned versions of the dependencies of the package #42

Closed antonlydell closed 2 months ago

antonlydell commented 6 months ago

Description

In release 1.0.0 the requirements of the package have changed to pinned versions from caret (^) versions. This means that installing passwordless version 1.0.0 requires you to have Python 3.8.18 installed; otherwise the installation will fail. In release 0.1.1 the dependency definition was as follows:

[tool.poetry.dependencies]
python = "^3.8"
passwordless = "^0"
flask = "^2"
flasgger = "^0"
flask-marshmallow = "^0"

I propose a change to ">=" versions rather than caret to avoid unnecessary package lock-in effects if there are no known breaking changes in the next major versions of the dependencies. This also aligns with "better ask for forgiveness rather than permission". If a breaking change is found in a next major version of a dependency, then this issue will likely be found faster and fixed. In the worst case, if no fix is available, a new version with a "<" version requirement can be released.

You can decide if you want to also update your test requirements in the same manner.

Proposed change

[tool.poetry.dependencies]
python = ">=3.8"
requests = ">=2.31"
marshmallow = ">=3.21"
python-dateutil = ">=2.9"

Steps to reproduce

  1. Install a version of Python >= 3.8.18

  2. Run the command pip install passwordless==1.0.0 or python -m pip install passwordless==1.0.0

Example

(test_passwordless) $ python --version
Python 3.12.2
(test_passwordless) $ pip install passwordless==1.0.0
ERROR: Ignored the following versions that require a different python version: 1.0.0 Requires-Python ==3.8.18
ERROR: Could not find a version that satisfies the requirement passwordless==1.0.0 (from versions: 0.1.0, 0.1.1)
ERROR: No matching distribution found for passwordless==1.0.0
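The three constraint styles discussed in this issue (caret, exact pin, and open ">=") resolve to different version ranges, and the difference is exactly what makes pip reject Python 3.12.2 for the 1.0.0 release. The following is an added example written for this thread, not code from the passwordless-python project or from Poetry; it is a minimal, stdlib-only evaluator for the spec forms that appear on this page (`^X.Y`, `==X.Y.Z`, `>=X.Y`, `<X`) and ignores pre-releases, wildcards and tilde specs. The `==3.8.18` pin is assumed from pip's `Requires-Python ==3.8.18` message; the installed-version samples are constructed.

```python
import operator
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

OPS = {
    ">=": operator.ge, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">": operator.gt, "<": operator.lt,
}
SPEC_RE = re.compile(r"^(>=|<=|==|!=|>|<|\^)?\s*(\d+(?:\.\d+){0,2})$")
DEP_RE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*"([^"]+)"\s*$')


def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return (parts + [0, 0, 0])[:3][0], (parts + [0, 0, 0])[:3][1], (parts + [0, 0, 0])[:3][2]


def caret_bounds(text: str) -> Tuple[Version, Version]:
    """Expand a Poetry-style caret '^X.Y.Z' into (inclusive lower, exclusive upper).

    The leftmost non-zero component is bumped (^3.8 -> <4.0.0, ^0.1 -> <0.2.0);
    if every given component is zero the last given one is bumped (^0 -> <1.0.0).
    """
    parts = [int(p) for p in text.split(".")]
    idx = next((i for i, p in enumerate(parts) if p != 0), len(parts) - 1)
    upper = [0, 0, 0]
    upper[idx] = parts[idx] + 1
    return parse_version(text), (upper[0], upper[1], upper[2])


def parse_spec(spec: str) -> List[Tuple[str, Version]]:
    """Turn a comma-separated spec such as '>=2.31,<3' into (operator, bound) pairs."""
    constraints: List[Tuple[str, Version]] = []
    for clause in spec.split(","):
        match = SPEC_RE.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, ver = match.group(1) or "==", match.group(2)
        if op == "^":
            lower, upper = caret_bounds(ver)
            constraints += [(">=", lower), ("<", upper)]
        else:
            constraints.append((op, parse_version(ver)))
    return constraints


def satisfies(installed: str, spec: str) -> bool:
    """True when every clause of `spec` accepts the installed version."""
    version = parse_version(installed)
    return all(OPS[op](version, bound) for op, bound in parse_spec(spec))


def parse_dependency_table(toml_text: str) -> Dict[str, str]:
    """Collect name = "spec" lines under [tool.poetry.dependencies] (not a full TOML parser)."""
    deps: Dict[str, str] = {}
    in_table = False
    for line in toml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_table = stripped == "[tool.poetry.dependencies]"
            continue
        match = DEP_RE.match(line)
        if in_table and match:
            deps[match.group(1)] = match.group(2)
    return deps


def unsatisfied(toml_text: str, installed: Dict[str, str]) -> Dict[str, str]:
    """Return {name: spec} for every dependency the environment is missing or fails."""
    return {
        name: spec
        for name, spec in parse_dependency_table(toml_text).items()
        if name not in installed or not satisfies(installed[name], spec)
    }


# The three Python constraints from this issue: 0.1.1 (caret), 1.0.0 (pin, assumed
# from pip's Requires-Python message) and the proposed ">=" form.
PYTHON_SPECS = {"0.1.1 caret": "^3.8", "1.0.0 pinned": "==3.8.18", "proposed": ">=3.8"}


def python_compatibility(installed_python: str) -> Dict[str, bool]:
    """Which of the three constraint styles accept the given interpreter version."""
    return {label: satisfies(installed_python, spec) for label, spec in PYTHON_SPECS.items()}


# Proposed table from the issue, checked against a constructed environment.
PROPOSED_TABLE = """
[tool.poetry.dependencies]
python = ">=3.8"
requests = ">=2.31"
marshmallow = ">=3.21"
python-dateutil = ">=2.9"
"""
SAMPLE_ENV = {"python": "3.12.2", "requests": "2.30.0", "marshmallow": "3.21.0"}  # constructed

if __name__ == "__main__":
    print(python_compatibility("3.12.2"))            # only the "==3.8.18" pin rejects 3.12.2
    print(unsatisfied(PROPOSED_TABLE, SAMPLE_ENV))   # requests too old, python-dateutil missing
```

The `unsatisfied` helper is the part worth keeping around: running it over a proposed `pyproject.toml` against the versions a CI matrix actually installs would have caught the `Requires-Python ==3.8.18` regression before the release went to PyPI, where (as noted later in this thread) it cannot be rolled back.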

CLAassistant commented 6 months ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

WaciX commented 6 months ago

You are right, the range would fix the issue for the python version. But the bug would come back a release later, as this issue is caused by renovate version pinning, which at the moment changes the ranges to exact equal version. This is not intended, I will have to look into that.

In the meantime I think it might be better to just revert the version pinning completely and re-release version 1.0.1 (since you cannot rollback release on pypi).

antonlydell commented 6 months ago

Ok, sounds good. I do not see the point in restricting the next major version of the dependencies for a library. Could renovate be configured to use ">="?

abergs commented 2 months ago

@WaciX Could you elaborate on what we need to do here?

mzieniukbw commented 2 months ago

@abergs This has been fully addressed with different PRs; I will close it.