claranet / boto-source-profile-mfa

AWS boto helper library for reusing MFA tokens in profiles with the same source profile
MIT License

Potential dependency conflicts between boto-source-profile-mfa and botocore #2

Open NeolithEra opened 4 years ago

NeolithEra commented 4 years ago

Hi, as shown in the following full dependency graph of boto-source-profile-mfa, boto-source-profile-mfa requires botocore (the latest version), while the installed version of boto3 (0.9.1) requires botocore>=1.15.39,<1.16.0.

According to Pip's “first found wins” installation strategy, botocore 1.15.39 is the actually installed version.

Although the first found package version botocore 1.15.39 just satisfies the later dependency constraint (botocore>=1.15.39,<1.16.0), it will lead to a build failure once developers release a newer version of botocore.

Dependency tree:

```
boto-source-profile-mfa - 0.0.11
| +- boto3(install version:1.12.39 version range:*)
| | +- botocore(install version:1.15.39 version range:>=1.15.39,<1.16.0)
| | | +- docutils(install version:0.15.2 version range:>=0.10,<0.16)
| | | +- jmespath(install version:0.10.0 version range:>=0.7.1,<1.0.0)
| | | +- python-dateutil(install version:2.8.1 version range:>=2.1,<3.0.0)
| | | +- urllib3(install version:1.25.9 version range:>=1.20,<1.26)
| | +- jmespath(install version:0.10.0 version range:>=0.7.1,<1.0.0)
| | +- s3transfer(install version:0.3.3 version range:>=0.3.0,<0.4.0)
| | | +- botocore(install version:1.15.39 version range:>=1.12.36,<2.0a.0)
| | | | +- docutils(install version:0.15.2 version range:>=0.10,<0.16)
| | | | +- jmespath(install version:0.10.0 version range:>=0.7.1,<1.0.0)
| | | | +- python-dateutil(install version:2.8.1 version range:>=2.1,<3.0.0)
| | | | +- urllib3(install version:1.25.9 version range:>=1.20,<1.26)
| +- botocore(install version:1.15.39 version range:*)
| | +- docutils(install version:0.15.2 version range:>=0.10,<0.16)
| | +- jmespath(install version:0.10.0 version range:>=0.7.1,<1.0.0)
| | +- python-dateutil(install version:2.8.1 version range:>=2.1,<3.0.0)
| | +- urllib3(install version:1.25.9 version range:>=1.20,<1.26)
```

Thanks for your attention.
Best,
Neolith
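The check behind the report above, as an added example that is not part of the original thread or of the project's code: it tests a candidate botocore version against every range listed in the dependency tree and names the requirers it would violate. The comparison is a simplified, standard-library stand-in for pip's own version handling (pre-release suffixes are dropped), and the candidate versions other than 1.15.39 are constructed.

```python
import operator
import re

# botocore ranges copied from the dependency tree in the issue: (requirer, range)
BOTOCORE_RANGES = [
    ("boto-source-profile-mfa", "*"),
    ("boto3 1.12.39", ">=1.15.39,<1.16.0"),
    ("s3transfer 0.3.3", ">=1.12.36,<2.0a.0"),
]

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}


def release(version):
    """Numeric release tuple. Simplification: a pre-release suffix is
    dropped, so '2.0a.0' is compared as (2, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group().split("."))


def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    if spec.strip() in ("", "*"):
        return True  # unconstrained requirement accepts anything
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        a, b = release(version), release(m.group(2))
        width = max(len(a), len(b))  # pad so (1, 16) compares like (1, 16, 0)
        a += (0,) * (width - len(a))
        b += (0,) * (width - len(b))
        if not OPS[m.group(1)](a, b):
            return False
    return True


def violated_by(version, ranges=BOTOCORE_RANGES):
    """Requirers whose botocore range excludes this version."""
    return [req for req, spec in ranges if not satisfies(version, spec)]


if __name__ == "__main__":
    for candidate in ("1.15.39", "1.16.0", "2.0.0"):  # last two are constructed
        print(candidate, violated_by(candidate) or "satisfies every range")
```

Against an installed environment, `pip check` reports the same kind of mismatch using the metadata of the packages that are actually present.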

NeolithEra commented 4 years ago

Solution

  1. Loosen the version range of botocore to be <1.16.0.
  2. Remove your direct dependency botocore, and use the botocore transitively introduced by boto3.
  3. Ask your direct dependency boto3 to loosen the version range of botocore to be >=1.15.39.

@raymondbutcher Which solution do you prefer, 1, 2 or 3? Please let me know your choice. May I pull a request to solve this issue?

raymondbutcher commented 4 years ago

Hi @NeolithEra,

> boto-source-profile-mfa requires botocore (the latest version)

Are you sure that's right? It doesn't specify any version in setup.py.

https://github.com/claranet/boto-source-profile-mfa/blob/c789cc01fccf9014862ae64ee36895b1458c0237/setup.py#L21-L24