[question] Constant dependency conflicts even when I don't change libraries.

[instinkt900]

What is your question?

I have a project that pulls in a handful of libraries using conan. They all specify exact versions. ie.

    def requirements(self):
        self.requires("sdl/2.26.5")
        self.requires("sdl_image/2.0.5")
        self.requires("sdl_ttf/2.20.2")
        self.requires("nlohmann_json/3.11.2")
        ...

But every time I commit to my CI machine, conan will try to pull the libraries and complain that there are version conflicts. I'll fix the issue by explicitly providing overrides for these dependencies, ie. self.requires("libwebp/1.3.2", override=True) etc. which will allow the build to complete, then a week later I'll make another commit and there will be another library conflict.

I would have thought that these libraries I'm pulling in would mostly be unchanging since I'm pulling specific libraries, but it seems like these libraries are constantly changing their own dependencies which leads to me having to troubleshoot and figure out what versions to pull again.

Whats the point in having specific versions if the versioned library continually changes it's own dependencies? I'm spending just as much time debugging my conan builds as I am doing my own development.

Have you read the CONTRIBUTING guide?

• [X] I've read the CONTRIBUTING guide

[memsharded]

Hi @instinkt900

Thanks for your question. There are some reasons that packages in ConanCenter keep updating their dependencies to use the latest ones:

• Potential security issues. Typical use case is when depending on openssl, packages don't want to stay in an older version, so they upgrade.
• Improvements in dependencies, like better performance or fixed bugs.
• To avoid conflicts with other libraries. If some library like sdl depends on zlib/1.2.11, but then other packages in ConanCenter depend on zlib/1.3, that is going to cause conflicts. So the community keeps sending PR to update the recipes to try to align to the "latest" that works

The main issue is that the upgrade to libraries is done incrementally, one at a time, so it can take time until everything uses the latest dependencies, and conflicts happens in the meantime. We are taking several actions to improve this:

• We are gradually moving to version ranges in ConanCenter. That allows using the latest dependencies without causing conflicts, as soon as new dependencies versions are available. This is an ongoing effort, starting from some popular libs like openssl and zlib, but still much to do
• We are adding some CI jobs that daily check for potential version conflicts, so they can be prioritized to be fixed.

In any case, things are expected to evolve in ConanCenter, and that means that eventually it is possible to have some issues. There are a few things that are recommended from the user side, we have written them here: https://docs.conan.io/2/devops/using_conancenter.html. In short, to robustly use ConanCenter, it is recommended to use at least lockfiles (recommended Conan 2.0, lockfiles are way easier). Depending on the project requirements, it might be even recommended to store your own copy or your own binaries for your project dependencies in your own private server.

[memsharded]

Since this issue, we have also added the "local-recipes-index" feature to improve creating packages from a conan-center-index fork for the above mentioned increased robustness. Please check https://docs.conan.io/2/devops/devops_local_recipes_index.html

I am closing this ticket as responded, but please create new tickets for any further question you might have, thanks for the feedback.