ddelange / pipgrip

Lightweight pip dependency resolver with deptree preview functionality based on the PubGrub algorithm

pipgrip selects yanked version #118

Closed tekumara closed 1 year ago

tekumara commented 1 year ago

What you were trying to do (and why)

pipgrip prefect will select 2.82 which has been yanked.

What happened (including command output)

Command output

```console
$ pipgrip prefect
prefect==2.82
aiosqlite==0.19.0
alembic==1.11.2
mako==1.2.4
markupsafe==2.1.3
sqlalchemy==1.4.49
typing-extensions==4.7.1
anyio==3.7.1
exceptiongroup==1.1.2
idna==3.4
sniffio==1.3.0
apprise==1.4.5
certifi==2023.7.22
click==8.1.6
markdown==3.4.4
pyyaml==6.0.1
requests==2.31.0
charset-normalizer==3.2.0
urllib3==2.0.4
requests-oauthlib==1.3.1
oauthlib==3.2.2
asgi-lifespan==2.1.0
asyncpg==0.28.0
cloudpickle==2.2.1
coolname==2.2.0
croniter==1.4.1
python-dateutil==2.8.2
six==1.16.0
cryptography==41.0.3
cffi==1.15.1
pycparser==2.21
dateparser==1.1.8
pytz==2023.3
regex==2023.8.8
tzlocal==5.0.1
docker==6.1.3
packaging==23.1
websocket-client==1.6.1
fastapi==0.101.0
pydantic==2.1.1
annotated-types==0.5.0
pydantic-core==2.4.0
starlette==0.27.0
fsspec==2023.6.0
griffe==0.32.3
colorama==0.4.6
httpx==0.24.1
h2==4.1.0
hpack==4.0.0
hyperframe==6.0.1
httpcore==0.17.3
h11==0.14.0
jinja2==3.1.2
jsonpatch==1.33
jsonpointer==2.4
jsonschema==4.19.0
attrs==23.1.0
jsonschema-specifications==2023.7.1
referencing==0.30.2
rpds-py==0.9.2
kubernetes==27.2.0
google-auth==2.17.3
cachetools==5.3.1
pyasn1-modules==0.3.0
pyasn1==0.5.0
rsa==4.9
orjson==3.9.4
pathspec==0.11.2
pendulum==2.1.2
pytzdata==2020.1
python-slugify==8.0.1
text-unidecode==1.3
readchar==4.0.5
setuptools==68.0.0
rich==13.5.2
markdown-it-py==3.0.0
mdurl==0.1.2
pygments==2.16.1
greenlet==2.0.2
toml==0.10.2
typer==0.9.0
uvicorn==0.23.2
websockets==11.0.3
```

```console
$ pip install prefect==2.82
...
WARNING: The candidate selected for download or install is a yanked version: 'prefect' candidate (version 2.82 at https://files.pythonhosted.org/packages/16/e3/4ac0b6e214e4fb315d2032e176eaa33c175e29ff182fe48ac1cabccb30bc/prefect-2.82-py3-none-any.whl (from https://pypi.org/simple/prefect/) (requires-python:>=3.7))
Reason for being yanked: Version number was supposed to be "2.8.2"
```

What you expected to happen

Yanked versions are ignored

Step-by-step reproduction instructions

pipgrip==0.10.7

ddelange commented 1 year ago

Hi @tekumara 👋

Thanks for the report. It looks like this is an upstream bug. Somehow this output includes the yanked version:

```console
$ pip install prefect==none
ERROR: Could not find a version that satisfies the requirement prefect==none (from versions: 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.13.10, 0.13.11, 0.13.12, 0.13.13, 0.13.14, 0.13.15, 0.13.16, 0.13.17, 0.13.18, 0.13.19, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.14.11, 0.14.12, 0.14.13, 0.14.14, 0.14.15, 0.14.16, 0.14.17, 0.14.18, 0.14.19, 0.14.20, 0.14.21, 0.14.22, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.15.10, 0.15.11, 0.15.12, 0.15.13, 1.0rc1, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0a1, 2.0a2, 2.0a3, 2.0a4, 2.0a5, 2.0a6, 2.0a7, 2.0a8, 2.0a9, 2.0a10, 2.0a11, 2.0a12, 2.0a13, 2.0b1, 2.0b2, 2.0b3, 2.0b4, 2.0b5, 2.0b6, 2.0b7, 2.0b8, 2.0b9, 2.0b10, 2.0b11, 2.0b12, 2.0b13, 2.0b14, 2.0b15, 2.0b16, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.10.8, 2.10.9, 2.10.10, 2.10.11, 2.10.12, 2.10.13, 2.10.14, 2.10.15, 2.10.16, 2.10.17, 2.10.18, 2.10.19, 2.10.20, 2.10.21, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.82)
```

ddelange commented 1 year ago

Yep, it was reported upstream: https://github.com/pypa/pip/issues/11745

tekumara commented 1 year ago

Oh interesting, thanks for looking into this.

One slight difference I've noticed is that pip install prefect~=2.11 will install prefect 2.11.3, but pipgrip prefect~=2.11 will pick prefect 2.82 (the yanked version)

ddelange commented 1 year ago

Yeah, that's expected behaviour if the yanked versions show up in the from versions: message; pipgrip relies on it to build the resolution space...
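
To make the failure mode above concrete, here is an added example written for this page (not pipgrip's or pip's own code): it scrapes a constructed copy of pip's "from versions:" message the way a resolver that relies on that text would, then drops releases that a PEP 691 JSON index response marks as yanked, so a ~=2.11 pick lands on 2.11.3 instead of the yanked 2.82. Both the error text and the index response are constructed samples, and the version comparison only handles plain dotted release numbers (pre-releases are skipped), which is a simplification of real PEP 440 handling.

```python
import json
import re

# Constructed sample: the tail of pip's error message, including the yanked 2.82.
PIP_ERROR = (
    "ERROR: Could not find a version that satisfies the requirement prefect==none "
    "(from versions: 2.10.21, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.82)"
)
# Constructed sample of a PEP 691 JSON index response; "yanked" is False or a reason string.
INDEX_JSON = json.dumps({
    "name": "prefect",
    "files": [
        {"filename": "prefect-2.11.3-py3-none-any.whl", "yanked": False},
        {"filename": "prefect-2.82-py3-none-any.whl",
         "yanked": 'Version number was supposed to be "2.8.2"'},
    ],
})

def versions_from_pip_error(msg):
    """Recover the candidate list from pip's '(from versions: ...)' text."""
    m = re.search(r"\(from versions: ([^)]*)\)", msg)
    return [v.strip() for v in m.group(1).split(",")] if m else []

def yanked_versions(index_json):
    """Per PEP 592, a release is yanked when every file of that version is yanked."""
    flags_by_version = {}
    for f in json.loads(index_json)["files"]:
        # Version sits between the project name and either the next '-' or '.tar.gz'.
        m = re.match(r"[^-]+-([^-]+?)(?:-|\.tar\.gz$)", f["filename"])
        if m:
            flags_by_version.setdefault(m.group(1), []).append(bool(f.get("yanked", False)))
    return {v for v, flags in flags_by_version.items() if all(flags)}

def usable_versions(msg, index_json):
    """Candidate list with yanked releases removed."""
    yanked = yanked_versions(index_json)
    return [v for v in versions_from_pip_error(msg) if v not in yanked]

def parse(v):
    # Plain dotted releases only; anything else (rc, a, b, post) is treated as absent.
    return tuple(int(p) for p in v.split(".")) if re.fullmatch(r"\d+(\.\d+)*", v) else None

def select(versions, spec):
    """Highest version matching a compatible-release specifier such as '~=2.11'."""
    if not spec.startswith("~="):
        raise ValueError("only ~= specifiers are handled in this example")
    base = parse(spec[2:])
    prefix = base[:-1]  # ~=2.11 means >=2.11 and ==2.*
    ok = [v for v in versions
          if (t := parse(v)) is not None and t >= base and t[:len(prefix)] == prefix]
    return max(ok, key=parse, default=None)
```

Run stand-alone, select(versions_from_pip_error(PIP_ERROR), "~=2.11") returns "2.82" (the scraped-text behaviour from this thread), while select(usable_versions(PIP_ERROR, INDEX_JSON), "~=2.11") returns "2.11.3".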

ddelange commented 1 year ago

I opened a PR to fix it: https://github.com/pypa/pip/pull/12225

ddelange commented 1 year ago

Upstream fix is merged. Thanks for the report!