inspirehep / inspire-schemas

Inspire JSON schemas and utilities to use them.
GNU General Public License v2.0

Potential dependency conflicts between inspire-schemas and urllib3 #395

Open NeolithEra opened 4 years ago

NeolithEra commented 4 years ago

Hi, as shown in the following full dependency graph of inspire-schemas, inspire-schemas requires urllib3 >=1.21.1,<1.26, autosemver requires dulwich (dulwich 0.19.15 will be installed, i.e., the newest version satisfying the version constraint), and dependency dulwich 0.19.15 transitively introduces urllib3 >=1.24.1.

Obviously, there are multiple version constraints set for urllib3 in this project. However, according to pip's “first found wins” installation strategy, urllib3 1.25.9 (i.e., the newest version satisfying constraint >=1.21.1,<1.26) is the actually installed version.

Although the first found package version urllib3 1.25.9 just satisfies the later dependency constraint (urllib3 >=1.21.1,<1.26), such installed version is very close to the upper bound of the version constraint of urllib3 specified by dulwich 0.19.15.

Once dulwich upgrades, its newest version will be installed, as inspire-schemas does not specify the upper bound of the version constraint for dulwich. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded dulwich version introduces a higher version of urllib3, violating the other version constraint >=1.21.1,<1.26.

According to the release history of dulwich, it habitually upgrades urllib3 in its recent releases. For instance, dulwich 0.19.101 upgraded urllib3's constraint from ==1.22 to >=1.23, and dulwich 0.19.12-1 upgraded urllib3's constraint from >=1.23 to >=1.24.1.

As such, it is a warm warning of a potential dependency conflict issue for inspire-schemas.

Dependency tree

inspire-schemas - 61.1.2
| +- autosemver(install version:0.5.3 version range:*)
| | +- dulwich(install version:0.19.15 version range:*)
| | | +- certifi(install version:2020.4.5.1 version range:*)
| | | +- urllib3(install version:1.25.9 version range:>=1.24.1)
| +- bleach(install version: version range:=3.0,>=3.1.0)
| +- idutils(install version:1.1.5 version range:*)
| | +- isbnid_fork(install version: version range:>=0.4.4)
| | +- six(install version:1.14.0 version range:>=1.10)
| +- inspire-utils(install version: version range:>=3.0.0,=3.0)
| +- isodate(install version:0.6.0 version range:*)
| | +- six(install version:1.14.0 version range:*)
| +- jsonschema(install version: version range:=2.0,>=2.6.0)
| +- pyyaml(install version:5.3.1 version range:*)
| +- rfc3987(install version:1.3.8 version range:*)
| +- six(install version:1.14.0 version range:*)
| +- unidecode(install version: version range:>=1.0.22,=1.0)
| +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)

Thanks for your help. Best, Neolith
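To make the failure mode described above concrete, here is an added checker (not part of inspire-schemas or any of its dependencies) that takes the urllib3 constraints from the dependency tree and reports which requirer an installed version would violate; the "future dulwich" constraint `>=1.26` is a constructed scenario, not a real dulwich release.

```python
# Added example, not project code: minimal version-constraint checker for the
# urllib3 constraints listed in the issue. Only the operators that appear in
# the issue (==, >=, <) are supported; no pre-release handling.

def parse_version(s):
    """'1.25.9' -> (1, 25, 9); trailing zeros are dropped so 1.26.0 == 1.26."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

OPS = {
    "==": lambda v, b: v == b,
    ">=": lambda v, b: v >= b,
    "<":  lambda v, b: v < b,
}

def satisfies(version, spec):
    """True if `version` meets every comma-separated clause of `spec` ('*' = any)."""
    if spec == "*":
        return True
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        op = next(o for o in OPS if clause.startswith(o))
        if not OPS[op](v, parse_version(clause[len(op):])):
            return False
    return True

def find_conflicts(installed, constraints):
    """Return the (requirer, spec) pairs that `installed` fails to satisfy."""
    return [(who, spec) for who, spec in constraints if not satisfies(installed, spec)]

def conflict_free_versions(candidates, constraints):
    """Subset of `candidates` that satisfies every constraint at once."""
    return [c for c in candidates if not find_conflicts(c, constraints)]

# urllib3 constraints as they appear in the issue's dependency tree.
CONSTRAINTS = [
    ("inspire-schemas", ">=1.21.1,<1.26"),
    ("dulwich 0.19.15", ">=1.24.1"),
]
# Constructed scenario: a future dulwich raising its lower bound past 1.26.
FUTURE = [
    ("inspire-schemas", ">=1.21.1,<1.26"),
    ("dulwich (future)", ">=1.26"),
]

if __name__ == "__main__":
    print(find_conflicts("1.25.9", CONSTRAINTS))    # [] today
    print(conflict_free_versions(["1.24.1", "1.25.9", "1.26.0"], FUTURE))  # []
```

With the constructed future constraint no candidate satisfies both requirers, which is the build failure the issue anticipates; a resolver such as pip then has no valid solution regardless of "first found wins" ordering.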

NeolithEra commented 4 years ago

Suggested Solution

  1. Loosen the version range of urllib3 to be >=1.21.1.
  2. Remove your direct dependency urllib3, and use the urllib3 transitively introduced by dulwich.

@michamos Which solution do you prefer, 1 or 2? Please let me know your choice. May I open a pull request to solve this issue?

NeolithEra commented 4 years ago

@drjova, could you help me review this issue? Thx :p