Hi, as shown in the following full dependency graph of inspire-schemas, inspire-schemas requires urllib3 >=1.21.1,<1.26, autosemver requires dulwich * (dulwich 0.19.15 will be installed, i.e., the newest version satisfying the version constraint), and dependency dulwich 0.19.15 transitively introduces urllib3 >=1.24.1.
Obviously, there are multiple version constraints set for urllib3 in this project. However, according to pip's “first found wins” installation strategy, urllib3 1.25.9 (i.e., the newest version satisfying constraint >=1.21.1,<1.26) is the actually installed version.
Although the first found package version urllib3 1.25.9 just satisfies the later dependency constraint (urllib3 >=1.21.1,<1.26), this installed version is very close to the upper bound of the version constraint of urllib3 specified by dulwich 0.19.15.
Once dulwich upgrades, its newest version will be installed, as inspire-schemas does not specify the upper bound of the version constraint for dulwich. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded dulwich version introduces a higher version of urllib3, violating its other version constraint >=1.21.1,<1.26.
According to the release history of dulwich, it habitually upgrades urllib3 in its recent releases. For instance, dulwich 0.19.101 upgraded urllib3's constraint from ==1.22 to >=1.23, and dulwich 0.19.12-1 upgraded urllib3's constraint from >=1.23 to >=1.24.1.
As such, it is a warm warning of a potential dependency conflict issue for inspire-schemas.
Dependency tree
```
inspire-schemas - 61.1.2
| +- autosemver(install version:0.5.3 version range:*)
| | +- dulwich(install version:0.19.15 version range:*)
| | | +- certifi(install version:2020.4.5.1 version range:*)
| | | +- urllib3(install version:1.25.9 version range:>=1.24.1)
| +- bleach(install version: version range:=3.0,>=3.1.0)
| +- idutils(install version:1.1.5 version range:*)
| | +- isbnid_fork(install version: version range:>=0.4.4)
| | +- six(install version:1.14.0 version range:>=1.10)
| +- inspire-utils(install version: version range:>=3.0.0,=3.0)
| +- isodate(install version:0.6.0 version range:*)
| | +- six(install version:1.14.0 version range:*)
| +- jsonschema(install version: version range:=2.0,>=2.6.0)
| +- pyyaml(install version:5.3.1 version range:*)
| +- rfc3987(install version:1.3.8 version range:*)
| +- six(install version:1.14.0 version range:*)
| +- unidecode(install version: version range:>=1.0.22,=1.0)
| +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
```
1. Loosen the version range of urllib3 to be >=1.21.1.
2. Remove your direct dependency urllib3, and use the urllib3 transitively introduced by dulwich.
@michamos Which solution do you prefer, 1 or 2?
Please let me know your choice. May I open a pull request to solve this issue?
Thanks for your help. Best, Neolith
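The conflict scenario described in the issue above can be checked mechanically. The following is an added example, not part of the original issue or of inspire-schemas: it intersects the two urllib3 constraints from the dependency tree over a constructed release list, then repeats the check with a hypothetical future dulwich constraint (`>=1.26`, an assumption) to show the point at which no version satisfies both.

```python
import re

OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def parse_version(text):
    """'1.25.9' -> (1, 25, 9); only plain numeric release versions are handled."""
    return tuple(int(part) for part in text.strip().split("."))

def pad(a, b):
    """Zero-pad both tuples to equal length so 1.26 and 1.26.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version, spec):
    """True if version meets every comma-separated clause; '*' accepts anything."""
    if spec.strip() == "*":
        return True
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        left, right = pad(parse_version(version), parse_version(m.group(2)))
        if not OPS[m.group(1)](left, right):
            return False
    return True

def common_versions(releases, constraints):
    """Releases accepted by every requirer; an empty list means a conflict."""
    return [v for v in releases
            if all(satisfies(v, spec) for spec in constraints.values())]

# Constructed sample of release numbers, used only to exercise the check.
RELEASES = ["1.21.1", "1.22", "1.23", "1.24.1", "1.24.3", "1.25.9", "1.26.0"]

# Constraints as they appear in the dependency tree of the issue.
CURRENT = {"inspire-schemas": ">=1.21.1,<1.26", "dulwich 0.19.15": ">=1.24.1"}

# Hypothetical: a later dulwich release raising its lower bound (assumption).
FUTURE = {"inspire-schemas": ">=1.21.1,<1.26", "dulwich (hypothetical)": ">=1.26"}

if __name__ == "__main__":
    print("today :", common_versions(RELEASES, CURRENT))
    print("future:", common_versions(RELEASES, FUTURE) or "CONFLICT")
```

Running a check like this in CI against the constraints of the newest upstream releases flags the shrinking overlap before an install fails.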