Closed NeolithEra closed 4 years ago
Thanks @NeolithEra for reporting. All the modules you mention are under our control, and when we're out of the development phase, InvenioRDM will control the dependencies via Invenio releases, which locks all related modules to their patch-level release. Thus, this is not something we will fix at this stage of the development. Thanks though for the offer to make a PR, it's much appreciated!
Hi, as shown in the following full dependency graph of invenio-rdm-records, invenio-rdm-records requires invenio-records-files >=1.2.1,<1.3.0, invenio-rdm-records requires invenio-records-permissions >=0.7.0 (invenio-records-permissions 0.7.0 will be installed, i.e., the newest version satisfying the version constraint), and the direct dependency invenio-records-permissions 0.7.0 transitively introduces invenio-records-files >=1.2.0,<1.3.0.
Obviously, there are multiple version constraints set for invenio-records-files in this project. However, according to pip's “first found wins” installation strategy, invenio-records-files 1.2.1 (i.e., the newest version satisfying constraint >=1.2.1,<1.3.0) is the actually installed version.
Although the first found package version, invenio-records-files 1.2.1, just satisfies the later dependency constraint (invenio-records-files >=1.2.1,<1.3.0), this installed version is very close to the upper bound of the version constraint of invenio-records-files specified by invenio-records-permissions 0.7.0.
Once invenio-records-permissions upgrades, its newest version will be installed, as invenio-rdm-records does not specify the upper bound of the version constraint for invenio-records-permissions. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded invenio-records-permissions version introduces a higher version of invenio-records-files, violating its other version constraint >=1.2.1,<1.3.0.
According to the release history of invenio-records-permissions, it habitually upgrades invenio-records-files in its recent releases. For instance, invenio-records-permissions 0.7.0 upgraded invenio-records-files's constraint from * to ==1.1. , and invenio-records-permissions 0.7.1 upgraded invenio-records-files's constraint from ==1.1.1 to >=1.2.0,<1.3.0.
As such, it is a warm warning of a potential dependency conflict issue for invenio-rdm-records.
Dependency tree
Thanks for your help. Best, Neolith
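The overlap check described in the report, as an added example that is not part of the thread or of the Invenio code base. It intersects the two constraints on invenio-records-files quoted above and does not model pip's resolver. The candidate version list and the later invenio-records-permissions constraint are hypothetical values constructed for illustration.

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}

# Constraints on invenio-records-files quoted in the issue above.
CONSTRAINTS = {
    "invenio-rdm-records": ">=1.2.1,<1.3.0",
    "invenio-records-permissions 0.7.0": ">=1.2.0,<1.3.0",
}
# Constructed: candidate versions, and a hypothetical later release of
# invenio-records-permissions that moves to the next minor series.
CANDIDATES = ["1.2.0", "1.2.1", "1.3.0"]
AFTER_UPGRADE = {
    "invenio-rdm-records": ">=1.2.1,<1.3.0",
    "invenio-records-permissions (hypothetical)": ">=1.3.0,<1.4.0",
}

def parse_version(text):
    """'1.2' -> (1, 2, 0, 0); padding makes 1.2 and 1.2.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_spec(spec):
    """'>=1.2.0,<1.3.0' -> [(operator.ge, (1,2,0,0)), (operator.lt, (1,3,0,0))]."""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*(\d+(?:\.\d+){0,3})\s*", clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((OPS[m.group(1)], parse_version(m.group(2))))
    return clauses

def satisfies(version, spec):
    v = parse_version(version)
    return all(op(v, bound) for op, bound in parse_spec(spec))

def jointly_installable(candidates, constraints):
    """Candidates accepted by every requirer; an empty list means conflict."""
    return [c for c in candidates
            if all(satisfies(c, spec) for spec in constraints.values())]

def report(candidates, constraints):
    ok = jointly_installable(candidates, constraints)
    return "ok: " + ", ".join(ok) if ok else "conflict"

if __name__ == "__main__":
    print(report(CANDIDATES, CONSTRAINTS))
    print(report(CANDIDATES, AFTER_UPGRADE))
```

Run in CI against the constraints of each new dependency release, a check like this reports the conflict before an install fails.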