Potential dependency conflicts between marathon-lb and urllib3

[NeolithEra]

Hi, marathon-lb directly and transitively introduced multiple versions of urllib3.

As shown in the following full dependency graph of marathon-lb, marathon-lb requires urllib3 (the latest version), while the installed version of requests(2.22.0) requires urllib3>=1.21.1,<1.26.

According to pip's “first found wins” installation strategy, urllib3 1.25.3 is the actually installed version.

Although the first found package version urllib3 1.25.3 just satisfies the later dependency constraint (urllib3>=1.21.1,<1.26), it will lead to a build failure once developers release a newer version of urllib3.

Dependency tree--------

marathon-lb(version range:)
| +-cryptography(version range:)
| +-pycurl(version range:)
| +-pyjwt(version range:==1.4.0)
| +-python-dateutil(version range:)
| +-requests(version range:)
| | +-chardet(version range:>=3.0.2,<3.1.0)
| | +-idna(version range:>=2.5,<2.9)
| | +-urllib3(version range:>=1.21.1,<1.26)
| | +-certifi(version range:>=2017.4.17)
| +-six(version range:)
| +-urllib3(version range:) 

Thanks for your attention. Best, Neolith

[NeolithEra]

Solution

1. Fix your direct dependencies to be urllib3>=1.21.1,<1.26 and requests==2.22.0, to remove this conflict. I have checked this revision will not affect your downstream projects now.

2. Remove your direct dependency urllib3, and use urllib3 transitively introduced by request.

@brndnmtthws Please let me know your choice. I can submit a PR to solve this issue. Build a good dependency ecosystem for python projects is our common goal ^_^.