mims-harvard / TDC

Therapeutics Commons (TDC-2): Multimodal Foundation for Therapeutic Science
https://tdcommons.ai
MIT License

Overwritten versions on PyPI #308

Closed basiekjusz closed 3 weeks ago

basiekjusz commented 3 weeks ago

Describe the bug
A newly published version of PyTDC 1.0.6 has replaced the old 1.0.6. This causes stability issues for the projects depending on this package, as right now I'm dealing with an inconsistent digest of the package within the poetry.lock file and dependency conflicts in the project I'm maintaining.

I can see that 1.0.6 was replaced a couple of hours ago on PyPI.

To Reproduce
Steps to reproduce the behavior:

  1. Installing pytdc==1.0.6 a couple of days ago resulted in a different package being installed than installing pytdc==1.0.6 today.

Expected behavior
Each release of the package on PyPI should result in a new version tag, as projects that depend on PyTDC suffer from such invisible changes.



Additional context
I'm using Poetry, which manages packages and notifies me if there are issues with package hashes. Thanks to that I was able to notice this change.
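The detection described in this report, a lock-file digest no longer matching the artifact served under the same version, is what hash pinning exists for. Below is an added example (not code from the TDC project or from anyone in this thread) that reimplements that check over constructed data: the lock entries and "wheel" bytes are made up stand-ins, and the filename only borrows the package name and version mentioned above.

```python
"""Check downloaded artifacts against the sha256 digests recorded in a lock file.

Added example, not part of PyTDC or this issue. LOCKED_FILES is a constructed
stand-in for the [package.files] entries of a poetry.lock; the wheel contents
are constructed byte strings, not real archives.
"""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of an artifact, the digest format lock files record."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact bytes: what was on the index when the lock was resolved,
# and what is served under the same filename after a silent re-upload.
ORIGINAL_WHEEL = b"PK\x03\x04 pytdc 1.0.6 original build (constructed)"
REPLACED_WHEEL = b"PK\x03\x04 pytdc 1.0.6 re-uploaded build (constructed)"

WHEEL_NAME = "pytdc-1.0.6-py3-none-any.whl"

# Constructed lock entries: filename -> digest pinned at resolution time.
LOCKED_FILES: Dict[str, str] = {WHEEL_NAME: sha256_hex(ORIGINAL_WHEEL)}


def verify_artifacts(locked: Dict[str, str], downloaded: Dict[str, bytes]) -> List[str]:
    """Return one problem string per failing artifact; an empty list means all match.

    A digest mismatch for an unchanged filename (hence unchanged version) is the
    overwritten-release case: same version tag, different bytes on the index.
    A pinned file that the index no longer serves shows up as missing.
    """
    problems: List[str] = []
    for name, expected in locked.items():
        data = downloaded.get(name)
        if data is None:
            problems.append(f"{name}: pinned in lock file but not available")
            continue
        actual = sha256_hex(data)
        if actual != expected:
            problems.append(
                f"{name}: digest mismatch (locked {expected[:12]}..., got {actual[:12]}...)"
            )
    return problems


if __name__ == "__main__":
    print(verify_artifacts(LOCKED_FILES, {WHEEL_NAME: ORIGINAL_WHEEL}))  # []
    for line in verify_artifacts(LOCKED_FILES, {WHEEL_NAME: REPLACED_WHEEL}):
        print(line)
```

The second call is the situation in this issue: the lock file is correct, the index changed, and the only safe outcomes are a build failure or a deliberate re-lock, never a silent pass.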

amva13 commented 3 weeks ago

Hi @basiekjusz . You are correct. This should have been a new version. For reasons we cannot disclose, the version 1.0.6 you've mentioned was deleted and will no longer be available. As such, even if we move the files for current 1.0.6 to, say, 1.0.7, we would not restore 1.0.6 as it was before this change. You will need to use a version with files present on PyPI. Current 1.0.6 is one such version.

amva13 commented 3 weeks ago

The digest is expected to be inconsistent given what I've outlined. Changing your poetry.lock to point to the new 1.0.6 digest should be stable moving forward, as we've always maintained standard behavior for package versioning. In this case, your poetry lock would have had to be updated either way, because previous 1.0.6 with the matching digest will not be made available.

amva13 commented 3 weeks ago

Self-assigned; will close at a later point if there are no further issues/questions.

basiekjusz commented 3 weeks ago

Yeah, I know that's why the digest is different. I meant that it made it easy for me to find out what happened. Can you let me know whether such occasions will happen again? I regularly rebuild images depending on your package, and events like this one greatly reduce stability, repeatability and trust 😞 The new version made me manually resolve dependency conflicts, and that's a PITA.

amva13 commented 3 weeks ago

Sorry for your problem! We hope not to run into a situation where we have to do something like this again.