onespacemedia / cms

A collection of Django extensions that add content-management facilities to Django projects.
BSD 3-Clause "New" or "Revised" License

Potential dependency conflicts between onespacemedia-cms and django #200

Open NeolithEra opened 4 years ago

NeolithEra commented 4 years ago

Hi, as shown in the following full dependency graph of onespacemedia-cms, onespacemedia-cms requires django >=1.11,<2.3, onespacemedia-cms requires django-reversion (django-reversion 3.0.7 will be installed, i.e., the newest version satisfying the version constraint), and direct dependency django-reversion 3.0.7 transitively introduces django >=1.2.0,<1.3.0.

Obviously, there are multiple version constraints set for django in this project. However, according to pip's “first found wins” installation strategy, django 2.2.12 (i.e., the newest version satisfying constraint >=1.11,<2.3) is the actually installed version.

Although the first found package version django 2.2.12 just satisfies the later dependency constraint (django >=1.11,<2.3), this installed version is very close to the upper bound of the version constraint of django specified by django-reversion 3.0.7.

Once django-reversion upgrades, its newest version will be installed, as onespacemedia-cms does not specify an upper bound on the version constraint for django-reversion. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded django-reversion version introduces a higher version of django, violating its other version constraint >=1.11,<2.3.

According to the release history of django-reversion, it habitually upgrades Django in its recent releases. For instance, django-reversion 1.10.2 upgraded Django’s constraint from >=1.7 to >=1.8, and django-reversion 3.0.1 upgraded Django’s constraint from >=1.8 to >=1.11.

As such, it is a warm warning of a potential dependency conflict issue for onespacemedia-cms.

Dependency tree

onespacemedia-cms - 4.4.5
| +- beautifulsoup4(install version:4.9.0 version range:*)
| | +- soupsieve(install version:2.0 version range:>1.2)
| | | +- backports.functools_lru_cache (install version: version range:*)
| +- django(install version:2.2.12 version range:>=1.11,<2.3)
| | +- pytz(install version:2019.3 version range:*)
| | +- sqlparse(install version:0.3.1 version range:*)
| +- django-historylinks(install version:1.1.1 version range:*)
| | +- django(install version:2.2.12 version range:>=1.7)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse(install version:0.3.1 version range:*)
| +- django-jinja(install version:2.4.1 version range:==2.4.1)
| | +- django (install version:3.0.5 version range:>=1.8)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| | +- jinja2 (install version:2.11.2 version range:>=2.5)
| | | +- MarkupSafe(install version:2.0.0a1 version range:>=0.23)
| +- django-reversion(install version:3.0.7 version range:*)
| | +- django(install version:2.2.12 version range:>=1.11)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse(install version:0.3.1 version range:*)
| +- django-watson(install version:1.5.5 version range:*)
| +- jinja2(install version:2.10.1 version range:==2.10.1)
| | +- markupsafe(install version:2.0.0a1 version range:>=0.23)
| +- pillow(install version:7.1.1 version range:*)
| +- python-magic(install version:0.4.15 version range:*)
| +- python-magic(install version:0.4.15 version range:==0.4.15)
| +- requests(install version:2.23.0 version range:*)
| | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | +- idna(install version:2.9 version range:>=2.5,<3)
| | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
| +- sorl-thumbnail(install version:12.6.3 version range:*)
| +- tinypng(install version:3.0.0 version range:*)
| | +- docopt(install version:0.6.2 version range:>=0.6)
| | +- requests(install version:2.23.0 version range:>=2.0)
| | | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | | +- idna(install version:2.9 version range:>=2.5,<3)
| | | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)

Thanks for your help. Best, Neolith
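
An added example (not part of the issue thread or the project's code): a small Python check of the django ranges listed in the dependency tree above, reporting which candidate versions every requirer accepts and which requirer rejects a given version. The parser handles only plain numeric versions and the operators seen in the tree; the `>=3.0` bound used in the demo is a constructed, hypothetical future constraint.

```python
import re

# Constraints on django, copied from the dependency tree in the issue above.
DJANGO_CONSTRAINTS = {
    "onespacemedia-cms": ">=1.11,<2.3",
    "django-historylinks": ">=1.7",
    "django-jinja": ">=1.8",
    "django-reversion": ">=1.11",
}

OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(text):
    """'2.2.12' -> (2, 2, 12, 0); zero-padded so that 2.3 == 2.3.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def satisfies(version, spec):
    """True if version meets every comma-separated clause ('*' means any)."""
    if spec.strip() in ("", "*"):
        return True
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def violated_by(version, constraints):
    """Sorted names of requirers whose django range excludes this version."""
    return sorted(n for n, s in constraints.items() if not satisfies(version, s))

def installable(candidates, constraints):
    """Candidates that every requirer accepts, in the order given."""
    return [c for c in candidates if not violated_by(c, constraints)]

if __name__ == "__main__":
    candidates = ["1.11", "2.2.12", "3.0.5"]  # versions that appear in the issue
    print("today:", installable(candidates, DJANGO_CONSTRAINTS))
    # Constructed scenario: a future django-reversion raises its lower bound.
    future = {**DJANGO_CONSTRAINTS, "django-reversion": ">=3.0"}
    print("future:", installable(candidates, future))
    print("2.2.12 rejected by:", violated_by("2.2.12", future))
```

An empty result from `installable` means no single django version satisfies all requirers, which is the build failure the issue warns about.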

NeolithEra commented 4 years ago

Suggested Solution

  1. Loosen the version range of django to be >=2.2.12.
  2. Remove your direct dependency django, and use the django transitively introduced by django-reversion.
  3. Change your direct dependency django-reversion to be <=3.0.7.

@etianen Which solution do you prefer, 1, 2 or 3? Please let me know your choice. May I pull a request to solve this issue?

etianen commented 4 years ago

Hi @NeolithEra. I no longer work at Onespacemedia, and this repo is a fork of my original (and now unmaintained) etianen-cms.

Hopefully the folks at Onespacemedia who maintain this fork will get back to you soon. I'm unsubscribing from this issue, as I'm not the person to ask, but I wanted you to know that I'm not ignoring your mention. :)