tendenci / tendenci

Tendenci - The Open Source Association Management System (AMS)
https://www.tendenci.com

Potential dependency conflicts between tendenci and django #858

Open NeolithEra opened 4 years ago

NeolithEra commented 4 years ago

Hi, as shown in the following full dependency graph of tendenci, tendenci requires django >=2.2.12,<3.0 and django-formtools >=1.0 (django-formtools 2.2 will be installed, i.e., the newest version satisfying the version constraint), and the direct dependency django-formtools 2.2 transitively introduces django >=1.11.

Obviously, there are multiple version constraints set for django in this project. However, according to pip's "first found wins" installation strategy, django 2.2.12 (i.e., the newest version satisfying the constraint >=2.2.12,<3.0) is the version actually installed.

Although the first found package version, django 2.2.12, just satisfies the later dependency constraint (django >=2.2.12,<3.0), such an installed version is very close to the upper bound of the version constraint of django specified by django-formtools 2.2.

Once django-formtools upgrades, its newest version will be installed, as tendenci does not specify an upper bound of the version constraint for django-formtools. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded django-formtools version introduces a higher version of django, violating its other version constraint >=2.2.12,<3.0.

According to the release history of django-formtools, it habitually upgrades Django in its recent releases. For instance, django-formtools 2.2 upgraded Django's constraint from >=1.7 to >=1.8, and django-formtools 2.2 upgraded Django's constraint from >=1.8 to >=1.11.

As such, it is a warm warning of a potential dependency conflict issue for tendenci.

Dependency tree

tendenci  - 12.0.7
| +- anyjson(install version:0.3.3 version range:>=0.2.4)
| +- beautifulsoup4(install version:4.8.2 version range:==4.8.2)
| | +- soupsieve(install version:2.0 version range:>=1.2)
| | | +- backports.functools_lru_cache (install version: version range:*)
| +- bleach(install version:3.1.4 version range:>=3.1.4)
| | +- six(install version:1.14.0 version range:>=1.9.0)
| | +- webencodings(install version:0.5.1 version range:*)
| +- boto3(install version:1.12.8 version range:==1.12.8)
| | +- botocore(install version:1.15.49 version range:>=1.15.8,<1.16.0)
| | +- jmespath(install version:0.10.0 version range:>=0.7.1,<1.0.0)
| | +- s3transfer(install version:0.3.3 version range:>=0.3.0,<0.4.0)
| | | +- botocore(install version:1.15.49 version range:>=1.12.36,<2.0a.0)
| +- celery(install version:4.4.0 version range:==4.4.0)
| +- chardet(install version:3.0.4 version range:==3.0.4)
| +- configparser(install version:5.0.0 version range:*)
| +- createsend(install version:4.2.7 version range:==4.2.7)
| | +- six(install version:1.14.0 version range:>=1.10)
| +- dj-pagination(install version:2.4.0 version range:>=2.3.0)
| +- Django(install version:2.2.12 version range:>=2.2.12,<3.0)
| | +- pytz(install version:2019.3 version range:*)
| | +- sqlparse(install version:0.3.1 version range:*)
| +- django-annoying(install version:0.10.6 version range:*)
| | +- django(install version:2.2.12 version range:>=1.11)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| | +- six(install version:1.14.0 version range:*)
| +- django-app-namespace-template-loader(install version:0.4 version range:==0.4)
| | +- six(install version:1.14.0 version range:*)
| +- django-authority(install version:0.14 version range:>=0.4)
| | +- django(install version:2.2.12 version range:*)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| +- django-bootstrap-form(install version:3.4 version range:>=3.1,<4)
| | +- django(install version:2.2.12 version range:>=1.5)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| +- django-bootstrap3(install version:12.0.3 version range:==12.0.3)
| | +- autoflake(install version:1.3.1 version range:==1.3.1)
| | +- black(install version:19.10b0 version range:*)
| | | +- appdirs(install version:1.4.3 version range:*)
| | | +- attrs(install version:19.3.0 version range:>=18.1.0)
| | | +- click(install version:7.1.1 version range:>=6.5)
| | | +- pathspec(install version:0.8.0 version range:>=0.6,<1)
| | | +- regex(install version:2020.4.4 version range:*)
| | | +- toml(install version:0.10.0 version range:>=0.9.4)
| | | +- typed-ast(install version:1.4.1 version range:>=1.4.0)
| | +- coverage(install version:5.0 version range:==5.0)
| | +- django(install version:2.2.12 version range:==2.2.12)
| | +- docformatter(install version:1.3.1 version range:==1.3.1)
| | | +- untokenize(install version:0.1.1 version range:*)
| | +- flake8(install version:3.7.9 version range:==3.7.9)
| | +- isort(install version:4.3.21 version range:==4.3.21)
| | | +- backports-functools-lru-cache(install version:1.6.1 version range:*)
| | | +- futures(install version:3.3.0 version range:*)
| | +- pur(install version:5.3.0 version range:==5.3.0)
| | | +- click(install version:7.1.1 version range:>=0.7)
| | +- pydocstyle(install version:5.0.1 version range:==5.0.1)
| | | +- snowballstemmer(install version:2.0.0 version range:*)
| | +- tox(install version:3.14.2 version range:==3.14.2)
| | +- twine(install version:3.1.1 version range:==3.1.1)
| | +- wheel(install version:0.33.6 version range:==0.33.6)
| +- django-countries(install version:6.1.2 version range:>=4.4)
| +- django-debug-toolbar(install version:2.2 version range:>=1.9.1)
| | +- Django(install version:2.2.12 version range:>=1.11)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse(install version:0.3.1 version range:*)
| | +- sqlparse(install version:0.3.1 version range:>=0.2.0)
| +- django-form-utils(install version:1.0.3 version range:>=1.0.3)
| +- django-formtools(install version:2.2 version range:>=1.0)
| | +- django(install version:2.2.12 version range:>=1.11)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| +- django-haystack(install version:2.8.1 version range:==2.8.1)
| | +- django(install version:2.2.12 version range:>=1.11)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| +- django-localflavor(install version:1.4.1 version range:==1.4.1)
| | +- django(install version:2.2.12 version range:>=1.8)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| +- django-markdown-deux(install version:1.0.5 version range:*)
| +- django-nocaptcha-recaptcha(install version:0.0.20 version range:==0.0.20)
| +- django-picklefield(install version:2.1.1 version range:>=0.1.6)
| | +- django(install version:2.2.12 version range:>=1.11)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| +- django-ses(install version:0.8.14 version range:==0.8.14)
| | +- boto(install version:2.49.0 version range:>=2.31.0)
| | +- future(install version:0.18.2 version range:>=0.16.0)
| | +- pytz(install version:2019.3 version range:>=2016.10)
| +- django-simple-captcha(install version:0.5.12 version range:==0.5.12)
| +- django-sql-explorer(install version:1.1.3 version range:==1.1.3)
| | +- django(install version:2.2.12 version range:>=1.8.0)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| | +- six(install version:1.14.0 version range:>=1.10.0)
| | +- sqlparse(install version:0.3.1 version range:>=0.1.18)
| | +- unicodecsv(install version:0.14.1 version range:>=0.14.1)
| +- django-storages(install version:1.9.1 version range:==1.9.1)
| | +- Django(install version:2.2.12 version range:>=1.11)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse(install version:0.3.1 version range:*)
| +- django-tagging(install version:0.4.6 version range:==0.4.6)
| +- django-tastypie(install version:0.14.3 version range:==0.14.3)
| | +- dateutil(install version: version range:>=1.5)
| | +- python-dateutil(install version:2.8.1 version range:>=1.5)
| | +- python-mimeparse(install version:1.6.0 version range:>=0.1.4)
| +- django-timezone-field(install version:4.0 version range:==4.0)
| | +- django(install version:2.2.12 version range:>=2.2)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| | +- pytz(install version:2019.3 version range:*)
| +- docutils(install version:0.16 version range:==0.16)
| +- email-reply-parser(install version:0.5.9 version range:*)
| +- Embedly(install version:0.5.0 version range:>=0.5.0)
| | +- httplib2(install version:0.17.2 version range:*)
| +- feedparser(install version:6.0.0b3 version range:>=4.1)
| +- future(install version:0.18.2 version range:*)
| +- gevent(install version:1.4.0 version range:==1.4.0)
| +- gunicorn(install version:20.0.4 version range:==20.0.4)
| | +- setuptools(install version:46.1.3 version range:>=3.0)
| +- Markdown(install version:3.2.1 version range:*)
| | +- setuptools (install version:46.1.3 version range:>=36)
| +- mimeparse(install version:0.1.4 version range:>=0.1.3)
| +- nameparser(install version:1.0.6 version range:*)
| +- oauth2(install version:1.9.0.post1 version range:>=1.5.167)
| +- pdfminer.six(install version:20170720 version range:==20170720)
| +- Pillow(install version:7.0.0 version range:==7.0.0)
| | +- black(install version:19.10b0 version range:*)
| | | +- appdirs(install version:1.4.3 version range:*)
| | | +- attrs(install version:19.3.0 version range:>=18.1.0)
| | | +- click(install version:7.1.1 version range:>=6.5)
| | | +- pathspec(install version:0.8.0 version range:>=0.6,<1)
| | | +- regex(install version:2020.4.4 version range:*)
| | | +- toml(install version:0.10.0 version range:>=0.9.4)
| | | +- typed-ast(install version:1.4.1 version range:>=1.4.0)
| | +- check-manifest(install version:0.41 version range:*)
| | | +- pep517(install version:0.8.2 version range:*)
| | | | +- toml(install version:0.10.0 version range:*)
| | | +- toml(install version:0.10.0 version range:*)
| | +- coverage(install version:5.1 version range:*)
| | +- coveralls(install version:2.0.0 version range:*)
| | | +- coverage(install version:5.1 version range:>=4.1,<6.0)
| | | +- docopt(install version:0.6.2 version range:>=0.6.1)
| | | +- requests(install version:2.23.0 version range:>=1.0.0)
| | | | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | | | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | | | +- idna(install version:2.9 version range:>=2.5,<3)
| | | | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
| | +- jarn.viewdoc(install version:2.3 version range:*)
| | +- olefile(install version:0.46 version range:*)
| | +- pycodestyle(install version:2.5.0 version range:*)
| | +- pyflakes(install version:2.2.0 version range:*)
| | +- pyroma(install version:2.6 version range:*)
| | | +- docutils(install version:0.16 version range:*)
| | | +- pygments(install version:2.6.1 version range:*)
| | | +- setuptools(install version:46.1.3 version range:*)
| | +- pytest(install version:5.4.1 version range:*)
| | | +- atomicwrites(install version:1.3.0 version range:>=1.0)
| | | +- attrs(install version:19.3.0 version range:>=17.4.0)
| | | +- colorama(install version:0.4.3 version range:*)
| | | +- importlib-metadata(install version:1.6.0 version range:>=0.12)
| | | +- more-itertools(install version:8.2.0 version range:>=4.0.0)
| | | +- packaging(install version:20.3 version range:*)
| | | +- pathlib2(install version:2.3.5 version range:>=2.2.0)
| | | | +- six(install version:1.14.0 version range:*)
| | | +- pluggy(install version:0.13.1 version range:>=0.12,<1.0)
| | | | +- importlib-metadata(install version:1.6.0 version range:>=0.12)
| | | +- py(install version:1.8.1 version range:>=1.5.0)
| | | +- wcwidth(install version:0.1.9 version range:*)
| | +- pytest-cov(install version:2.8.1 version range:*)
| | | +- coverage(install version:5.1 version range:>=4.4)
| | | +- pytest(install version:5.4.1 version range:>=3.6)
| | | | +- atomicwrites(install version:1.3.0 version range:>=1.0)
| | | | +- attrs(install version:19.3.0 version range:>=17.4.0)
| | | | +- colorama(install version:0.4.3 version range:*)
| | | | +- importlib-metadata(install version:1.6.0 version range:>=0.12)
| | | | +- more-itertools(install version:8.2.0 version range:>=4.0.0)
| | | | +- packaging(install version:20.3 version range:*)
| | | | +- pathlib2(install version:2.3.5 version range:>=2.2.0)
| | | | +- pluggy(install version:0.13.1 version range:>=0.12,<1.0)
| | | | +- py(install version:1.8.1 version range:>=1.5.0)
| | | | +- wcwidth(install version:0.1.9 version range:*)
| | +- sphinx-rtd-theme(install version:0.4.3 version range:*)
| | | +- sphinx(install version:3.0.1 version range:*)
| | | | +- alabaster(install version:0.7.12 version range:>=0.7,<0.8)
| | | | +- babel(install version:2.8.0 version range:>=1.3)
| | | | +- docutils(install version:0.16 version range:>=0.12)
| | | | +- imagesize(install version:1.2.0 version range:*)
| | | | +- Jinja2(install version:2.11.2 version range:>=2.3)
| | | | +- packaging(install version:20.3 version range:*)
| | | | +- Pygments(install version:2.6.1 version range:>=2.0)
| | | | +- requests(install version:2.23.0 version range:>=2.5.0)
| | | | +- setuptools(install version:46.1.3 version range:*)
| | | | +- snowballstemmer(install version:2.0.0 version range:>=1.1)
| | | | +- sphinxcontrib-applehelp(install version:1.0.2 version range:*)
| | | | +- sphinxcontrib-devhelp(install version:1.0.2 version range:*)
| | | | +- sphinxcontrib-htmlhelp(install version:1.0.3 version range:*)
| | | | +- sphinxcontrib-jsmath(install version:1.0.1 version range:*)
| | | | +- sphinxcontrib-qthelp(install version:1.0.3 version range:*)
| | | | +- sphinxcontrib-serializinghtml(install version:1.1.4 version range:*)
| +- pisa(install version:3.0.33 version range:*)
| | +- html5lib(install version:1.0 version range:*)
| | | +- six(install version:1.14.0 version range:>=1.9)
| | | +- webencodings(install version:0.5.1 version range:*)
| | +- pil(install version:1.1.6 version range:*)
| | +- pypdf(install version:1.13 version range:*)
| +- psycopg2(install version:2.8.5 version range:>=2.8.4,<2.9)
| +- pycryptodome(install version:3.9.6 version range:==3.9.6)
| +- python-dateutil(install version:2.8.1 version range:==2.8.1)
| +- python-magic(install version:0.4.15 version range:*)
| +- pytz(install version:2019.3 version range:==2019.3)
| +- raven(install version:6.10.0 version range:==6.10.0)
| +- selenium(install version:3.141.0 version range:==3.141.0)
| +- simple-salesforce(install version:0.68.1 version range:==0.68.1)
| +- simplejson(install version:3.17.0 version range:>=2.0.9)
| +- six(install version:1.14.0 version range:*)
| +- stripe(install version:2.42.0 version range:==2.42.0)
| | +- requests (install version:2.23.0 version range:>=2.20)
| | | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | | +- idna(install version:2.9 version range:>=2.5,<3)
| | | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
| +- tendenci-django-admin-bootstrapped(install version:4.0 version range:>=4.0)
| | +- Django(install version:2.2.12 version range:>=1.11,<3.0)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse(install version:0.3.1 version range:*)
| | +- setuptools(install version:46.1.3 version range:*)
| +- unicodecsv(install version:0.14.1 version range:*)
| +- unidecode(install version:1.1.1 version range:*)
| +- webcolors(install version:1.11.1 version range:>=1.3.1)
| +- Whoosh(install version:2.7.4 version range:==2.7.4)
| +- xhtml2pdf(install version:0.2.2 version range:==0.2.2)
| | +- html5lib(install version:1.0 version range:>=1.0)
| | | +- six(install version:1.14.0 version range:>=1.9)
| | | +- webencodings(install version:0.5.1 version range:*)
| | +- httplib2(install version:0.17.2 version range:*)
| | +- pillow(install version:7.1.1 version range:*)
| | +- pypdf2(install version:1.26.0 version range:*)
| | +- reportlab(install version:3.5.42 version range:>=3.0)
| | | +- pillow(install version:7.1.1 version range:>=4.0.0)
| | +- six(install version:1.14.0 version range:*)
| +- xlrd(install version:1.2.0 version range:>=0.9.4)
| +- XlsxWriter(install version:0.9.6 version range:==0.9.6)
| +- xlwt(install version:1.3.0 version range:>=0.7.2)
| | +- coveralls(install version:2.0.0 version range:*)
| | | +- coverage(install version:5.1 version range:>=4.1,<6.0)
| | | +- docopt(install version:0.6.2 version range:>=0.6.1)
| | | +- requests(install version:2.23.0 version range:>=1.0.0)
| | | | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | | | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | | | +- idna(install version:2.9 version range:>=2.5,<3)
| | | | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
| | +- nose(install version:1.3.7 version range:*)
| | +- nose-cov(install version:1.6 version range:*)
| | +- nose-fixes(install version:1.3 version range:*)
| | | +- nose(install version:1.3.7 version range:*)
| | | +- setuptools(install version:46.1.3 version range:*)
| | +- panci(install version:0.0.2 version range:*)
| | | +- pyyaml(install version:5.3.1 version range:*)
| | +- pkginfo(install version:1.5.0.1 version range:*)
| | +- setuptools-git(install version:1.2 version range:*)
| | +- six(install version:1.14.0 version range:*)
| | +- sphinx(install version:3.0.1 version range:*)
| | | +- alabaster(install version:0.7.12 version range:>=0.7,<0.8)
| | | +- babel(install version:2.8.0 version range:>=1.3)
| | | | +- pytz(install version:2019.3 version range:>=2015.7)
| | | +- docutils(install version:0.16 version range:>=0.12)
| | | +- imagesize(install version:1.2.0 version range:*)
| | | +- Jinja2(install version:2.11.2 version range:>=2.3)
| | | | +- MarkupSafe(install version:2.0.0a1 version range:>=0.23)
| | | +- packaging(install version:20.3 version range:*)
| | | +- Pygments(install version:2.6.1 version range:>=2.0)
| | | +- requests(install version:2.23.0 version range:>=2.5.0)
| | | | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | | | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | | | +- idna(install version:2.9 version range:>=2.5,<3)
| | | | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
| | | +- setuptools(install version:46.1.3 version range:*)
| | | +- snowballstemmer(install version:2.0.0 version range:>=1.1)
| | | +- sphinxcontrib-applehelp(install version:1.0.2 version range:*)
| | | +- sphinxcontrib-devhelp(install version:1.0.2 version range:*)
| | | +- sphinxcontrib-htmlhelp(install version:1.0.3 version range:*)
| | | +- sphinxcontrib-jsmath(install version:1.0.1 version range:*)
| | | +- sphinxcontrib-qthelp(install version:1.0.3 version range:*)
| | | +- sphinxcontrib-serializinghtml(install version:1.1.4 version range:*)
| | +- tox(install version:3.14.6 version range:*)
| | +- twine(install version:3.1.1 version range:*)
| | +- wheel(install version:0.34.2 version range:*)

Thanks for your help. Best, Neolith

NeolithEra commented 4 years ago

Suggested Solution

  1. Loosen the version range of django to be >=2.2.12.
  2. Remove your direct dependency django, and use the django transitively introduced by django-formtools.
  3. Change your direct dependency django-formtools to be <=2.2.

@jennyq Which solution do you prefer, 1, 2 or 3? Please let me know your choice. May I submit a pull request to solve this issue?

jennyq commented 4 years ago

Hi @NeolithEra,

Thank you! However, it seems to be a non-issue to me. I do not agree with any of the above 3 solutions. I'd change django-formtools in the requirements.txt from django-formtools>=1.0 to django-formtools>=2.2 to keep updated (you're welcome to submit a pull request if you'd like).

The only time the installation would break is when a new release of django-formtools drops support for Django 2.2. From their release history, that is unlikely as long as Django 2.2 hasn't reached the end of extended support. When that happens, the latest version of Tendenci would already have moved to Django 3.2 LTS or later.

By the way, what package do you use to generate that dependency tree? pipdeptree didn't give me the warning regarding django-formtools. There is a warning about "botocore", though, which is a known issue to be resolved.

jennyq commented 4 years ago

We have to explicitly specify the lower bound and upper bound for Django, like this: Django>=2.2.12,<3.0, to ensure that the Django installed is the latest secure version and supported by Tendenci. We apparently cannot remove the direct dependency django and let other dependency packages like django-formtools list it as an indirect dependency.

To be extremely safe, we can just pin django-formtools to 2.2 (django-formtools==2.2). This applies to all other dependency packages. The downside of explicit pinning is that we don't receive updates, but we can periodically check and update accordingly. Thoughts?
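
The constraint check the thread argues about, as an added example that is not code from the issue or from the Tendenci project: it parses a few constructed lines in the same format as the graph pasted in the opening post, verifies that the one installed django satisfies every package that requires it, lists the upper bounds in play, and can test the scenario jennyq describes (a future django-formtools release that requires Django 3.x) before it lands. The function names (check, satisfies, constraints_on), the "future" label and the sample lines are assumptions made for this example.

```python
import re
# Constructed sample in the same format as the dependency graph pasted in the
# issue (only the edges that name django are reproduced here).
SAMPLE_TREE = """\
tendenci  - 12.0.7
| +- Django(install version:2.2.12 version range:>=2.2.12,<3.0)
| +- django-formtools(install version:2.2 version range:>=1.0)
| | +- django(install version:2.2.12 version range:>=1.11)
| +- tendenci-django-admin-bootstrapped(install version:4.0 version range:>=4.0)
| | +- Django(install version:2.2.12 version range:>=1.11,<3.0)
"""
# One edge of the graph: '| | +- name(install version:X version range:SPEC)'
LINE_RE = re.compile(r"^(?P<depth>(?:\| )*)\+- (?P<name>[\w.\-]+)\s*\(install version:\s*"
                     r"(?P<installed>[\w.+\-]*)\s*version range:\s*(?P<spec>[^)]*)\)")
OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
       "!=": lambda c: c != 0, ">": lambda c: c > 0, "<": lambda c: c < 0}

def cmp_versions(a, b):
    """-1/0/1 on the numeric dotted parts; shorter keys are zero-padded (2.2 == 2.2.0)."""
    key = lambda v: tuple(int(m.group()) for m in (re.match(r"\d+", p) for p in v.split(".")) if m)
    ka, kb = key(a), key(b)
    n = max(len(ka), len(kb))
    ka, kb = ka + (0,) * (n - len(ka)), kb + (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec ('*' means any)."""
    if spec.strip() in ("", "*"):
        return True
    for clause in spec.split(","):
        m = re.match(r"\s*(>=|<=|==|!=|>|<|=)\s*(\S+)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = m.groups()
        op = "==" if op == "=" else op  # the graph writes '=3.2' where pip writes '=='
        if not OPS[op](cmp_versions(version, target)):
            return False
    return True

def constraints_on(tree, package):
    """(requirer, installed version, spec) for every edge in the graph naming package."""
    stack, edges = [], []  # stack: node names by depth, so each edge knows its requirer
    for line in tree.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                stack = [line.split()[0]]  # root line: 'tendenci  - 12.0.7'
            continue
        depth = m["depth"].count("| ")
        stack = stack[:depth] + [m["name"]]
        if m["name"].lower() == package.lower():
            edges.append((stack[depth - 1], m["installed"], m["spec"].strip()))
    return edges

def check(tree, package, future_spec=""):
    """Does the installed version satisfy every requirer plus a hypothetical future_spec?"""
    edges = constraints_on(tree, package)
    version = next(v for _, v, _ in edges if v)
    violated = [(req, spec) for req, _, spec in edges if not satisfies(version, spec)]
    if future_spec and not satisfies(version, future_spec):  # e.g. a new django-formtools
        violated.append(("future", future_spec))
    uppers = [c.strip() for _, _, s in edges for c in s.split(",") if c.strip().startswith("<")]
    return {"installed": version, "requirers": [r for r, _, _ in edges],
            "upper_bounds": uppers, "violated": violated, "ok": not violated}
```

Running check(SAMPLE_TREE, "django") reports no violation for 2.2.12, while check(SAMPLE_TREE, "django", future_spec=">=3.0") flags the conflict a Django-3-only django-formtools would cause, which is the case worth adding to CI before bumping an unpinned dependency.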