Open NeolithEra opened 4 years ago
Hi @NeolithEra,
Thank you! However, it seems to be a non-issue to me. I do not agree with any of the above 3 solutions. I'd change django-formtools in the requirements.txt from `django-formtools>=1.0` to `django-formtools>=2.2` to keep updated (you're welcome to submit a pull request if you'd like).
The only time the installation would break is when a new release of django-formtools drops support for Django 2.2. From their release history, that is unlikely as long as Django 2.2 hasn't reached the end of extended support. When that happens, the latest version of Tendenci would already move to Django 3.2LTS or later.
By the way, what package do you use to generate that dependency tree? The `pipdeptree` didn't give me the warning regarding django-formtools. There is a warning about "botocore" though, which is a known issue to be resolved.
We have to explicitly specify the lower bound and upper bound for Django like this: `Django>=2.2.12,<3.0` to ensure that the Django installed is the latest secure version and supported by Tendenci. We apparently cannot remove the direct dependency on django and let other dependency packages like django-formtools list it as an indirect dependency.
To be extremely safe, we can just pin django-formtools to 2.2: `django-formtools==2.2`. This applies to all other dependency packages. The downside of explicit pinning is that we don't receive updates. But we can periodically check and update accordingly. Thoughts?
Hi, as shown in the following full dependency graph of tendenci, tendenci requires django >=2.2.12,<3.0, tendenci requires django-formtools >=1.0 (django-formtools 2.2 will be installed, i.e., the newest version satisfying the version constraint), and direct dependency django-formtools 2.2 transitively introduces django >=1.11.
Obviously, there are multiple version constraints set for django in this project. However, according to pip's "first found wins" installation strategy, django 2.2.12 (i.e., the newest version satisfying constraint >=2.2.12,<3.0) is the version actually installed.
Although the first found package version django 2.2.12 just satisfies the later dependency constraint (django >=2.2.12,<3.0), such an installed version is very close to the upper bound of the version constraint of django specified by django-formtools 2.2.
Once django-formtools upgrades, its newest version will be installed, as tendenci does not specify the upper bound of the version constraint for django-formtools. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded django-formtools version introduces a higher version of django, violating its other version constraint >=2.2.12,<3.0.
According to the release history of django-formtools, it habitually upgrades Django in its recent releases. For instance, django-formtools 2.2 upgraded Django's constraint from >=1.7 to >=1.8, and django-formtools 2.2 upgraded Django's constraint from >=1.8 to >=1.11.
As such, it is a warm warning of a potential dependency conflict issue for tendenci.
Dependency tree
Thanks for your help. Best, Neolith
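The "first found wins" resolution that both posts discuss, as an added example (not code from the Tendenci project or from either poster): a small Python model that picks the Django version tendenci's direct pin selects and reports any transitive constraint, such as the one django-formtools carries, that this version would violate. The Django release list and the future django-formtools constraint are constructed for the demo, and only numeric dotted versions are handled.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Comparison operators accepted in a PEP 440-style clause (numeric versions only).
OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def parse_version(text: str) -> Tuple[int, ...]:
    # "2.2.12" -> (2, 2, 12, 0); padding makes 2.2 and 2.2.0 compare equal.
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def satisfies(version: str, specifier: str) -> bool:
    # specifier is a comma-separated clause list such as ">=2.2.12,<3.0"; every clause must hold.
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        m = re.fullmatch(r"(>=|<=|==|!=|>|<)\s*([\d.]+)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True

def pick_version(direct_spec: str, available: Iterable[str]) -> Optional[str]:
    # pip's "first found wins": the direct requirement is seen first, so the
    # newest available version satisfying it is the one that gets installed.
    matching = [v for v in available if satisfies(v, direct_spec)]
    return max(matching, key=parse_version) if matching else None

def check_conflicts(direct_spec: str, transitive_specs: Dict[str, str],
                    available: Iterable[str]) -> Tuple[Optional[str], Dict[str, str]]:
    # Returns the version the direct pin selects plus every transitive
    # constraint that version violates (an empty dict means no conflict).
    chosen = pick_version(direct_spec, list(available))
    if chosen is None:
        return None, dict(transitive_specs)
    return chosen, {who: spec for who, spec in transitive_specs.items()
                    if not satisfies(chosen, spec)}

# Constructed Django release list for the demo (a subset of real version numbers).
DJANGO_RELEASES = ["1.11.29", "2.1.15", "2.2.11", "2.2.12", "3.0.5"]

if __name__ == "__main__":
    pin = ">=2.2.12,<3.0"  # tendenci's direct Django constraint, from the issue
    print(check_conflicts(pin, {"django-formtools 2.2": ">=1.11"}, DJANGO_RELEASES))
    # Hypothetical future django-formtools release that drops Django 2.2 support:
    print(check_conflicts(pin, {"django-formtools (future)": ">=3.0"}, DJANGO_RELEASES))
```

The second call is the case the issue warns about: the direct pin still selects 2.2.12, but a transitive constraint that moved past 3.0 is now violated, which is exactly what an upper bound or an exact pin on django-formtools would catch at review time.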