Closed kondensatorn closed 1 year ago
Hello, Christer! Nice to hear from you! Everything is fine! I will have a look at it!
I have a fix for this in the trunk. However, I have met issues during release. PyPI requires two-factor authentication, but that is hard to do when you haven't set it up, and you need to get into the account in order to set it up ... I have contacted PyPI in order to get support.
The fix is basically to adhere to the new method introduced in version 3 of the SemVer dependency. I hope that suits you well. I assume most uses of verso would be in a docker container that has control over its dependencies, so backward compatibility with SemVer should not be necessary.
Hi again!
If I understand correctly, with your current setup, the versions you pin in requirements.txt don't matter; as I understand it, they are not actually used when people run pip install. This is why I mentioned setup.py in my initial report.
So if I'm right, this would be a temporary fix, still using the latest and greatest dependencies on pip install, until we get another version that is not backwards compatible.
Yes, requirement.txt only affects the development and testing, not the end user. The fix of significance was to change the calls to in_valid(). Won’t that solve your issue?
As far as I know, pinning dependencies in setup.py is a bad practice since it increases the likelihood of not being able to resolve dependencies if the user has several applications that use the same dependency. I think that the root cause is rather that I haven’t kept the dependencies in my testing pipeline up-to-date and hence haven’t discovered the changes in the semver dependency.
Until I have managed to release a new version, I assume that a work-around for you is to explicitly install the semver dependency with a version below 3.0.0, just before the installation of verso.
I think the bad practice is to pin to exact versions; if you look here, for instance (that is a popular package 😄), it uses ranges for versions in setup.py.
I guess you are right. "requests" has, for example, required "charset_normalizer" to be less than version 4 even though version 4 is not yet released.
This is presumably to buy them time to adapt to version 4, if and when it arrives.
I have addressed your concern in https://github.com/tfagerlind/verso/commit/8810048707586f4c0a5db456e239a14662b0562f. A release is on its way but it is delayed because of the ongoing recovery of my account mentioned earlier in this thread.
A new version has now been released (0.1.2). Apart from various minor changes that only affect development, the package is now compatible, and only compatible, with the latest major of the semver dependency. In order to reduce the likelihood that a mismatch happens again, I have also put requirements on the majors of each required dependency. Thanks Christer for the error report and the provided advice. Don't hesitate to create a new issue if you encounter more problems. Closing ticket.
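The point discussed in the thread, that an install requirement without an upper bound lets pip select a new, incompatible major release, shown as an added example (not code from verso or from any participant in this thread). It handles only a simplified, stdlib-only subset of PEP 440 specifiers; example-dep and all version bounds are constructed for illustration.

```python
import re

# Simplified subset of PEP 440: numeric versions and these operators only.
_CLAUSE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")
_NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def _key(version, width=4):
    """Pad '3' to (3, 0, 0, 0) so that it compares equal to '3.0.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse(requirement):
    """Split 'semver>=3,<4' into ('semver', [('>=', '3'), ('<', '4')])."""
    name, rest = _NAME.match(requirement).groups()
    clauses = []
    for chunk in filter(None, (c.strip() for c in rest.split(","))):
        m = _CLAUSE.match(chunk)
        if not m:
            raise ValueError(f"unsupported clause: {chunk!r}")
        clauses.append(m.groups())
    return name, clauses


def admits(requirement, version):
    """True if `version` satisfies every clause of `requirement`."""
    v = _key(version)
    for op, bound in parse(requirement)[1]:
        b = _key(bound)
        if op == "~=":  # ~=1.4 means >=1.4 and ==1.*
            prefix = len(bound.split(".")) - 1
            ok = v >= b and v[:prefix] == b[:prefix]
        else:
            ok = {"==": v == b, "!=": v != b, "<": v < b,
                  "<=": v <= b, ">": v > b, ">=": v >= b}[op]
        if not ok:
            return False
    return True


def has_upper_bound(requirement):
    """True if some clause keeps a future major release from being picked."""
    return any(op in ("<", "<=", "==", "~=") for op, _ in parse(requirement)[1])

if __name__ == "__main__":
    # Constructed requirement strings; the bounds are illustrative.
    for req in ["semver", "semver>=2.13", "semver>=3,<4", "example-dep~=1.4"]:
        print(req, has_upper_bound(req), admits(req, "3.0.0"), admits(req, "4.0.0"))
```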
Hi Tomas, hope you've had a nice summer!
Verso doesn't want to play nicely anymore.
To recreate problem:
This crashes due to a non-compatible version of semver being installed.
This can probably be fixed by pinning versions in install_requires in setup.py, but then various other make targets begin to fail.
Problems I have found so far:
gitpython) with a known vulnerability
Assuming you will have opinions on the exact solutions to these problems, I gave up on creating a PR, settling for opening an issue instead.
Happy Hacking!