thorwolpert / flask-jwt-oidc


Unpin published dependencies #2

Closed jamielennox closed 5 years ago

jamielennox commented 5 years ago

The release version of the library is published to PyPI with the dependencies published in requirements/prod.txt, which as of now is:

click==6.7
ecdsa==0.13
Flask==1.0.2
future==0.16.0
itsdangerous==0.24
Jinja2==2.10
MarkupSafe==1.0
pyasn1==0.4.3
python-dotenv==0.8.2
python-jose==3.0.0
rsa==3.4.2
six==1.11.0
Werkzeug==0.14.1

This means if I put flask-jwt-oidc into my application requirements then it changes the version of flask in my application, and pins a bunch of versions for libraries flask-jwt-oidc isn't using directly.

Pinning dependencies is good for an end application; however, as a library author at best you should be as flexible as possible here, possibly with a required version.

This seems to be what requirements/prod.nover.txt is (with the exception of dotenv which is not actually a requirement).

Please make the published release less strict on requirements.

thorwolpert commented 5 years ago

I think it should now be closer to what you are describing. Thx!
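
As an added illustration of the conflict reported in this issue (not code from flask-jwt-oidc or from either commenter), the sketch below checks an application's requirements against the exact pins quoted above. `APP_REQUIREMENTS` is a constructed sample, and the simplified parser handles only plain `name<op>version` lines with numeric versions.

```python
import operator
import re

# Pins from requirements/prod.txt exactly as quoted in the issue.
LIBRARY_PINS = "\n".join((
    "click==6.7", "ecdsa==0.13", "Flask==1.0.2", "future==0.16.0",
    "itsdangerous==0.24", "Jinja2==2.10", "MarkupSafe==1.0", "pyasn1==0.4.3",
    "python-dotenv==0.8.2", "python-jose==3.0.0", "rsa==3.4.2", "six==1.11.0",
    "Werkzeug==0.14.1",
))

# Constructed sample: a hypothetical application's own requirements file.
APP_REQUIREMENTS = """\
flask-jwt-oidc
Flask==1.1.1
Werkzeug>=0.15
requests==2.22.0
"""

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
_REQ = re.compile(r"^([A-Za-z0-9._-]+)\s*(==|!=|>=|<=|>|<)?\s*([0-9][0-9.]*)?")


def parse(text):
    """Map normalized project name -> (operator, version) for simple lines."""
    reqs = {}
    for line in text.splitlines():
        match = _REQ.match(line.split("#", 1)[0].strip())
        if match:
            name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
            reqs[name] = (match.group(2), match.group(3))
    return reqs


def version_key(version):
    """Numeric release segments only, zero-padded; not full PEP 440."""
    parts = [int(p) for p in version.strip(".").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def conflicts(library_pins, app_requirements):
    """List (name, library pin, app spec) where the pin breaks the app's spec."""
    lib, app = parse(library_pins), parse(app_requirements)
    found = []
    for name, (op, wanted) in app.items():
        lib_op, pinned = lib.get(name, (None, None))
        if op and wanted and lib_op == "==" and pinned:
            if not OPS[op](version_key(pinned), version_key(wanted)):
                found.append((name, "==" + pinned, op + wanted))
    return found
```

Every entry returned is a package where the library's `==` pin cannot be satisfied together with the application's own specifier, which is the situation that forces either a downgrade or a failed install.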