tink-crypto / tink-py

Python implementation of Tink
https://developers.google.com/tink
Apache License 2.0

Why the old urllib3 pinned version? #13

Closed darkvertex closed 1 year ago

darkvertex commented 1 year ago

Describe the bug:

It would be cool to know why the urllib3 version that is pinned as a requirement is such an old one?

In the real release, as per: https://github.com/tink-crypto/tink-py/blob/5934f47df29666ccadaa5ff4cc2ba626f82bcdf5/requirements.txt#L256 you pin it at urllib3==1.26.16 yet deeper in the repo you have a release_requirements.txt file with a newer version: https://github.com/tink-crypto/tink-py/blob/5934f47df29666ccadaa5ff4cc2ba626f82bcdf5/kokoro/release_requirements.txt#L271 at urllib3==2.0.2, almost the newest of 2.0.4.

I had upgraded from tink 1.7.0 and it downgraded urllib3 in my project in the process.

What version of Tink are you using?

1.8.0

morambro commented 1 year ago

> It would be cool to know why the urllib3 version that is pinned as a requirement is such an old one?

This is a transitive dependency. google-auth requires urllib3<2.0, so pip-compile selects the highest that satisfies this constraint when generating requirements.txt. google-auth is a new dependency needed by the Python native Google Cloud KMS extension.

Note that when you install tink via pip install, transitive dependencies will be resolved by pip and not pinned to requirements.txt; the constraints Tink declares are in requirements.in.

> yet deeper in the repo you have a release_requirements.txt file with a newer version:

These are dependencies required by our release tooling, so it doesn't have the same constraints.
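The answer above hinges on reading the `# via` annotations that pip-compile writes into a generated requirements.txt and then checking the dependents' own version constraints. The following is an added example, not code from the tink-py project: it parses a constructed requirements.txt snippet in pip-compile's output format, and checks a candidate pin against the constraints its dependents declare. The only constraint taken from this thread is google-auth's `urllib3<2.0`; the requests constraint, the pinned versions of google-auth and requests, and the `DECLARED_CONSTRAINTS` table are assumptions standing in for what `pip show <package>` would report.

```python
"""Trace why a pin in a pip-compile generated requirements.txt is what it is.

Added example; not part of tink-py. The sample file and the constraint table
below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in pip-compile's output format (not Tink's real file).
SAMPLE_REQUIREMENTS_TXT = """\
#
# This file is autogenerated by pip-compile
#
google-auth==2.22.0
    # via -r requirements.in
requests==2.31.0
    # via -r requirements.in
urllib3==1.26.16
    # via
    #   google-auth
    #   requests
"""

# Constructed upstream constraints, as one would read them from each
# dependent's metadata (Requires-Dist). google-auth's "<2.0" is the one
# stated in the thread; the requests entry is an assumption.
DECLARED_CONSTRAINTS: Dict[str, Dict[str, str]] = {
    "google-auth": {"urllib3": "<2.0"},
    "requests": {"urllib3": ">=1.21.1,<3"},
}


@dataclass
class Pin:
    name: str
    version: str
    via: List[str] = field(default_factory=list)  # who pulled this package in


def parse_compiled_requirements(text: str) -> Dict[str, Pin]:
    """Parse `name==version` lines and the indented `# via ...` comments under them."""
    pins: Dict[str, Pin] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "#")):
            m = re.match(r"^([A-Za-z0-9_.\-]+)==(\S+)", line)
            if not m:
                continue
            current = Pin(m.group(1).lower(), m.group(2))
            pins[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            continue  # header comments at column 0 belong to no pin
        comment = line.strip().lstrip("#").strip()
        if comment == "via":
            continue  # multi-line form: dependents follow on their own lines
        if comment.startswith("via "):
            comment = comment[4:].strip()  # single-line form: "# via google-auth"
        if comment:
            current.via.append(comment)
    return pins


def _vtuple(version: str):
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _cmp(a, b) -> int:
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause of `specifier`."""
    for clause in specifier.split(","):
        m = re.match(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not _OPS[m.group(1)](_cmp(_vtuple(version), _vtuple(m.group(2)))):
            return False
    return True


def blocking_constraints(pins: Dict[str, Pin], constraints: Dict[str, Dict[str, str]],
                         package: str, candidate: str) -> Dict[str, str]:
    """Return the dependents whose declared constraint rules out `candidate`."""
    blockers: Dict[str, str] = {}
    for dependent in pins[package].via:
        if dependent.startswith("-r"):
            continue  # direct requirement from requirements.in, not a transitive one
        spec = constraints.get(dependent, {}).get(package)
        if spec and not satisfies(candidate, spec):
            blockers[dependent] = spec
    return blockers


if __name__ == "__main__":
    pins = parse_compiled_requirements(SAMPLE_REQUIREMENTS_TXT)
    print("urllib3 pinned at", pins["urllib3"].version, "via", pins["urllib3"].via)
    print("what blocks urllib3==2.0.4:",
          blocking_constraints(pins, DECLARED_CONSTRAINTS, "urllib3", "2.0.4"))
```

Running it on a real pip-compile output is a matter of replacing the constructed string with the file contents and filling the constraint table from each dependent's metadata; the `# via` lines are the audit trail that tells you which dependent, not the project itself, is holding a transitive package back.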

darkvertex commented 1 year ago

Ahhh, I had not seen the requirements.in. Thank you for the explainer.