Potential dependency conflicts between plaso, chardet, idna and urllib3 when using pip #2729
Comments
Solution
I have checked that this revision will not affect your downstream projects now.
@joachimmetz Please let me know your choice. I can submit a PR to solve this issue.
@NeolithEra what installation method are you referring to? It seems like requirements.txt, which we explicitly discourage. Per: https://plaso.readthedocs.io/en/latest/sources/developer/Developing-Virtualenv.html
Pinning to exact versions is such a bad practice for many reasons.
Remove from where? requirements.txt?
@joachimmetz When users use I mean that maybe we can remove direct dependencies to be chardet>=3.0.2,<3.1.0, idna>=2.5,<2.9, urllib3>=1.21.1,<1.26 and requests==2.22.0 from requirement.txt.
As I said we don't recommend using this installation method in the first place, especially due to issues like these. I'll have a look, as you proposed, to remove direct dependency on chardet, urllib3 and idna, and use them transitively.
Pending changes, closing.
Hi, plaso directly and transitively introduced multiple versions of chardet, idna and urllib3.
As shown in the following full dependency graph of plaso, plaso requires chardet (the latest version), while the installed version of requests (2.22.0) requires chardet>=3.0.2,<3.1.0, urllib3>=1.21.1,<1.26 and idna>=2.5,<2.9.
According to pip's “first found wins” installation strategy, chardet 3.0.4, urllib3 1.25.3 and idna 2.8 are the actually installed versions.
Although the first found package versions chardet 3.0.4, urllib3 1.25.3 and idna 2.8 just satisfy their corresponding later dependency constraints (chardet>=3.0.2,<3.1.0), (urllib3>=1.21.1,<1.26) and (idna>=2.5,<2.9), it will lead to a build failure once developers release a newer version of chardet, urllib3 and idna.
Dependency tree--------
Thanks for your attention.
Best,
Neolith
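The "first found wins" behaviour described in the issue can be reproduced with a small simulation. This is an added example, not code from plaso or pip; the package index contents, the requirement order and the newer releases (chardet 3.1.0, idna 2.9, urllib3 1.26) are constructed for illustration, and the version parsing is simplified rather than full PEP 440.

```python
import re

OPS = {">=": lambda a, b: a >= b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}

def parse_version(text):
    # Simplified: dotted numeric versions only (not full PEP 440).
    return tuple(int(part) for part in text.split("."))

def satisfies(version, spec):
    # spec is a comma-separated constraint such as ">=2.5,<2.9"; "" means any.
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, bound = re.fullmatch(r"(>=|==|<)(.+)", clause).groups()
        if not OPS[op](parse_version(version), parse_version(bound)):
            return False
    return True

def first_found_wins(requirements, index):
    """Pick a version at the first mention of each package, then report
    every requirement that the already-chosen version fails to meet."""
    chosen = {}
    for name, spec, _ in requirements:
        if name not in chosen:  # later constraints never revisit this choice
            candidates = [v for v in index[name] if satisfies(v, spec)]
            chosen[name] = max(candidates, key=parse_version)
    conflicts = [(name, chosen[name], spec, by) for name, spec, by in requirements
                 if not satisfies(chosen[name], spec)]
    return chosen, conflicts

# Constructed from the issue text: unpinned direct dependencies are seen
# first, the constraints of requests 2.22.0 are seen afterwards.
REQUIREMENTS = [
    ("chardet", "", "plaso"), ("idna", "", "plaso"), ("urllib3", "", "plaso"),
    ("requests", "==2.22.0", "plaso"),
    ("chardet", ">=3.0.2,<3.1.0", "requests 2.22.0"),
    ("urllib3", ">=1.21.1,<1.26", "requests 2.22.0"),
    ("idna", ">=2.5,<2.9", "requests 2.22.0"),
]
# Constructed index snapshots: as in the issue, and after newer releases.
INDEX_TODAY = {"chardet": ["3.0.2", "3.0.4"], "idna": ["2.5", "2.8"],
               "urllib3": ["1.21.1", "1.25.3"], "requests": ["2.22.0"]}
INDEX_LATER = dict(INDEX_TODAY, chardet=["3.0.4", "3.1.0"],
                   idna=["2.8", "2.9"], urllib3=["1.25.3", "1.26"])

if __name__ == "__main__":
    for label, index in (("today", INDEX_TODAY), ("after new releases", INDEX_LATER)):
        chosen, conflicts = first_found_wins(REQUIREMENTS, index)
        print(label, chosen)
        for name, got, spec, by in conflicts:
            print(f"  conflict: {by} needs {name}{spec}, installed {got}")
```

With today's index the chosen versions happen to satisfy the constraints of requests; with the later index the unpinned direct dependencies resolve first and all three constraints are violated.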