The dependency specifiers are too relaxed

[kuraga]

Good day!

We have dependency specifiers in such way:

flask/pyproject.toml

Lines 22 to 24 in b90a4f1

	dependencies = [
	"Werkzeug>=3.0.0",
	"Jinja2>=3.1.2",

But indeed Werkzeug>=3.0.0 should be Werkzeug>=3.0.0,<4 or Werkzeug>=3.0.0,<3.1 or Werkzeug==3.0.0, etc.

Got it when I installed flask==2.0.2 and got an incompatible Werkzeug==3.0.2 along.

Thanks!

[ThiefMaster]

You are not supposed to install old versions in new projects - and in old projects you are supposed to have pinned your transitive dependencies. There are MANY other issues with some useful links on that topic.

[kuraga]

But these issue could be fixed by... just being correct, couldn't?

https://github.com/pallets/flask/blob/3.0.2/pyproject.toml#L23 says: the flask 3.0.2 requires any version of Werkzeug greater than or equal to 3.0.0. And this statement is (just) false, isn't it?

Which reason to have a logically incorrect code instead of a correct one?

[davidism]

There is no way to change the metadata of existing releases. We can't go back and say "actually, 2.0.2 is only compatible with N". So even if we made a release that added a maximum version (we won't) it wouldn't fix you not being able to install the specific old version without specifying other dependency versions.

This is why, when starting development of an application, you use a tool such as pip-tools to pin your application's full dependency tree. This gives you reproducible deployments if you need to recreate the environment later.