The dependency specifiers are too relaxed #5414
Comments
You are not supposed to install old versions in new projects - and in old projects you are supposed to have pinned your transitive dependencies. There are MANY other issues with some useful links on that topic.
But this issue could be fixed by... just being correct, couldn't it? https://github.com/pallets/flask/blob/3.0.2/pyproject.toml#L23 says: What reason is there to have logically incorrect code instead of correct code?
There is no way to change the metadata of existing releases. We can't go back and say "actually, 2.0.2 is only compatible with N". So even if we made a release that added a maximum version (we won't) it wouldn't fix you not being able to install the specific old version without specifying other dependency versions. This is why, when starting development of an application, you use a tool such as pip-tools to pin your application's full dependency tree. This gives you reproducible deployments if you need to recreate the environment later.
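The pinning advice in the comment above can be checked mechanically. The following is an added example, not code from Flask or from this thread: it compares an environment against a lock file of exact pins (the kind pip-tools produces) and reports packages that are installed but unpinned or that drifted from the pin. All function names and the sample data are constructed for illustration.

```python
import re
from importlib import metadata

PIN = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*"
                 r"([A-Za-z0-9.!+_-]+)\s*(?:;.*)?")  # '==3.0.*' is not a pin

def canon(name):
    """PEP 503 normalisation, so 'Werkzeug' and 'werkzeug' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return ({name: version} for exact '==' pins, [lines that are not pins])."""
    pins, loose = {}, []
    joined = re.sub(r"\\\r?\n", " ", text)       # hash lines continue with '\'
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw)    # strip comments
        line = re.sub(r"\s--hash=\S+", "", line).strip()
        if not line or line.startswith("-"):     # blank, or a pip option (-r ...)
            continue
        m = PIN.fullmatch(line)
        if m:
            pins[canon(m.group(1))] = m.group(2)
        else:
            loose.append(line)
    return pins, loose

def installed_versions():
    """Snapshot of the running environment, for use on a real deployment."""
    return {canon(d.metadata["Name"]): d.version
            for d in metadata.distributions() if d.metadata["Name"]}

def audit(lock_text, installed):
    """Compare installed {name: version} against the lock file; list findings."""
    pins, loose = parse_pins(lock_text)
    findings = [f"not an exact pin: {line}" for line in loose]
    for name, ver in sorted((canon(n), v) for n, v in installed.items()):
        if name not in pins:
            findings.append(f"{name}=={ver} installed but absent from lock file")
        elif pins[name] != ver:
            findings.append(f"{name}: installed {ver}, locked {pins[name]}")
    return findings

# Constructed sample: only the top-level package was pinned, as in the issue.
SAMPLE_LOCK = "flask==2.0.2\n"
SAMPLE_ENV = {"Flask": "2.0.2", "Werkzeug": "3.0.2"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_ENV):
        print(finding)
```

On a real deployment, pass `installed_versions()` as the second argument; any finding means the environment cannot be recreated from the lock file alone.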
Good day!
We have dependency specifiers written this way:
flask/pyproject.toml
Lines 22 to 24 in b90a4f1
But indeed Werkzeug>=3.0.0 should be Werkzeug>=3.0.0,<4 or Werkzeug>=3.0.0,<3.1 or Werkzeug==3.0.0, etc.
Got it when I installed flask==2.0.2 and got an incompatible Werkzeug==3.0.2 along.
Thanks!