Requests and Twine have conflicting urllib3 requirements since 2.0.0a #981

Closed
asciifaceman opened this issue Mar 9, 2023 · 3 comments

Comments

@asciifaceman

Your Environment

Thank you for taking the time to report an issue.

To more efficiently resolve this issue, we'd like to know some basic information about your system and setup.

  1. Your operating system:

Ubuntu 20.04.5 LTS

  2. Version of python you are running:
python --version

Python 3.8.10

  3. How did you install twine? Did you use your operating system's package manager or pip or something else?

venv + setup.py

I realize setup.py is largely deprecated, however it's still widely in use.

The Issue

urllib3 started introducing a 2.0.0a pre-release branch to PyPI as of November 2022.

requests and many other projects specify an upper bound, such as https://github.com/psf/requests/blob/main/setup.py#L64

urllib3>=1.21.1,<1.27

and twine does not set an upper bound

urllib3>=1.26.0

Python doesn't handle this dependency situation on its own, which leads to urllib3 2.0.0 being installed, which is out of bounds for requests.

Steps to Reproduce

If the issue is predictable and consistently reproducible, please list the steps here.

    install_requires=[
        'twine',
        'requests',
    ],

error: urllib3 2.0.0a3 is installed but urllib3<1.27,>=1.21.1 is required by {'requests'}

    install_requires=[
        'requests',
        'twine',
    ],

error: urllib3 2.0.0a3 is installed but urllib3<1.27,>=1.21.1 is required by {'requests'}

Post Script

Now of course I realize twine might support 2.0 and beyond, but given it depends on requests itself this may cause issues anyways for some.

We were able to resolve this locally by defining our own urllib3 dependency with upper bounds but this is dependency smell in the long run. I don't necessarily know if it is twine's responsibility to set an upper bound and there is no accusation implied in this, but I would love to see some input on if others have seen this behavior.
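The conflict reported above can be checked mechanically. This is an added example, not code from twine, requests or the issue author: it evaluates the two urllib3 bounds quoted in the issue against a candidate version using the `packaging` library. The candidate list is constructed (only 2.0.0a3 appears in the issue), and the function names are hypothetical.

```python
# Added example: not code from twine, requests, or the issue author.
try:
    from packaging.specifiers import SpecifierSet
    from packaging.version import Version
except ImportError:  # fall back to the copy vendored inside pip
    from pip._vendor.packaging.specifiers import SpecifierSet
    from pip._vendor.packaging.version import Version

# urllib3 bounds as quoted in the issue.
DECLARED = {
    "requests": SpecifierSet(">=1.21.1,<1.27"),
    "twine": SpecifierSet(">=1.26.0"),
}

# Constructed candidate list; only 2.0.0a3 is named in the issue.
CANDIDATES = ["1.25.11", "1.26.0", "1.26.15", "1.27.0", "2.0.0a3"]


def violated_by(version, declared=DECLARED):
    """Return sorted names of packages whose urllib3 bound rejects `version`."""
    return sorted(
        name for name, spec in declared.items()
        # prereleases=True: judge the version on its bounds alone, the way an
        # already-installed pre-release is judged.
        if not spec.contains(version, prereleases=True)
    )


def combined(declared=DECLARED):
    """Intersect every declared bound into one specifier set."""
    result = SpecifierSet()
    for spec in declared.values():
        result &= spec
    return result


def pick(candidates=CANDIDATES, declared=DECLARED):
    """Highest candidate acceptable to all dependents, or None if none fits."""
    spec = combined(declared)
    ok = [Version(c) for c in candidates if spec.contains(c, prereleases=True)]
    return str(max(ok)) if ok else None


if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(candidate, "violates:", violated_by(candidate) or "nothing")
    print("combined bound:", combined(), "-> pick", pick())
```

twine's open-ended bound accepts 2.0.0a3 while requests' upper bound rejects it, which is the same mismatch the setup.py error message reports.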

@sigmavirus24
Member

I'm not sure that twine needs an explicit dependency on urllib3. Requests isn't about to drop it as a dependency and the usage of urllib3 is purely to pass in advanced settings to Requests. I would suggest we do it from our requirements alright.

@asciifaceman
Author

I will note this issue doesn't appear using project management such as Hatch which performs proper dependency resolution, but it does cause issues on simple setup.py setups etc.

@pquentin

I think this can be closed now that requests and requests-toolbelt support urllib3 2.0: #989 (comment)
