Conversation
This is considered best practice and its lack is flagged by the Dockerfile linter.
Another good practice to follow is to update `pip` itself.
Contourpy is a transitive dependency. Version 1.3.3 needs Python 3.11. Something is bringing in version 1.3.3 even if I declare this package as unsafe at `pip-compile` time using the `--unsafe-package` argument. So far the only solution I've found is to put a version contraint in our requirements input file.
The package backports.asyncio.runner is a transitive dependency that should only be installed for Python < 3.11. It doesn't need to be in the requirements files we produce, and conversely, letting `pip-compile` include it leads to installation failures with some Python versions. We can tell `pip-compile` to omit it and this solves the problem.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
pavoljuhas
reviewed
Feb 24, 2026
pavoljuhas
reviewed
Feb 24, 2026
pavoljuhas
reviewed
Feb 24, 2026
pavoljuhas
requested changes
Feb 24, 2026
Contributor
pavoljuhas
left a comment
pavoljuhas
left a comment
There was a problem hiding this comment.
I think we should avoid pinning to a specific pip version; this seems to be a side effect of using the --unsafe-package option.
Can we avoid using that option? uv pip compile seems to be able to condition backports.asyncio.runner by Python version.
devenv
approved these changes
Mar 8, 2026
What's happening is that for maximum compatibility, we run run-pip-compile.py in Python 3.10 (see re-pip-compile-in-docker.sh). An unfortunate behavior of pip-compile is that any use of `--unsafe-packages` results in pip-compile no longer using its default list of unsafe packages, and thus, setuptools and pip end up in the output. So we have to add `--unsafe-package` for them too.
These are the latest files following the addition of more `--unsafe-package` flags in `run-pip-compile.sh`.
Per Pavol's suggestion, this is a better approach, and it lets us omit the `--unsafe-package` flag from run-pip-compile.sh.
Contributor
Author
You're right. I thought use the conditional spec in the input to pip-compile would not work, because I thought it was only something for pip, but it turns out it does work. I removed the unsafe stuff altogether. |
These are the latest files following the addition of more `--unsafe-package` flags in `run-pip-compile.sh`.
This can be handled in a better way.
pavoljuhas
approved these changes
Mar 12, 2026
mhucka
added a commit
that referenced
this pull request
Mar 12, 2026
This PR updates some dependencies as well as the scripts used to produce the various environment files, and updates the environment files themselves. * `dev_tools/requirements/deps/runtime.txt` needs to set some constraints on versions of some dependencies because higher versions of those dependencies require Python 3.11, which is incompatible with our goal of maintaining Python 3.10 compatibility (for now) * `dev_tools/requirements/re-pip-compile-in-docker.sh` needed an addition to prevent it including a certain Python package that is incompatible with Python 3.11+ * `dev_tools/requirements/Dockerfile` didn't do a `pip update -U pip`, but should; while at it, I added some options to pip to silence irrelevant warnings so that the logs are less noisy Note to reviewers: all of the `.txt` requirements files under `dev_tools/requirements/envs/` and `dev_tools/requirements/max_compat/` are solely the output of running `dev_tools/requirements/re-pip-compile-in-docker.sh`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR updates some dependencies as well as the scripts used to produce the various environment files, and updates the environment files themselves.
dev_tools/requirements/deps/runtime.txtneeds to set some constraints on versions of some dependencies because higher versions of those dependencies require Python 3.11, which is incompatible with our goal of maintaining Python 3.10 compatibility (for now)dev_tools/requirements/re-pip-compile-in-docker.shneeded an addition to prevent it including a certain Python package that is incompatible with Python 3.11+dev_tools/requirements/Dockerfiledidn't do apip update -U pip, but should; while at it, I added some options to pip to silence irrelevant warnings so that the logs are less noisyNote to reviewers: all of the
.txtrequirements files underdev_tools/requirements/envs/anddev_tools/requirements/max_compat/are solely the output of runningdev_tools/requirements/re-pip-compile-in-docker.sh.