[ https://issues.apache.org/jira/browse/TINKERPOP-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622898#comment-17622898 ]
Gunther Vogel commented on TINKERPOP-2810:
------------------------------------------

The problem I am coming from is that resolution of second-order dependencies does not work well: I am maintaining a library currently depending on aiohttp ~= 3.8 and awswrangler ~= 2.16. Now, the release of aiohttp 3.8.3 suddenly makes pip check fail because the constraint <= 3.8.1 coming in indirectly via awswrangler->gremlinpython is not taken into account when pip decides which aiohttp version to use.

Of course, variability in dependencies is a testing nightmare, but my currently preferred approach is to leave the pinning to the venv which will actually be deployed.

> gremlinpython aiohttp dependency requirement too strict
> -------------------------------------------------------
>
>                 Key: TINKERPOP-2810
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2810
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: python
>    Affects Versions: 3.6.1
>            Reporter: Gunther Vogel
>            Priority: Major
>
> Currently, the requirements specify aiohttp >= 3.8.0, <= 3.8.1, disallowing
> newer bugfix releases of aiohttp (current version is 3.8.3). Following the
> general semantic versioning rules, the upper bound should be <4.0.0 (disallow
> breaking changes).
> The current requirements are the result of TINKERPOP-2668 which only had the
> goal of avoiding the bug contained in versions <= 3.7.4.
> Fixing aiohttp at a non-current bugfix release step increases the maintenance
> effort needed to get an error-free overall library setup; in my case,
> gremlinpython is not even used directly, but just pulled in by awswrangler.
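The conflict described in this message, as an added example that is not part of the issue or of the gremlinpython code base: a small evaluator for a subset of PEP 440 specifiers (plain release versions only) that reports which requirer rejects a candidate aiohttp version, which is the kind of mismatch `pip check` flags. The name `my-library` is a placeholder, and the `PROPOSED` set assumes the lower bound stays at 3.8.0 with the upper bound changed to `<4.0.0`.

```python
import re

def parse_version(text):
    """Parse a plain release version such as '3.8.3' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))

def clause_allows(clause, version):
    """Evaluate one specifier clause (subset of PEP 440: ~= == != <= >= < >)."""
    match = re.fullmatch(r"\s*(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)\s*", clause)
    if not match:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, bound = match.group(1), parse_version(match.group(2))
    # Pad with zeros so that 3.8 and 3.8.0 compare as equal.
    width = max(len(version), len(bound))
    v = version + (0,) * (width - len(version))
    b = bound + (0,) * (width - len(bound))
    if op == "~=":
        # Compatible release: ~=3.8 means >=3.8 and ==3.*
        if len(bound) < 2:
            raise ValueError("~= needs at least two release segments")
        prefix = bound[:-1]
        return v >= b and v[:len(prefix)] == prefix
    return {"==": v == b, "!=": v != b, "<=": v <= b,
            ">=": v >= b, "<": v < b, ">": v > b}[op]

def allows(specifier, version):
    """True if every comma-separated clause accepts the version string."""
    parsed = parse_version(version)
    return all(clause_allows(c, parsed) for c in specifier.split(","))

def conflicts(version, constraints):
    """Names of the requirers whose specifier rejects the given version."""
    return [who for who, spec in constraints.items() if not allows(spec, version)]

# aiohttp constraints as described in the issue; "my-library" is a placeholder name.
CURRENT = {
    "my-library (direct)": "~=3.8",
    "gremlinpython (via awswrangler)": ">=3.8.0,<=3.8.1",
}
# Assumed variant with the upper bound the issue proposes (<4.0.0).
PROPOSED = dict(CURRENT, **{"gremlinpython (via awswrangler)": ">=3.8.0,<4.0.0"})

if __name__ == "__main__":
    for candidate in ("3.8.1", "3.8.3", "4.0.0"):
        print(candidate, "current:", conflicts(candidate, CURRENT),
              "proposed:", conflicts(candidate, PROPOSED))
```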