This is partially what we are doing in pipenv, although we are not truly SAT solving; we are fully resolving. For the record, I just tried this out with what will be the next version of pipenv (releasing this week) and it seems that requests doesn't pin urllib3 below 1.23 (so urllib3 1.23 is compatible with requests):

/t/test pipenv graph --bare
pusher==2.0.1
  - ndg-httpsclient [required: Any, installed: 0.5.0]
    - pyasn1 [required: >=0.1.1, installed: 0.4.3]
    - PyOpenSSL [required: Any, installed: 18.0.0]
      - cryptography [required: >=2.2.1, installed: 2.2.2]
        - asn1crypto [required: >=0.21.0, installed: 0.24.0]
        - cffi [required: >=1.7, installed: 1.11.5]
          - pycparser [required: Any, installed: 2.18]
        - idna [required: >=2.1, installed: 2.7]
        - six [required: >=1.4.1, installed: 1.11.0]
      - six [required: >=1.5.2, installed: 1.11.0]
  - pyasn1 [required: Any, installed: 0.4.3]
  - pyopenssl [required: Any, installed: 18.0.0]
    - cryptography [required: >=2.2.1, installed: 2.2.2]
      - asn1crypto [required: >=0.21.0, installed: 0.24.0]
      - cffi [required: >=1.7, installed: 1.11.5]
        - pycparser [required: Any, installed: 2.18]
      - idna [required: >=2.1, installed: 2.7]
      - six [required: >=1.4.1, installed: 1.11.0]
    - six [required: >=1.5.2, installed: 1.11.0]
  - requests [required: >=2.3.0, installed: 2.19.0]
    - certifi [required: >=2017.4.17, installed: 2018.4.16]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.8, installed: 2.7]
    - urllib3 [required: >=1.21.1,<1.24, installed: 1.23] *****
  - six [required: Any, installed: 1.11.0]
  - urllib3 [required: Any, installed: 1.23]

Asterisks mine

And just to confirm -- from the current setup.py for requests (found at https://github.com/requests/requests/blob/991e8b76b7a9d21f698b24fa0058d3d5968721bc/setup.py#L54):

> 'urllib3>=1.21.1,<1.24'

Dan Ryan
gh: @techalchemy // e: d...@danryan.co

> -----Original Message-----
> From: Paul Moore [mailto:p.f.mo...@gmail.com]
> Sent: Wednesday, June 13, 2018 6:05 AM
> To: Alex Grönholm
> Cc: DistUtils mailing list
> Subject: [Distutils] Re: Dependency resolution in pip
>
> On 13 June 2018 at 10:23, <alex.gronh...@nextday.fi> wrote:
> > I recently stumbled into a worrying problem with pip. I found out that doing
> > "pip install pusher requests" installs urllib3 v1.23 as a dependency even
> > though requests specifically restricts the version to lower than 1.23. Then
> > if instead I do "pip install requests pusher" it installs urllib3 v1.22 as
> > expected. As I recall, pip has long had a problem with combining version
> > specifiers and extras when the same target has been required from multiple
> > sources. What I wanted to ask was, is this a simple bug, or a larger
> > unresolved design problem? Should pip also take into consideration the
> > requirements from existing installed packages so pip won't end up installing
> > upgrades they're incompatible with?
>
> It's a known issue - pip doesn't do full dependency resolution at the
> moment. It's being tracked in https://github.com/pypa/pip/issues/988
>
> Paul

--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mm3/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/mm3/archives/list/distutils-sig@python.org/message/YFL6DINA5NYQSIIZOYDSQJUR52HEJSJZ/
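
The ordering effect described in the quoted report, as an added example that is not part of the original messages and is not pip's code: a simplified model in which only the first requirer's urllib3 specifier is honoured, next to one that intersects all specifiers, plus a pip-check-style audit. The index contents, the `<1.23` bound (taken from the report's description) and all function names are constructed for illustration.

```python
# Simplified model of the ordering problem reported in this thread.
# Not pip's code; all requirement data below is constructed from the messages.
import operator

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}   # two-character operators listed first

def ver(s):
    """'1.21.1' -> (1, 21, 1); enough for the plain numeric versions used here."""
    return tuple(int(p) for p in s.split("."))

def satisfies(version, spec):
    """True if version meets every clause of a spec like '>=1.21.1,<1.23' ('' = Any)."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        for sym, op in OPS.items():
            if clause.startswith(sym):
                if not op(ver(version), ver(clause[len(sym):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause}")
    return True

AVAILABLE = ["1.21.1", "1.22", "1.23"]   # constructed urllib3 index
REQUIRES = {                             # constructed: what each package asks of urllib3
    "pusher": "",                        # "required: Any" in the graph output
    "requests": ">=1.21.1,<1.23",        # the restriction described in the original report
}

def newest(specs):
    """Newest available version that satisfies every spec, or None."""
    ok = [v for v in AVAILABLE if all(satisfies(v, s) for s in specs)]
    return max(ok, key=ver) if ok else None

def first_wins(order):
    """Only the first requirer's specifier is honoured; later ones are ignored."""
    return newest([REQUIRES[order[0]]])

def intersect(order):
    """Every requirer's specifier must hold, so argument order cannot matter."""
    return newest([REQUIRES[p] for p in order])

def conflicts(installed):
    """Audit: requirers whose specifier the installed version violates."""
    return [p for p, s in REQUIRES.items() if not satisfies(installed, s)]

if __name__ == "__main__":
    for order in (["pusher", "requests"], ["requests", "pusher"]):
        v = first_wins(order)
        print(order, "first-wins:", v, "intersect:", intersect(order),
              "conflicts:", conflicts(v))
```

Running an audit such as `pip check` after installation reports the same kind of violation that `conflicts()` models here.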