Potential dependency conflicts between django-netjsongraph and django

[NeolithEra]

Hi, as shown in the following full dependency graph of django-netjsongraph, django-netjsongraph requires django >=2.2,<3.1 ， while the installed version of django (3.0.6) ，jsonfield 3.1.0 requires django >=2.2.
According to Pip's “first found wins” installation strategy, django 3.0.6 is the actually installed version.
Although the first found package version django 3.0.6 just satisfies the later dependency constraint （django >=2.2), it will easily cause a build failure once the updated jsonfield introduces a higher version of django
According to the release history of jsonfield, it habitually upgrates django in its recent releases. For instance, jsonfield 2.0.0 upgrated django’s constraint from >=1.4.3 to >=1.8.0, jsonfield 2.0.1 upgrated django’s constraint from >=1.8.0 to >=1.11， and jsonfield 3.0.0 upgrated django’s constraint from >=1.11 to >=2.2.

Dependency tree

django-netjsongraph - 0.6.2
| +- django(install version:3.0.6 version range:>=2.2,<3.1)
| +- django-model-utils(install version:4.0.0 version range:*)
| | +- django(install version:3.0.6 version range:>=2.0.1)
| +- djangorestframework(install version:3.11.0 version range:>=3.3,<3.12)
| | +- django(install version:3.0.6 version range:>=1.11)
| +- jsonfield(install version:3.1.0 version range:>=3.1.0,<4.0.0)
| | +- django (install version:3.0.5 version range:>=2.2)
| | | +- asgiref (install version: version range:=3.2)
| | | +- pytz(install version:2019.3 version range:*)
| | | +- sqlparse (install version:0.3.1 version range:>=0.2.2)
| +- netdiff(install version:0.7 version range:>=0.7.0,<0.8.0)
| +- openwisp-utils(install version:0.4.5 version range:>=0.4.3,<0.5.0) 

Thanks for your help.
Best,
Neolith

[NeolithEra]

Suggested Solution

1. Lose the version range of django to be**>=2.2**.
2. Remove your direct dependency django, and use the django transitively introduced by jsonfield.
   @nemesisdesign Which solution do you prefer, 1 or 2?
   Please let me know your choice. May I pull a request to solve this issue?

[atb00ker]

1. Let's say, in future when say django 3.2 is released and jsonfield changes to >=3.2 and for some reason we have not upgraded, I think it's best that we see it as a bug report to manually upgrade it. Automatically installing >=3.2 may cause problems for the users.
2. django transitively introduced by jsonfield is going to cause more problems as it takes control of which version of django we use and other modules may not be compatible with the version that jsonfield installs. 😄

\imo: I think if it is an issue, loosening django version range is not the solution but tightening jsonfield version may be the solution. 😄

Let me know your thoughts! 😄

P.S: Originally such wide range for jsonfield was chosen to avoid making pull requests again and again to update for minor changes that doesn't require any human intervention; in case it can cause problem, tighten range sounds good to me! 😄

[NeolithEra]

@atb00ker Thanks for your feedback. I agree with your oppinion. Changing the version constraint of jsonfield to be <=3.1.0 is a good solution.

[nemesifier]

Go for it, thank you guys. 👍