Possibility about PyJWT dependency bump #153

Open
mondaini opened this issue Sep 20, 2022 · 5 comments
Comments

@mondaini

Hi @harsharahul,

The release 3.18.0 forces the pyjwt version to be lower than version 2. Is it mandatory?

I have one project with other dependencies conflicting with that constraint:

```
[pipenv.exceptions.ResolutionFailure]: Warning: Your dependencies could not be resolved. You likely have a mismatch in your sub-dependencies.
  First try clearing your dependency cache with $ pipenv lock --clear, then try the original command again.
 Alternatively, you can use $ pipenv install --skip-lock to bypass this mechanism, then run $ pipenv graph to inspect the situation.
  Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: Could not find a version that matches pyjwt<2,<3,==2.4.0,>=1.7.1 (from -r /tmp/pipenvfxitwn_jrequirements/pipenv-9z21qeb7-constraints.txt (line 12))
Tried: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 0.2.3, 0.2.3, 0.3.0, 0.3.0, 0.3.1, 0.3.1, 0.3.2, 0.3.2, 0.4.0, 0.4.0, 0.4.1, 0.4.1, 0.4.2, 0.4.2, 0.4.3, 0.4.3, 1.0.0, 1.0.0, 1.0.1, 1.0.1, 1.1.0, 1.1.0, 1.3.0, 1.3.0, 1.4.0, 1.4.0, 1.4.1, 1.4.1, 1.4.2, 1.4.2, 1.5.0, 1.5.0, 1.5.1, 1.5.1, 1.5.2, 1.5.2, 1.5.3, 1.5.3, 1.6.0, 1.6.0, 1.6.1, 1.6.1, 1.6.3, 1.6.3, 1.6.4, 1.6.4, 1.7.0, 1.7.0, 1.7.1, 1.7.1, 2.0.0, 2.0.0, 2.0.1, 2.0.1, 2.1.0, 2.1.0, 2.2.0, 2.2.0, 2.3.0, 2.3.0, 2.4.0, 2.4.0, 2.5.0, 2.5.0
Skipped pre-versions: 2.0.0a1, 2.0.0a1, 2.0.0a2, 2.0.0a2
There are incompatible versions in the resolved dependencies:
  pyjwt==2.4.0 (from -r /tmp/pipenvfxitwn_jrequirements/pipenv-9z21qeb7-constraints.txt (line 12))
  pyjwt<2,>=1.7.1 (from docusign-esign==3.18.0->-r /tmp/pipenvfxitwn_jrequirements/pipenv-9z21qeb7-constraints.txt (line 31))
  pyjwt<3,>=1.7.1 (from djangorestframework-simplejwt==5.2.0->-r /tmp/pipenvfxitwn_jrequirements/pipenv-9z21qeb7-constraints.txt (line 26))
```

I understand I can roll back to the previous docusign-esign release, but I'd like to be up to date whenever possible.

Thank you for your support.

Originally posted by @mondaini in #150 (comment)
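The conflict in the pipenv output above, reproduced as an added example (not part of the original issue or of the docusign-esign code base): it intersects the three pyjwt specifiers from the log and reports which requirer, if dropped, makes the set resolvable. The label `top-level requirement` and the shortened candidate list are assumptions; only final release versions and the operators `==`, `>=`, `<=`, `>`, `<` are handled.

```python
import re

# Specifiers on pyjwt copied from the pipenv output: requirer -> specifier.
# "top-level requirement" is an assumed label for the ==2.4.0 line.
CONSTRAINTS = {
    "top-level requirement": "==2.4.0",
    "docusign-esign==3.18.0": "<2,>=1.7.1",
    "djangorestframework-simplejwt==5.2.0": "<3,>=1.7.1",
}
# A subset of the versions listed under "Tried:" in the same output.
CANDIDATES = ["1.7.0", "1.7.1", "2.0.0", "2.3.0", "2.4.0", "2.5.0"]

OPS = {
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(text):
    """'2.4.0' -> (2, 4); trailing zeros are dropped so that 2 == 2.0.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def satisfies(version, spec):
    """True if version meets every comma-separated clause of spec."""
    for clause in spec.split(","):
        op, bound = re.fullmatch(r"\s*(==|>=|<=|>|<)\s*([\d.]+)\s*", clause).groups()
        if not OPS[op](parse_version(version), parse_version(bound)):
            return False
    return True

def resolve(constraints, candidates=CANDIDATES):
    """Candidate versions accepted by every requirer."""
    return [v for v in candidates
            if all(satisfies(v, s) for s in constraints.values())]

def blockers(constraints, candidates=CANDIDATES):
    """Requirers whose removal alone turns an unresolvable set resolvable."""
    if resolve(constraints, candidates):
        return []
    return [name for name in constraints
            if resolve({k: v for k, v in constraints.items() if k != name}, candidates)]

if __name__ == "__main__":
    print("resolvable versions:", resolve(CONSTRAINTS))
    print("conflict involves:", blockers(CONSTRAINTS))
```
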

@harsharahul
Contributor

@mondaini We started to support versions greater than pyjwt>2, hence the restriction is removed in the requirements file requirements.txt. You can also manually install the greater version and it will work without issues.

Thanks for reaching out.
-Harsha

@mondaini
Author

@harsharahul

Thanks for your response.

setup.py has a different constraint, though:

```python
REQUIRES = ["urllib3 >= 1.15", "six >= 1.8.0", "certifi >= 14.05.14", "python-dateutil >= 2.5.3", "setuptools >= 21.0.0", "PyJWT>=1.7.1,<2", "cryptography>=2.5", "nose>=1.3.7"]
```

Would you mind if I make a pull request removing this <2 constraint on this file?

@mondaini
Author

@whyscream

@harsharahul Can we please get a release with a corrected pyjwt pin? Most people use docusign-esign as a library with an app: it's not a standalone product. They need to manage many dependencies, and dependencies of dependencies, and can do so efficiently using tools like pip-tools, safety etc. Manually installing a different version of pyjwt does not work, since that forces you to abandon the existing workflow with named tools, and also forces you to disable all kinds of other sanity checks that are done by default on deployments, like pip check etc.

The invalid pin in setup.py effectively prevents us from using release 3.18.0, forcing us to stay at 3.17.0.

@harsharahul
Contributor

@mondaini @whyscream Thank you for your patience. The new version with the updated setup.py file is released to the package managers. Please use v3.18.1.

-Harsha
