Dependency check on 'requests' raises dependency inconsistencies #64

Closed
EpicWink opened this issue Apr 24, 2019 · 2 comments · Fixed by #97

EpicWink commented Apr 24, 2019

Currently, google-resumable-media depends on requests>=2.18. On import, the package checks that this dependency is valid and met. This then checks that all dependencies down the chain are also valid and met.

The issue here is that then a pkg_resources.ContextualVersionConflict is raised when a dependency of requests isn't met when calling the version-check pkg_resources.require('requests >= 2.18.0').

For example, if requests has the requirement urllib3>=1.21,<1.25, but a package further up the chain (e.g. sentry-sdk) had the requirement urllib3, then the latest version of urllib3 (which is v1.25) will be installed. pip then warns the user that the requests requirement won't be met, but in my experience these warnings have not caused issues in the past.

Four solutions I can think of:

  • Have requests allow urllib3=1.25 (see this issue)
  • Manually require urllib3<1.25 in the application
  • Don't check for requests dependency validity at run-time
  • Ignore version inconsistencies of dependencies of requests when checking for dependency validity at run-time
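
An added illustration, not code from this project or from pkg_resources: a small stdlib-only model of the situation described in the comment above, showing why a check on requests alone passes while a check that follows its requirements reports the urllib3 conflict. The environment table, the requests and sentry-sdk version numbers, and all function names are constructed for the example.

```python
import operator

# Constructed model of an installed environment (not real pip metadata):
# name -> (installed version, {dependency name: specifier string}).
INSTALLED = {
    "requests": ("2.21.0", {"urllib3": ">=1.21,<1.25"}),
    "sentry-sdk": ("0.7.10", {"urllib3": ""}),  # unpinned: any urllib3
    "urllib3": ("1.25", {}),                    # newest release got installed
}

# Two-character operators come first so ">=" is not read as ">".
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "<": operator.lt, ">": operator.gt}


def parse(version, width=4):
    """Turn '1.25' into (1, 25, 0, 0) so versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def satisfies(version, spec):
    """True if version meets every comma-separated clause ('' means any)."""
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        sym = next(s for s in OPS if clause.startswith(s))
        if not OPS[sym](parse(version), parse(clause[len(sym):])):
            return False
    return True


def shallow_check(env, name, spec):
    """Check only the named distribution, ignoring what it requires."""
    return satisfies(env[name][0], spec)


def deep_check(env, name, spec, required_by="<application>", seen=None):
    """Check name and, recursively, its requirements; return conflicts as
    (required_by, distribution, installed_version, unmet_specifier)."""
    seen = set() if seen is None else seen
    version, deps = env[name]
    conflicts = []
    if not satisfies(version, spec):
        conflicts.append((required_by, name, version, spec))
    if name not in seen:
        seen.add(name)
        for dep, dep_spec in deps.items():
            conflicts += deep_check(env, dep, dep_spec, name, seen)
    return conflicts
```

Here `shallow_check(INSTALLED, "requests", ">=2.18.0")` succeeds, while `deep_check` with the same arguments reports that urllib3 1.25 does not meet the specifier declared by requests.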

tseaver commented Aug 28, 2019

This package never actually imports anything from requests: instead, the requests-specific bits require that the client pass through a transport which is compatible with requests.Session (with authentication). ISTM that we could therefore drop the runtime pkg_resources.require check, since passing in an appropriate transport is the caller's responsibility. @crwilcox, can you please comment?

Even if we drop the runtime check, I recommend leaving the extra in place, to avoid breaking clients who pick up requests via a transitive dependency on google-resumable-media[requests].

tseaver commented Aug 28, 2019

Note that the question is somewhat moot, given psf/requests#5092.

tseaver added a commit that referenced this issue Aug 28, 2019
We don't import it:  we just require the caller to pass in a 'transport'
which emulates the 'requests.Session' object (with authentication).

Closes #64.