
[BUG] ptb hardpins dependencies, causing problems for sub-dependencies #2758

Closed
@xmatthias

Description


Steps to Reproduce

Create a project with ptb and cachetools (for example) in requirements

requirements.txt

python-telegram-bot==13.7
cachetools==4.2.4

install that project

pip install -r requirements.txt

Collecting cachetools==4.2.4
  Downloading cachetools-4.2.4-py3-none-any.whl (10 kB)
ERROR: Cannot install cachetools==4.2.4 and python-telegram-bot==13.7 because these package versions have conflicting dependencies.

The proposed workaround from #2757 (comment) does NOT work with up-to-date pip versions, and fails with the following approach.

pip install cachetools==4.2.4 -U
Collecting cachetools==4.2.4
  Using cached cachetools-4.2.4-py3-none-any.whl (10 kB)
Installing collected packages: cachetools
  Attempting uninstall: cachetools
    Found existing installation: cachetools 4.2.2
    Uninstalling cachetools-4.2.2:
      Successfully uninstalled cachetools-4.2.2
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
python-telegram-bot 13.7 requires cachetools==4.2.2, but you have cachetools 4.2.4 which is incompatible.

Expected behaviour

Installation would not fail.

A library should not hard-pin install-dependencies (in setup.py) but instead use range-pinning.

Hard-pinned dependencies should only be used in requirements.txt - but not in setup.py - preventing other projects from updating.
To avoid unexpected failures, it's best practice to range-pin dependencies, preventing major updates without proper testing, which ptb fails to do.

Actual behaviour

Installation fails

Operating System

not relevant
up-to-date pip version

other

I've attempted a fix in #2757 - but one of the maintainers decided to rather try and discuss the issue away than fixing this, therefore I'm now asking this as an issue, and I consider this a breaking bug (it breaks updates of dependent modules).

I'd expect a fix for this for both 13.x (minor version update) and 14.0 versions - as this can have security implications (you're preventing updating to a more up-to-date version).
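The conflict the report describes can be reproduced offline without pip. The following script is an added example, not code from the issue reporter or from the python-telegram-bot project: it parses requirement lines, flags exact pins in a library's install_requires, and checks whether a project's own exact pins can be satisfied alongside them. The sample requirement lists are constructed to mirror the report (a library hard-pinning `cachetools==4.2.2` versus the range `cachetools>=4.2.2,<5` requested in the issue), the function names are the example's own, and version comparison is a simplified numeric-tuple comparison (assumption: no pre-release or local version segments).

```python
"""Flag hard pins in install_requires and check them against a project's pins.

Constructed example (not ptb's setup.py): shows why `cachetools==4.2.2` in a
library's install metadata cannot coexist with a project that needs
`cachetools==4.2.4`, while a range pin lets both resolve.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, Version]

# Constructed sample metadata modelled on the issue (assumption, not real files).
LIBRARY_INSTALL_REQUIRES_HARD = ["cachetools==4.2.2", "certifi"]
LIBRARY_INSTALL_REQUIRES_RANGE = ["cachetools>=4.2.2,<5", "certifi"]
PROJECT_REQUIREMENTS = ["python-telegram-bot==13.7", "cachetools==4.2.4"]

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")

_OPS = {
    "==": lambda v, w: v == w,
    "!=": lambda v, w: v != w,
    "<=": lambda v, w: v <= w,
    ">=": lambda v, w: v >= w,
    "<": lambda v, w: v < w,
    ">": lambda v, w: v > w,
}


def parse_version(text: str) -> Version:
    """Numeric dotted version -> tuple; trailing zeros dropped so 4.2.0 == 4.2."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def format_version(version: Version) -> str:
    return ".".join(str(p) for p in version)


def parse_requirement(line: str) -> Tuple[str, List[Clause]]:
    """Split 'name<op>ver,<op>ver' into (lowercased name, list of (op, version))."""
    m = _NAME_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, spec = m.group(1).lower(), m.group(2)
    clauses: List[Clause] = []
    for raw in (c.strip() for c in spec.split(",")):
        if not raw:
            continue
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"unsupported specifier {raw!r} in {line!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version: Version, clauses: List[Clause]) -> bool:
    """True when every clause of a specifier accepts the given version."""
    return all(_OPS[op](version, bound) for op, bound in clauses)


def hard_pins(requirements: List[str]) -> List[str]:
    """Names pinned with '==' - acceptable in an app's requirements.txt,
    the problem the issue raises when it appears in a library's setup.py."""
    return [name for name, clauses in map(parse_requirement, requirements)
            if any(op == "==" for op, _ in clauses)]


def find_conflicts(project_reqs: List[str],
                   library_install_requires: List[str]) -> List[Tuple[str, str, str]]:
    """(package, project version, library specifier) for every package the
    project pins exactly that the library's install_requires would reject."""
    library: Dict[str, Tuple[str, List[Clause]]] = {}
    for line in library_install_requires:
        name, clauses = parse_requirement(line)
        library[name] = (line, clauses)
    conflicts = []
    for line in project_reqs:
        name, clauses = parse_requirement(line)
        exact = [v for op, v in clauses if op == "=="]
        if name not in library or not exact:
            continue
        lib_line, lib_clauses = library[name]
        if not satisfies(exact[0], lib_clauses):
            conflicts.append((name, format_version(exact[0]), lib_line))
    return conflicts


if __name__ == "__main__":
    for label, reqs in (("hard-pinned", LIBRARY_INSTALL_REQUIRES_HARD),
                        ("range-pinned", LIBRARY_INSTALL_REQUIRES_RANGE)):
        print(f"{label}: hard pins={hard_pins(reqs)} "
              f"conflicts={find_conflicts(PROJECT_REQUIREMENTS, reqs)}")
```

Run against the hard-pinned list the script reports the single `cachetools` conflict that pip refuses to install in the report above; against the range-pinned list it reports none, which is the behaviour a downstream project needs in order to pick up a newer dependency release without waiting for the library to re-pin.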
