alanhamlett/pip-update-requirements

pur installs yanked packages

moosterhof opened this issue · 1 comments

moosterhof commented

Pur is currently upgrading requirements to the most recent version, even when that version is "yanked" (https://pypi.org/help/#yanked). It would be better if it checked for this and installed the most recent non-yanked version.

Example pur output right now:

Updated jupyter-client: 6.1.12 -> 6.2.0

And then installing:

:; pip install jupyter-client==6.2.0
Collecting jupyter-client==6.2.0
  Using cached jupyter_client-6.2.0-py3-none-any.whl (112 kB)
Collecting pyzmq>=13
  Using cached pyzmq-22.1.0-cp39-cp39-macosx_10_15_universal2.whl (1.9 MB)
Collecting python-dateutil>=2.1
  Using cached python_dateutil-2.8.1-py2.py3-none-any.whl (227 kB)
Collecting nest-asyncio>=1.5
  Using cached nest_asyncio-1.5.1-py3-none-any.whl (5.0 kB)
Collecting traitlets
  Using cached traitlets-5.0.5-py3-none-any.whl (100 kB)
Collecting jupyter-core>=4.6.0
  Using cached jupyter_core-4.7.1-py3-none-any.whl (82 kB)
Collecting tornado>=4.1
  Using cached tornado-6.1-cp39-cp39-macosx_10_9_x86_64.whl (416 kB)
Collecting six>=1.5
  Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting ipython-genutils
  Using cached ipython_genutils-0.2.0-py2.py3-none-any.whl (26 kB)
WARNING: The candidate selected for download or install is a yanked version: 'jupyter-client' candidate (version 6.2.0 at https://files.pythonhosted.org/packages/88/4e/50fcf8b38d9c08d5b4839c1650e595f6bfa4fc9b419e2b800db8f14ee532/jupyter_client-6.2.0-py3-none-any.whl#sha256=9715152067e3f7ea3b56f341c9a0f9715c8c7cc316ee0eb13c3c84f5ca0065f5 (from https://pypi.org/simple/jupyter-client/) (requires-python:>=3.6.1))
Reason for being yanked: Breaking API change
Installing collected packages: ipython-genutils, traitlets, six, tornado, pyzmq, python-dateutil, nest-asyncio, jupyter-core, jupyter-client
Successfully installed ipython-genutils-0.2.0 jupyter-client-6.2.0 jupyter-core-4.7.1 nest-asyncio-1.5.1 python-dateutil-2.8.1 pyzmq-22.1.0 six-1.16.0 tornado-6.1 traitlets-5.0.5
alanhamlett commented

We need to upgrade the vendored pip before we can filter out yanked release candidates.