chris408/ct-exposer

Avoid potential dependency conflicts between ct-exposer and urllib3

NeolithEra opened this issue · 2 comments

Hi, as shown in the following full dependency graph of ct-exposer, ct-exposer requires urllib3 (the latest version), while the installed version of requests (2.22.0) requires urllib3>=1.21.1,<1.26.

According to pip's “first found wins” installation strategy, urllib3 1.25.3 is the actually installed version.

Although the first found package version urllib3 1.25.3 just satisfies the later dependency constraint (urllib3>=1.21.1,<1.26), it will lead to a build failure once developers release a newer version of urllib3.

Dependency tree--------

ct-exposer(version range:)
| +-gevent(version range:)
| +-greenlet(version range:)
| +-requests(version range:)
| | +-chardet(version range:>=3.0.2,<3.1.0)
| | +-idna(version range:>=2.5,<2.9)
| | +-urllib3(version range:>=1.21.1,<1.26)
| | +-certifi(version range:>=2017.4.17)
| +-urllib3(version range:)

Thanks for your attention.
Best,
Neolith

Solution

  1. Fix your direct dependencies to be urllib3>=1.21.1,<1.26 and requests==2.22.0, to remove this conflict.
    I have checked that this revision will not affect your downstream projects now.

  2. Remove your direct dependency urllib3, and use the library urllib3 transitively introduced by requests.

Personally, I prefer solution 2.
What's your opinion?
@chris408 May I open a pull request to solve this issue?

Thanks for bringing this up. I had added urllib3 in the past to try to avoid some error messages from requests. I removed it a moment ago.

Thanks!
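
The drift described in this thread can be checked mechanically. The following is an added example, not part of the issue or of ct-exposer: it encodes the dependency tree above as data, flags packages that one parent bounds and another leaves unbounded, and tests a candidate version against every declared range. The version comparison is a simplified stand-in for pip's (numeric releases only), and `1.26.0` in the test values is a constructed input standing for "a newer urllib3".

```python
import operator
import re

# Constructed from the dependency tree in the issue: (parent, package, specifier).
# An empty specifier means "any version", as ct-exposer declared urllib3.
REQUIREMENTS = [
    ("ct-exposer", "gevent", ""),
    ("ct-exposer", "greenlet", ""),
    ("ct-exposer", "requests", ""),
    ("ct-exposer", "urllib3", ""),
    ("requests", "chardet", ">=3.0.2,<3.1.0"),
    ("requests", "idna", ">=2.5,<2.9"),
    ("requests", "urllib3", ">=1.21.1,<1.26"),
    ("requests", "certifi", ">=2017.4.17"),
]
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}


def parse_version(text):
    """'1.26.0' -> (1, 26); numeric releases only, trailing zeros dropped."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version, specifier):
    """True if version meets every comma-separated clause of specifier."""
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        op, bound = re.fullmatch(r"(>=|<=|==|!=|<|>)\s*([\d.]+)", clause).groups()
        if not OPS[op](parse_version(version), parse_version(bound)):
            return False
    return True


def drift_risks(requirements=REQUIREMENTS):
    """Packages bounded by one parent but left unbounded by another."""
    decls = {}
    for parent, pkg, spec in requirements:
        decls.setdefault(pkg, []).append((parent, spec))
    return {pkg: d for pkg, d in decls.items()
            if any(s for _, s in d) and any(not s for _, s in d)}


def violations(installed, requirements=REQUIREMENTS):
    """Declared constraints that the given {package: version} map breaks."""
    return [(parent, pkg, spec) for parent, pkg, spec in requirements
            if pkg in installed and not satisfies(installed[pkg], spec)]
```

On an installed environment, `pip check` reports the same kind of violated requirement.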