openclimatefix/Satip

Package is currently uninstallable due to dependence on yanked version of `requests`

phinate opened this issue · 3 comments

requests==2.32.0 is unusable because it was yanked (reason given is apparently: Yanked due to conflicts CVE-2024-35195 mitigation) and satip==2.11.50 depends on requests==2.32.0, so satip==2.11.50 cannot be installed in its current state.

General comment: it looks like the requirements came from someone running pip freeze > requirements.txt, which has led to an abundance of overly strict dependencies that have the potential to continue to cause problems like this (resolving these dependencies alongside other packages in an environment would be a nightmare). I would recommend re-evaluating the actual dependencies you need fixed to specific versions (e.g. for accessing specific features, you still only need >= as opposed to ==), and let the others float.

If you consider this less of a library and more of an application, I can see why you'd want to preserve these versions; though, even if you pin packages with ==, their dependencies can still float, and so reproducibility into the future can break. If that is the long-term goal, I would then consider some form of lockfile, e.g. through Pixi or some other packaging service.
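A pin-audit script that acts on the point made in this issue, added here as an example and not code from the issue or from the Satip project: it extracts every `==` pin from a `pip freeze`-style requirements file and reports those whose release is marked yanked on the index, with the yank reason, so the problem surfaces before an install breaks. The requirements text and the index data are constructed inline (the `requests==2.32.0` entry mirrors the yank reason quoted above; the other versions are illustrative); `fetch_index` shows how the same structure is obtained from the real PyPI JSON API (`https://pypi.org/pypi/<name>/json`) but is not called in the sample run.

```python
import json
import re
import urllib.request

# Constructed sample requirements.txt in the style `pip freeze` produces
# (example input, not Satip's actual requirements file).
SAMPLE_REQUIREMENTS = """\
# generated with pip freeze
requests==2.32.0
numpy==1.26.4
xarray>=2024.1.0
pyproj  # unpinned, floats
"""

# Constructed stand-in for the PyPI JSON API response
# (https://pypi.org/pypi/<name>/json), reduced to the fields the check needs:
# releases -> version -> list of files, each carrying `yanked`/`yanked_reason`.
# Only the requests 2.32.0 entry mirrors the yank quoted in the issue; the
# other versions and their status are illustrative.
SAMPLE_INDEX = {
    "requests": {"releases": {
        "2.31.0": [{"yanked": False, "yanked_reason": None}],
        "2.32.0": [{"yanked": True,
                    "yanked_reason": "Yanked due to conflicts CVE-2024-35195 mitigation"}],
        "2.32.1": [{"yanked": False, "yanked_reason": None}],
    }},
    "numpy": {"releases": {
        "1.26.4": [{"yanked": False, "yanked_reason": None}],
    }},
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 name normalisation, so Foo_Bar, foo.bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def exact_pins(requirements_text):
    """Return {name: version} for every `==` pin. Lines with >=, ~= or no
    specifier float with the resolver and are not the concern here."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def yank_reason(index, name, version):
    """Return the yank reason if every file of the release is yanked, '' if the
    release is live, or None if the index has no such release at all."""
    files = index.get(name, {}).get("releases", {}).get(version)
    if not files:
        return None
    if all(f.get("yanked") for f in files):
        return files[0].get("yanked_reason") or "(no reason given)"
    return ""


def audit_pins(requirements_text, index):
    """List (name, version, reason) for every exact pin that resolves to a
    yanked or missing release. PEP 592 lets an installer still select a
    yanked file when an `==` pin matches nothing else, so run this before
    the install rather than waiting for the resolver to complain."""
    findings = []
    for name, version in exact_pins(requirements_text).items():
        reason = yank_reason(index, name, version)
        if reason is None:
            findings.append((name, version, "release not found on index"))
        elif reason:
            findings.append((name, version, reason))
    return findings


def fetch_index(names):
    """Build the same {name: {'releases': ...}} structure from the live PyPI
    JSON API for real use (needs network; not exercised in the sample run)."""
    index = {}
    for name in names:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json") as resp:
            index[normalize(name)] = {"releases": json.load(resp)["releases"]}
    return index


if __name__ == "__main__":
    for name, version, reason in audit_pins(SAMPLE_REQUIREMENTS, SAMPLE_INDEX):
        print(f"{name}=={version}: {reason}")
```

The audit only covers direct `==` pins, which is exactly the gap the issue points out: even with every direct dependency pinned, transitive dependencies still float, so a reproducible environment needs a lockfile covering the whole resolved graph (for example `pip-compile --generate-hashes` from pip-tools, or a Pixi lockfile) rather than a frozen `requirements.txt`.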

Thanks for this, do you know if there's a new version of requests out?
I remember there being something wrong with requests==2.32.0.

Thanks @phinate for this

@all-contributors please add @phinate for bug