tink-crypto/tink-py

Why the old urllib3 pinned version?

Closed this issue · 2 comments

Describe the bug:

It would be cool to know why the urllib3 version that is pinned as a requirement is such an old one?

In the real release, as per:

urllib3==1.26.16 \

you pin it at urllib3==1.26.16
yet deeper in the repo you have a release_requirements.txt file with a newer version:
urllib3==2.0.2 \

at urllib3==2.0.2, almost the newest of 2.0.4.

I had upgraded from tink 1.7.0 and it downgraded urllib3 in my project in the process.

What version of Tink are you using?

1.8.0

> It would be cool to know why the urllib3 version that is pinned as a requirement is such an old one?

This is a transitive dependency. google-auth requires urllib3<2.0, so pip-compile selects the highest that satisfies this constraint when generating requirements.txt. google-auth is a new dependency needed by the Python native Google Cloud KMS extension.

Note that when you install tink via pip install, transitive dependencies will be resolved by pip and not pinned to requirements.txt; the constraints Tink declares are in requirements.in.

> yet deeper in the repo you have a release_requirements.txt file with a newer version:

These are dependencies required by our release tooling so it doesn't have the same constraints.
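As an added illustration (example code written for this page, not Tink's tooling or pip-compile itself), the script below models the resolution described in the reply: start from unpinned direct requirements (a requirements.in), walk transitive dependencies against a package index, and pin each package to the highest version that satisfies every constraint placed on it. The index is constructed: only the urllib3 versions 1.26.16 / 2.0.2 / 2.0.4 and the google-auth `urllib3<2.0` constraint come from the thread; the tink, google-auth and protobuf versions and the remaining dependency edges are illustrative placeholders. It also shows the reporter's upgrade path: with tink 1.7.0 (no google-auth) urllib3 resolves to 2.0.4, with tink 1.8.0 it drops to 1.26.16.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed package index: name -> {version: [requirement strings of that version]}.
# Only urllib3's versions and google-auth's "urllib3<2.0" come from the thread;
# everything else here is an illustrative placeholder.
INDEX: Dict[str, Dict[str, List[str]]] = {
    "tink": {"1.7.0": ["protobuf"], "1.8.0": ["protobuf", "google-auth"]},
    "google-auth": {"2.22.0": ["urllib3<2.0"]},
    "protobuf": {"4.23.4": []},
    "urllib3": {"1.26.16": [], "2.0.2": [], "2.0.4": []},
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")


def parse_version(text: str) -> Version:
    """'1.26.16' -> (1, 26, 16). Simplified: no pre-release or local segments."""
    return tuple(int(part) for part in text.split("."))


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so '2.0' and '2.0.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every clause in a specifier such as '>=1.26,<2.0'.
    An empty specifier (bare 'urllib3') accepts any version."""
    v = parse_version(version)
    for op, target in _SPEC_RE.findall(specifier):
        a, b = _padded(v, parse_version(target))
        ok = {"==": a == b, "!=": a != b, "<": a < b,
              "<=": a <= b, ">": a > b, ">=": a >= b}[op]
        if not ok:
            return False
    return True


def compile_pins(direct_requirements: List[str]) -> Dict[str, str]:
    """Toy pip-compile: return {package: pinned version} for the direct
    requirements plus everything they pull in transitively.

    Each package is pinned to the highest indexed version that satisfies the
    union of constraints from every requester seen so far; when a later
    requester (e.g. google-auth's 'urllib3<2.0') tightens the constraints, the
    package is re-resolved and, if its pin changes, its dependencies re-walked.
    Constraints contributed by a version that is later abandoned are not
    retracted, which is fine for this illustration but not a real resolver."""
    constraints: Dict[str, List[str]] = {}
    pins: Dict[str, str] = {}
    queue = list(direct_requirements)
    while queue:
        name, spec = _REQ_RE.match(queue.pop(0)).groups()
        if name not in INDEX:
            raise ValueError(f"{name}: not in index")
        constraints.setdefault(name, []).append(spec)
        candidates = [v for v in INDEX[name]
                      if all(satisfies(v, s) for s in constraints[name])]
        if not candidates:
            raise ValueError(f"{name}: no version satisfies {constraints[name]}")
        best = max(candidates, key=parse_version)
        if pins.get(name) != best:
            pins[name] = best
            queue.extend(INDEX[name][best])
    return pins


def render_requirements_txt(pins: Dict[str, str]) -> str:
    """Emit the pins in the 'name==version' form of a generated requirements.txt."""
    return "\n".join(f"{name}=={version}" for name, version in sorted(pins.items()))


if __name__ == "__main__":
    # requirements.in for the 1.8.0 release: tink pulls in google-auth, which caps urllib3.
    print("--- tink 1.8.0 ---")
    print(render_requirements_txt(compile_pins(["tink", "urllib3"])))
    # The reporter's previous release: no google-auth, so urllib3 is free to be 2.0.4.
    print("--- tink 1.7.0 ---")
    print(render_requirements_txt(compile_pins(["tink==1.7.0", "urllib3"])))
```

Running the block prints the two generated pin sets side by side; the only difference between them is that the google-auth edge in the 1.8.0 graph forces urllib3 down to 1.26.16. The same mechanism explains why a separate release_requirements.txt, compiled from a different set of direct requirements, can carry a newer urllib3 pin.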

Ahhh, I had not seen the requirements.in. Thank you for the explainer.