Why the old urllib3 pinned version?
Closed this issue · 2 comments
Describe the bug:
It would be cool to know why the urllib3 version that is pinned as a requirement is such an old one.
In the real release, as per line 256 in 5934f47, you pin it at urllib3==1.26.16, yet deeper in the repo you have a release_requirements.txt file (tink-py/kokoro/release_requirements.txt, line 271 in 5934f47) with a newer version, urllib3==2.0.2, almost the newest of 2.0.4.
I had upgraded from tink 1.7.0 and it downgraded urllib3 in my project in the process.
What version of Tink are you using?
1.8.0
It would be cool to know why the urllib3 version that is pinned as a requirement is such an old one.
This is a transitive dependency. google-auth requires urllib3<2.0, so pip-compile selects the highest version that satisfies this constraint when generating requirements.txt. google-auth is a new dependency needed by the Python native Google Cloud KMS extension.
Note that when you install tink via pip install, transitive dependencies will be resolved by pip and not pinned to requirements.txt; the constraints Tink declares are in requirements.in.
yet deeper in the repo you have a release_requirements.txt file with a newer version:
These are dependencies required by our release tooling, so it doesn't have the same constraints.
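To make the resolution described in the answer concrete, here is an added illustration (not tink-py or pip-tools code) of how a pip-compile style lock ends up at the highest version that every declared and transitive specifier allows, and how a compiled requirements.txt can be checked against those specifiers. The requirement lists and the urllib3 candidate versions are constructed for the example rather than read from a real index, and the version and specifier handling is a deliberate simplification of PEP 440 (release segments only, the six comparison operators).

```python
"""Minimal model of how a pip-compile style resolver settles a pin.

Added illustration, not tink-py or pip-tools code. Version and specifier
handling is a simplification of PEP 440: release segments only and the
operators ==, !=, <, <=, >, >=. Inputs below are constructed.
"""
import re

# Constructed sample inputs; the specifiers mirror the ones described in the issue,
# the candidate list stands in for an index listing and is not real package metadata.
REQUIREMENTS_IN = ["google-auth", "urllib3"]        # direct constraints Tink declares
GOOGLE_AUTH_METADATA = ["urllib3<2.0"]               # transitive constraint from google-auth
RELEASE_REQUIREMENTS_IN = ["urllib3"]                # release tooling: no google-auth in the graph
URLLIB3_CANDIDATES = ["1.26.15", "1.26.16", "2.0.2", "2.0.4"]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*(?:#.*)?$")
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")


def parse_version(text):
    """Release segment only, e.g. '1.26.16' -> (1, 26, 16)."""
    return tuple(int(p) for p in text.strip().split("."))


def compare(a, b):
    """Return -1/0/1 for version tuples a and b, padding with zeros so 2.0 == 2.0.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_requirement(line):
    """Split 'urllib3<2.0,>=1.25' into ('urllib3', [('<', (2, 0)), ('>=', (1, 25))])."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, rest = m.group(1), m.group(2)
    specs = [(op, parse_version(ver)) for op, ver in _SPEC_RE.findall(rest)]
    return name.lower(), specs


def satisfies(version, specs):
    """True when the version string meets every (operator, version) specifier."""
    v = parse_version(version)
    checks = {
        "==": lambda c: c == 0, "!=": lambda c: c != 0,
        "<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    }
    return all(checks[op](compare(v, target)) for op, target in specs)


def collect_specs(name, *requirement_sources):
    """Gather every specifier for `name` across direct and transitive requirement lists."""
    specs = []
    for source in requirement_sources:
        for line in source:
            n, s = parse_requirement(line)
            if n == name.lower():
                specs.extend(s)
    return specs


def resolve(name, candidates, *requirement_sources):
    """Highest candidate satisfying all specifiers: the pin a compile step would record."""
    specs = collect_specs(name, *requirement_sources)
    acceptable = [c for c in candidates if satisfies(c, specs)]
    return max(acceptable, key=parse_version) if acceptable else None


def lock_violations(lock_lines, *requirement_sources):
    """Check a compiled lock file: report '==' pins that break any declared specifier."""
    violations = []
    for line in lock_lines:
        name, specs = parse_requirement(line)
        pins = [v for op, v in specs if op == "=="]
        if not pins:
            continue
        pinned = ".".join(map(str, pins[0]))
        if not satisfies(pinned, collect_specs(name, *requirement_sources)):
            violations.append((name, pinned))
    return violations


if __name__ == "__main__":
    # With google-auth in the graph, the newest acceptable urllib3 is 1.26.16 ...
    print(resolve("urllib3", URLLIB3_CANDIDATES, REQUIREMENTS_IN, GOOGLE_AUTH_METADATA))
    # ... while the release tooling, which has no google-auth, takes 2.0.4.
    print(resolve("urllib3", URLLIB3_CANDIDATES, RELEASE_REQUIREMENTS_IN))
    # A hand-edited lock that bumps urllib3 to 2.0.2 is flagged against the transitive bound.
    print(lock_violations(["urllib3==2.0.2"], REQUIREMENTS_IN, GOOGLE_AUTH_METADATA))
```

The same two inputs explain both files in the issue: the main lock inherits the `<2.0` bound through google-auth, while release_requirements.txt is compiled from a different input set and is free to take the 2.0 line. The `lock_violations` check is the kind of guard worth running in CI whenever a lock is edited by hand rather than regenerated, since a pin that contradicts a transitive bound will be silently overridden at `pip install` time.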
Ahhh, I had not seen the requirements.in. Thank you for the explainer.