Lower requirements constraints
fmigneault opened this issue · 6 comments
Is your feature request related to a problem? Please describe.
Because of how https://github.com/vinitkumar/json2xml/blob/master/requirements.txt gets generated, json2xml enforces very strict dependencies related to requests and its sub-dependencies, although there is no real reason to do so. Indeed, the only "real" requirements are defined in https://github.com/vinitkumar/json2xml/blob/master/requirements.in.
Describe the solution you'd like
Requirements of json2xml should limit themselves only to what is actually needed, so that once it is installed along with other packages in an environment, it does not become the limiting factor in updating packages. Especially in the case of requests sub-dependencies, this blocks very important security fixes from certifi and urllib3.
Describe alternatives you've considered
n/a
Additional context
n/a
@fmigneault I think you are right. On one hand, having pinned dependencies is nice for reproducibility, but that's more useful for an application and for libraries, it should be more relaxed so that it is more useful in other contexts.
I am going to fix this and do a new release soon.
Thanks for pointing it out.
@fmigneault I just pushed a release to PyPI where I fixed the complaint you had. https://pypi.org/project/json2xml/3.20.0/
Please check it and let me know if this fixes the issue for you?
Thanks again for pointing this out.
@vinitkumar Works like a charm! Thanks for the update.
@vinitkumar
Is it possible to loosen the urllib3 version dependency as you did with the previous PR?
Although I see that you did update it in 092b132, the current latest available release https://github.com/vinitkumar/json2xml/tree/v4.0.1 drags it down to urllib3==1.26.13 instead of letting pip auto-resolve urllib3 to the latest available version. Every codebase that uses json2xml is therefore "less secure" because it must wait until you release a new version to respect dependencies.
@fmigneault You raise a brilliant point. I haven't thought about this before. I am also thinking of not hardcoding a version on both the dependencies in requirements and pip auto to decide if those work or not. We have good test coverage to catch any regression. And at the same time, it would not limit people using these dependencies to run insecure versions.
Thanks for the quick fix. Greatly appreciated!
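The thread above is about a library shipping the exact pins of a compiled requirements.txt (including transitive packages such as urllib3 and certifi) as its install requirements, so downstream environments cannot pick up patched releases until the library re-releases. The following is an added example, not json2xml's own code: a small linter that compares a requirements.in-style list of direct dependencies against a compiled, fully pinned requirements.txt, reports exact pins on packages that are not direct dependencies, and derives loosened lower-bound constraints for the direct ones. The two requirement texts and the version numbers in them are constructed samples that only imitate the shape of the real files.

```python
"""Lint a library's pinned requirements against its declared direct dependencies.

Added example (not json2xml's own code). Exact '==' pins on transitive packages
stop pip from resolving newer, security-patched releases of those packages in
any environment that installs the library; this script flags such pins and
shows the loosened constraints a library would normally publish instead.
"""
import re

# Constructed sample inputs modelled on requirements.in (direct deps only)
# and a pip-compile style requirements.txt (every package pinned).
REQUIREMENTS_IN = """
xmltodict
requests
"""

REQUIREMENTS_TXT = """
# constructed sample of a compiled, fully pinned file
certifi==2022.9.24
charset-normalizer==2.1.1
idna==3.4
requests==2.28.1
urllib3==1.26.13
xmltodict==0.13.0
"""

# name, optional [extras], optional operator, optional version (stops at ';' markers and '#' comments)
_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|!=|>|<)?\s*([^\s;#]*)"
)


def normalize(name):
    """PEP 503 style normalization so 'Charset_Normalizer' and 'charset-normalizer' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return {normalized_name: (operator, version)} for each requirement line.

    Comments, blank lines and option lines (-r, --hash, ...) are skipped; a bare
    name yields ('', '').
    """
    specs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _SPEC_RE.match(line)
        if not match:
            continue
        name, op, version = match.groups()
        specs[normalize(name)] = (op or "", version or "")
    return specs


def find_transitive_pins(direct_text, pinned_text):
    """List (package, version) pairs pinned with '==' that are not direct dependencies.

    These are the pins that make a library the 'limiting factor' for security updates.
    """
    direct = set(parse_requirements(direct_text))
    pinned = parse_requirements(pinned_text)
    return sorted(
        (name, version)
        for name, (op, version) in pinned.items()
        if op == "==" and name not in direct
    )


def loosen(direct_text, pinned_text):
    """Derive install-time constraints: each direct dependency keeps the compiled
    pin only as a lower bound, and transitive pins are dropped so pip resolves them."""
    direct = parse_requirements(direct_text)
    pinned = parse_requirements(pinned_text)
    constraints = []
    for name in sorted(direct):
        op, version = pinned.get(name, ("", ""))
        constraints.append(f"{name}>={version}" if op == "==" and version else name)
    return constraints


if __name__ == "__main__":
    for name, version in find_transitive_pins(REQUIREMENTS_IN, REQUIREMENTS_TXT):
        print(f"transitive pin blocks updates: {name}=={version}")
    print("suggested install requirements:", loosen(REQUIREMENTS_IN, REQUIREMENTS_TXT))
```

Running the script on the constructed samples reports certifi, charset-normalizer, idna and urllib3 as transitive pins and suggests `requests>=2.28.1` and `xmltodict>=0.13.0` as the published constraints; the fully pinned file remains useful for the project's own reproducible test environment, which is the distinction the maintainer draws above.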