-
-
Notifications
You must be signed in to change notification settings - Fork 611
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--upgrade-packages fails to constrain subdeps, if either absent from a preexisting output file, or if --upgrade is also passed #1550
Comments
After some more investigation, this issue occurs without the This actually affects my workaround above, as I'd have to run |
Looks like this behavior was changed in #1031. There's relevant discussion in that PR, but I can't tell whether this exact case was intentionally changed. @AndydeCleyre might be able to share more. |
I did not realize they were intended to potentially be used together, as I didn't see sense in the sentiment "keep/install an old version of package x AND upgrade all packages to their latest" -- I figured the upgrade-all bit would trump the other bit. I was wrong. I'll try to review this whole thing. |
Until then, does it help to put your restricted versions into the input file? |
That makes sense. The I can see why the sentiment of upgrading all and pinning a specific package would seem strange. In my specific case, I'm actually trying to force the requirements file to contain a specific, CPU-only flavour of PyTorch with |
OK, reviewing the discussion at #759, I think a key note is right at the start. @atugushev opened with:
Through the discussion, the "penalty" was softened and we did not end up raising any errors in this case. But the expectation there illuminated is that packages passed to With that in mind:
django
sqlparse # for django $ pip-compile --upgrade-package 'sqlparse<=0.4.0'
asgiref==3.5.0
# via django
django==4.0.2
# via -r requirements.in
sqlparse==0.4.0
# via
# -r requirements.in
# django
$ pip-compile --upgrade --upgrade-package 'sqlparse<=0.4.0'
asgiref==3.5.0
# via django
django==4.0.2
# via -r requirements.in
sqlparse==0.4.0
# via
# -r requirements.in
# django
$ rm requirements.txt
$ pip-compile --upgrade --upgrade-package 'sqlparse<=0.4.0'
asgiref==3.5.0
# via django
django==4.0.2
# via -r requirements.in
sqlparse==0.4.0
# via
# -r requirements.in
# django So
|
For what it's worth, I relied on the behavior requested here (upgrading specific packages not declared in reqs.in) for a while and didn't realize it was no longer available! Certainly a question is whether the complexity is worthwhile, but I found it really valuable to be able to easily upgrade a specific sub-dependency that had recently had a security fix release. Of course, that use case can be worked around by temporarily adding the sub-dependency to reqs.in and then removing it, but it would be nice to have that automated. I didn't want the particular package in reqs.in permanently - if the relevant direct dependency no longer needed it, I would want it to disappear from the output. |
I'm not saying things should be one way or another here, but want to mention a relevant alternative:
sqlparse<=0.4.0 # See https://...
django
-c security.txt |
Yep, definitely an option as well! |
So is there a good reason not to treat |
Oh right yes: because of the simple case of upgrading to the max. Never mind. |
I made #1578 to trial different handling of The result is good. If it's simple enough to do without creating a temp file, I'm interested in that. It also presents the possibility of including the |
I was going to say that this is definitely a reasonable solution, given your previous discussion about the issue -- happy to use Thanks very much for investigating this! |
I've added some tests to validate your changes, and opened a PR into your fork. Looks like your changes solve the problem, from the test output |
Yeah while I prefer to put these kinds of needs into files rather than use The behavior would be more predictable and I now think more correct. #1578 is up for review. |
Great, thanks for this! I agree, I think this becomes much more predictable. |
@jammie19 If I understand the question, then yes. Here's behavior on master, using the pip-tools repo itself as the setup.py package to test: $ pip-compile setup.py -U 2>&1 | grep tomli
tomli==2.0.1
$ pip-compile setup.py -U -P 'tomli<2.0.1' 2>&1 | grep tomli
tomli==2.0.1 And here's the result with #1578: $ pip-compile setup.py -U 2>&1 | grep tomli
tomli==2.0.1
$ pip-compile setup.py -U -P 'tomli<2.0.1' 2>&1 | grep tomli
tomli==2.0.0 EDIT: I didn't note before, but |
Thanks for clarifying, that looks great! |
I hope I'm not misreading this issue, but I believe I am experiencing a negative effect of the same (or similar) behavior described above. I'd really appreciate if you could confirm/correct my expectations in this situation. I'm also happy to open a separate issue if this isn't the right place for it. I have # test.in
azure-storage-blob
spacy~=3.2.0 I run the command:
Actual Output
Expected OutputFirst, I'm surprised that
Finally, I expected the |
@tboddyspargo The final point here, constraining The main issue you're facing, the inability to resolve |
@jammie19 - thank you very much for clarifying for me! I'm so grateful for everyone's time and expertise! |
The documentation states that the
--upgrade
and--upgrade-packages
can be used together, however the--upgrade-packages
flag is ignored when--upgrade
is supplied.Environment Versions
python 3.9.0
pip 21.3.1
pip-compile 6.4.0
Steps to replicate
Using different args to the documentation, as
requests
is not in thedjango
requirements, andrequests<=3.0.0
does not affect the "latest" release.Expected result
Actual result
sqlparse
is not restricted to<=0.4.0
. If I omit the--upgrade
flag, only supplying--upgrade-packages 'sqlparse<=0.4.0'
, I get the expected result (but my other packages are not upgraded to later versions). This also doesn't work if the argument issqlparse==0.4.0
.My current workaround is just to delete the requirements file(s) before running
pip-compile
, and omitting the--upgrade
flag so the existing files aren't used as a cache. I suspect either the--upgrade-packages
constraint logic is inside theif not upgrade...
conditional, or that--upgrade-packages
only extend, not constrain the complete set of packages.This feature should be permitted, or the documentation changed to avoid stating that this is possible
The text was updated successfully, but these errors were encountered: