-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to override/ignore sub-dependencies #697
Comments
+1 |
@sdispater You must be super busy, but what are your initial thoughts on this? |
I don't think this is desirable. This would require a lot of work and add complexity to the resolver - which is already complex due to the Python specific ecosystem - because of some packages specifying their dependencies poorly. I don't want Poetry to have to make up for a lack of proper tools or proper specifications, there is already a lot of work to be done as it is. This is the job of each package's maintainers to ensure their dependencies are correct and loose enough to not create conflict. If we ever want to have an ecosystem similar to what other languages already have, we have to draw the line somewhere and enforce everyone to contribute to the common goal. Poetry helps with that by making it easier to build and manages Python projects. |
@sdispater While you are completely correct in principle, in reality there are cases where not being able to perform overrides means being completely unable to install some packages, specially when multiple projects specify conflicting version constraints. Waiting for the whole ecosystem to improve will take years, and in the meanwhile Poetry is unusable in some cases, which is a shame considering it brings lots of improvements in other areas. As a practical example, Even other package managers that work with more "well-behaved" ecosystems allow overrides e.g. Maven, SBT and others in Java world. |
Would also like to have this option, especially as of now there are packages cannot be installed because poetry fails to parse their |
Uncompromising claim is good to formalize the package versioning. But the conflicts are existing for sure. And packages are ofter more useful than it claims. I think it's good to have a export option to write those conflicts in a So the work flow will be like:
This can be a plug-in if necessary. Maybe related to #558 #663 & #955. |
I've ran into exactly the same issue as @danielkza. But I don't think we need to make it that complicated, if you could just tell poetry to completely ignore the dependencies specified by a package then you can always just specify your own. Also at the moment, it can take a really long time for poetry install to try every combination of dependencies, there must be a better way than iterating down the version numbers? |
I am sympathetic to the points about having some way to override or accelerate or skip resolution on an opt-in basis, but also always want to avoid making compromises to the "real, thorough" way of doing a task like this for the sake of proactively optimizing some efficient way... Explicit control seems best... So you can do real/thorough at maintenance times, in master CI/CD or base docker/VM image baking, etc etc, then more efficient when there has not been a change in the reqs. (And that 'has there been a change?' part is well-solved by things like git-checks and/or docker image caching, and I do think it's best to keep that burden on those tools, and really avoid complicating concepts of cache,state, or history in Poetry itself.) I like @drunkwcodes 's workflow suggestion, and agree that #558 seems related. It really seems there is another subcommand or workflow waiting to be fleshed out... As @drunkwcodes says maybe it could be a plugin. Personally I am fine "dropping down" to pip for these cases, and then continuing to rely on Poetry as the "master" and what I rely on for longevity and maintenance. |
brainstorming what this new subcommand or plugin may look likeThis more-locked installation should probably be tied in with wheels (re: #558). It may even directly involve using two related/compatible use-cases(a) poetry -> reqs, per @drunkwcodes example, and helps address #697poetry export --ignore-conflicts
# [as needed] "Resolve conflicts in requirements.txt" - manually, or interactive prompt option?
pip install -r requirements.txt (b) reqs -> wheels -> install-with-pip... installing with pip doesn't necessarily conflict with Poetry, you can do the pip-install-from-wheels / with-whatever-options, then call ... seems to help address #558, and by directly exposing pip may make sense for cases like #1012 poetry export --ignore-conflicts
# [as needed] "Resolve conflicts in requirements.txt" - manually, or interactive prompt option?
pip wheel -r requirements.txt # assumption: you've set PIP_WHEEL_DIR
pip install --find-links "file://$PIP_WHEEL_DIR" -r requirements.txt imagining new options to bring things togetherimplicit in example below: intermediate idea 1pip wheel -r <( poetry export --ignore-conflicts --output - ) # pip respects PIP_WHEEL_DIR or --wheel-dir, see pip docs
poetry install --find-links="file://$PIP_WHEEL_DIR" # ..? does it need reqs again? intermediate idea 2 - seems clean to me, but could be disagreeable to somepoetry export --ignore-conflicts --fetch-wheels --wheel-output=./wheelhouse --output=poetry.wheelhouse.lock
poetry install --find-links=./wheelhouse --extra-lock=./poetry.wheelhouse.lock the idea in that second one being, in the event of a conflict, poetry would fall back to the intermediate idea 3 - does require one
|
I think the command can even be renamed to
P.S Reply to interactive mode:
Spawn a process to open text editor like vi[m], emacs, nano etc. right after file generation sounds adequate. |
That sounds really great. Less steps the better and your suggestion coheres very well with the existing functionality and the intentions we are discussing. |
So the use cases we've been running into with proper dependency resolution: packages we get value out of that have low activity or are unmaintained that happen to work with newer versions of dependencies. This is much worse than in Rust because Rust supports multiple versions of a dependency existing in your dependency graph. Here, we need one compatible version through the entire graph. The proposed solution for this seems to rely on manually resolving the conflcit on every upgrade. This seems tedious for a process ( |
Strict dependency resolution reveals a lot of issues with a lot of packages in Python ecosystem. There should be a least a way to handle dependencies by yourself without the need to contact with package maintainer, wait for patches etc. I am agree with @epage that there should be a way to override dependency-graph |
This makes This problem exists with other package managers, and has been solved before. It's also worth noting that
I totally agree that My vote is to keep the implementation as simple as possible, and to make the user responsible for managing the risk of ignoring conflicts. After all, it would be opt-in behavior. I propose making this a flag on |
Unfortunately this continues to be an enormous issue that prevents using Of course there won't be any solution overnight, but it would be great to get an updated opinion on this subject from @sdispater or another maintainer/triager (@stephsamson?). |
Any update on this? I think this thread makes it clear that being able to ignore conflicts on an opt-in basis is necessary to make Poetry usable as a dependency manager for a wide range of projects. I just want to reiterate that It's obviously outside the purview of Poetry to make sure that the dependency requirements of every Python package ever made are defined correctly. How difficult would it be to implement this as proposed above, so that it works like |
@kylebebak I understand the points made here but like I said before this is not a trivial change and would require a lot of work on the dependency resolution front that I am not willing to do. If someone want to step in and implement it in an intuitive manner I will gladly take a look at it. But this leaves a lot of uncertainties, let's take an example:
Now, you might introduce bugs in the behavior of That being said, if someone find a good solution to this problem and implement it, I'd gladly review it. |
When he created this issue, @zehauser mentioned a reason that provides a very good justification for this feature:
Imagine you depend on Because A has specified an excessively narrow version range for B, you now can't ever upgrade B's version if you use Poetry, even though newer versions of B work just fine with A. Your only option is to ask A's maintainer to broaden the version range. Maybe he'll do this in a week, maybe he'll do it in a month, and maybe he'll do it never... |
This has also prevented me from using poetry for projects. I think part of the tension here is between the differing needs of applications vs libraries. For libraries, allowing conflicting dependencies would be bad. For applications, its sometimes necessary to use libraries that claim to be conflicting because you have to get stuff done and cant wait on a maintainer to update their library. Perhaps any solution we come up with should allow overriding conflicts for features used by apps ( |
I think the bottom line is if your application doesn't directly use library C but A and B use conflicting versions then poetry should fail the install. But if through testing you discover that the limited usage of C by A and B turns out to only use portions that were non breaking changes then you should be allowed to set the version of C that makes sense in your application. The expectation of a dep manager isn't an enforcement tool, it's a convenience tool for efficiently installing all my indirect dependencies such that it won't cause conflicts. Poetry does a great job of this. The only thing missing is the ability for the dev to say I know better for this edge case so actually install this version instead, I'll assume all risk in my decision. With that said, it sounds like this is a hard change so can we start talking about ways we could solve this now instead of whether we should? |
This also would help to resolve issues like #1330 by manually adding I have been using poetry for over a year now, but this situation is very disappointing. |
* setup.py: Support jsonschema >= 3.0.0 Other projects have started using jsonschema >= 3.0.0, and modern python packaging tools such as poetry now fail to install projects using both connexion and a different dependency if they depend on different versions of jsonschema. Allow jsonschema versions >= 3.0.0 to avoid this problem. See: python-poetry/poetry#697 * Avoid warning when using jsonschema >= 3.0 jsonschema 3.0.0 changed the API to deprecate the types parameter of the jsonschema.IValidator constructor and now raises a warning when using it. Avoid the warning by checking the jsonschema version and switching to the new way to implement this when it is >= 3.0. Note that while jsonschema 2.x did have jsonschema.validators.extend, it did not support the type_checker argument, so the same code cannot be used with jsonschema 2.x.
+1 |
Stumbled into the problem that poetry also takes sub-dependencies into account that are in a Not sure at which places that is useful, but as far as I understand it, dependencies such as In my case
which is derived by poetry from bleach from the following
In my
Where do you see the problem? Or am I misunderstanding something? Using the deprecated |
There's a couple things going on here:
For reference, here is
@q-wertz, I suggest that any subsequent discussion occur somewhere else, as you are either encountering usage or documentation issues, or a weird and nasty bug. In any case, this is an illustration of this proposed feature often being a footgun; your instinct to try and solve it with this extremely sharp-edged and brittle (proposed) tool is exactly why no core maintainer has been interested in exploring this feature themselves; it screams persistent headache for end users and Poetry developers alike. |
Thank you for the extensive explanation and help. You are probably right with your assumption there might be an issue on my side. I now refactored the Gave me (minor) headaches for a few days 😅 |
Sorry for the noise; I am updating the issue labels/status to be more accurate. |
if anyone gets here, here's how you solve it.... fork the offending 10 levels upstream repo, relax constraints as needed, then use the forked repo instead, submitting a PR if appropriate. |
@earonesty Yes, making poetry not suitable for large dependencies and long term projects |
I just discovered that if you have sub package in your project with another pyproject.toml and you run |
Is there any resolution to this issue? This is causing issues with pydantic |
As a point of reference, |
Not only https://github.com/astral-sh/uv?tab=readme-ov-file#dependency-overrides |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
(However, it is related to #436).
Issue
In the dark, old world of Python packaging, sub-dependencies are handled very poorly. If I recall correctly,
pip
will happily install a sub-dependency despite conflicting versions being specified by two direct dependencies... in fact I think which version it ends up installing depends on the order inrequirements.txt
. Yuck! Only very recently has it even started issuing a warning for cases like this.In contrast,
poetry
does this right. It computes the entire dependency tree and will complain if there are conflicts anywhere in the tree.But... many packages out there are not specifying their dependencies properly. Even if they are, there's always the possibility that their specified dependencies are a tighter range than they strictly need to be.
Is there a way to tell Poetry to force a specific version (or version) range of a dependency in cases like this — or in other words, to ignore a dependency specification of another dependency somewhere in the tree? If not, should there be?
The text was updated successfully, but these errors were encountered: