urllib3 v1.25 support #5067
Comments
Also note that a solution to the above reproduction example is: `pip3 install sentry-sdk google-cloud-storage 'urllib3<1.25'`
There’s already a PR in the works: https://github.com/kennethreitz/requests/pull/5063
We're listing dependencies alphabetically. This causes pip to resolve minio urllib3 dependency (which has an unspecified version) before requests (which pins it to below 1.25), causing a version mismatch. This is a workaround that should be removed once https://github.com/kennethreitz/requests/issues/5067 is resolved
@nateprewitt FYI 1.25.2 will be released very soon, I would recommend in addition to disallowing 1.25.0 also disallow 1.25.1?
Our CI pipeline starts to get an error
@rkooo567, have you tried running the CI with the additional requirement
@EpicWink Yes. And it seems like it resolves an issue. I also found out
urllib3 1.24.3 has been released which fixes only the CRLF injection issue for 1.24.X users.
Here's a possibly dumb question: why does requests restrict urllib3 to be < 1.25? Since many other pip dependencies are going to continue to increase their minimum allowed urllib3 version, it seems like this is going to guarantee two things:
Does urllib3 make breaking changes that often that we're worried about just trusting their versioning? Or is there another concern?
Based on the number of references to this issue in other projects’ trackers, I’m sure there are a lot of other project maintainers that would appreciate a resolution to this sooner rather than later… :) (Pointing it out since issue references don’t trigger e‐mail notifications.)
+1 because it aggravates problems caused by Pip's lack of a dependency resolver in some cases: pradyunsg/zazo#14
If you think that's fun, look at all the things that use requests and can't update urllib3. (we do some manual checking)
The following are held back for the reasons noted below: -grpcio===1.20.1 +grpcio===1.15.0 tooz has a cap that needs to be removed (most likely) -SQLAlchemy===1.3.3 +SQLAlchemy===1.2.18 general breakage in tempest-full https://review.opendev.org/651591 -urllib3===1.25.2 +urllib3===1.24.3 requests has a cap, they don't seem to care https://github.com/kennethreitz/requests/issues/5067 -tornado===5.1.1;python_version=='2.7' +tornado===4.5.3;python_version=='2.7' we generate the wrong version for py27 -kubernetes===9.0.0 +kubernetes===8.0.1 openshift has a hard lock on ~8 -jsonschema===3.0.1 +jsonschema===2.6.0 caps in the following, all are openstack, so we just need to make sure they have been uncapped and schedule releases python-ironiclient tempest taskflow python-zaqarclient warlock python-solumclient glance-store python-designateclient os-net-config Change-Id: I48a34d95e6b831c557ed3bb4bab00e6af3d74dbc
* Update requirements from branch 'master' - Updated from generate-constraints The following are held back for the reasons noted below: -grpcio===1.20.1 +grpcio===1.15.0 tooz has a cap that needs to be removed (most likely) -SQLAlchemy===1.3.3 +SQLAlchemy===1.2.18 general breakage in tempest-full https://review.opendev.org/651591 -urllib3===1.25.2 +urllib3===1.24.3 requests has a cap, they don't seem to care https://github.com/kennethreitz/requests/issues/5067 -tornado===5.1.1;python_version=='2.7' +tornado===4.5.3;python_version=='2.7' we generate the wrong version for py27 -kubernetes===9.0.0 +kubernetes===8.0.1 openshift has a hard lock on ~8 -jsonschema===3.0.1 +jsonschema===2.6.0 caps in the following, all are openstack, so we just need to make sure they have been uncapped and schedule releases python-ironiclient tempest taskflow python-zaqarclient warlock python-solumclient glance-store python-designateclient os-net-config Change-Id: I48a34d95e6b831c557ed3bb4bab00e6af3d74dbc
* Add requests requirement to bypass a bug with old version and urllib3 >= 1.25; (see https://github.com/kennethreitz/requests/issues/5067) * Remove pip 18 requirement, there is no more issue here.
* Add requests requirement to bypass a bug with old version and urllib3 >= 1.25; (see https://github.com/kennethreitz/requests/issues/5067) * Use a development branch of PyInstaller to bypass a venv bug; (see pyinstaller/pyinstaller#3942) * Remove pip 18 requirement, there is no more issue here.
* Add requests requirement to bypass a bug with old version and urllib3 >= 1.25; (see https://github.com/kennethreitz/requests/issues/5067) * Use a development branch of PyInstaller to bypass a venv bug; (see pyinstaller/pyinstaller#3942) * Remove pip 18 requirement, there is no more issue here. I needed to fix fix_app_qt_folder_names_for_codesign.py as it was yielding files and folders in a random manner and was trying to fix non-DLL files.
* Add requests requirement to bypass a bug with old version and urllib3 >= 1.25; (see https://github.com/kennethreitz/requests/issues/5067) * Use a development branch of PyInstaller to bypass a venv bug; (see pyinstaller/pyinstaller#3942) * Remove setuptools and pip 18 requirement, there is no more issue here. * Fixed fix_app_qt_folder_names_for_codesign.py as it was yielding files and folders in a random manner and was trying to fix non-DLL files.
Support for `urllib3` v1.25 (released today/yesterday). The usual yada-yada "my CI is broken".

Multiple packages that we depend on (eg `google.cloud.storage`, `azure.storage`) have strict version-check on `requests` using `pkg_resources.require('requests >= 2.18.0')`. Any unmet dependencies in the chain below and including `requests` will cause the check to fail and raise an exception. `urllib3<1.25` is currently one such dependency.

Expected Result
No exception raised on import
Actual Result
Reproduction Steps
System Information
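
The failure described in the issue, as an added example that is not part of the original thread or of requests: a simplified, stdlib-only model of a transitive requirement check like the one `pkg_resources.require` performs. The `INSTALLED` table and the google-cloud-storage and requests version numbers are constructed sample data; the `requests >= 2.18.0` and `urllib3<1.25` specifiers are the ones quoted above.

```python
import re

# Constructed sample environment (not read from a real machine):
# name -> (installed version, declared requirements)
INSTALLED = {
    "google-cloud-storage": ("1.15.0", ["requests>=2.18.0"]),
    "requests": ("2.21.0", ["urllib3<1.25"]),
    "urllib3": ("1.25", []),
}

OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """Turn '1.24.3' into (1, 24, 3); trailing zeros dropped so 1.25 == 1.25.0."""
    parts = [int(part) for part in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(text):
    """Split 'urllib3>=1.21.1,<1.25' into a name and (op, version) clauses."""
    match = re.match(r"\s*([A-Za-z0-9._-]+)\s*(.*)$", text)
    clauses = re.findall(r"(<=|>=|==|!=|<|>)\s*([0-9.]+)", match.group(2))
    return match.group(1).lower(), [(op, parse_version(v)) for op, v in clauses]


def check(requirement, installed=INSTALLED, path=()):
    """Return conflicts for a requirement and for every dependency below it."""
    name, clauses = parse_requirement(requirement)
    if any(parse_requirement(seen)[0] == name for seen in path):
        return []  # dependency cycle: already checked higher up the chain
    path = path + (requirement,)
    if name not in installed:
        return [(" -> ".join(path), f"{name} not installed")]
    version, depends = installed[name]
    problems = []
    if any(not OPS[op](parse_version(version), want) for op, want in clauses):
        problems.append((" -> ".join(path), f"{name} {version} installed"))
    for dep in depends:
        problems.extend(check(dep, installed, path))
    return problems
```

With the sample table, `check("requests >= 2.18.0")` reports the conflict on the `urllib3<1.25` link even though requests itself satisfies the caller's specifier; replacing the urllib3 entry with 1.24.3 returns an empty list.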