-
Notifications
You must be signed in to change notification settings - Fork 642
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recent uv
dependency resolution installs older version of package
#3143
Comments
I'm a little bit mixed on this because the updated resolution is "equally" valid -- some packages resolved to newer versions, e.g., the newer resolution was able to upgrade to To ensure that you receive newer boto versions, I think you should be specifying lower bounds on them? |
I'll see if I can understand why the resolution changed. It may not actually be a bug though. |
I think that That said, this still feels like FWIW, though I don't see a hard requirement listed in the codebase, the version of botocore that gets picked up doesn't even list any non-EOL'd Python versions for support: https://github.com/boto/botocore/blob/1.10.84/setup.py#L72-L81 |
Yeah, I think the previous resolution was more "intuitive", I'm mostly just pointing out that they're both arguably "correct". (The new resolution would only be incorrect if it didn't contain any upgraded versions.) May be able to get back to that state, I have to play around with the heuristics. |
Sounds good. This may be some pathological case for the heuristics since the dependency tree for this application gets pretty gross. FWIW, switching to |
So I just ran |
Yep, sorry. Just added a |
I can not reproduce what you're seeing, I tried on Python 3.10, Linux, using that checkout, and trying to exclude anything newer than the last few hours:
Btw, pip's resolver also gets into these situations where it picks a much older version of a package the user would prefer not to have. |
Ok, now I was able to reproduce by passing |
(But on Python 3.11 I don't see the behavior even as of |
Ah, I can reproduce now, but on Python 3.8 (which going through the CI logs I notice). I'm going to try and see if I can figure out what pip does here. |
I think I know the cause, but not the details of why / how. pip has a better heuristic for "package depth", whereas we're preferring constrained packages over unconstrained packages regardless of the depth. |
btw, this sometimes helps pip resolution and sometimes hurts it, I don't have a good intuition or evidence if it is a net benefit. Though, it seems here it probably helps. |
## Summary pip prefers somewhat-constrained over unconstrained packages... but only if they're at equal depths in the tree. We don't have a way to track the latter property yet (I've added a TODO), so for now, we should remove this constraint -- it seems to be counter-productive. I've filed #3149 as a follow-up. Closes #3143 ## Test Plan - `git clone https://github.com/drivendataorg/zamba.git` - `cat "-e .[tests]" > req.in` - `cargo run venv && cargo run pip compile req.in --refresh -n --python-platform linux --python-version 3.8`
Our CI process that uses uv fails because dependency resolution now selects a much older version of
boto3
andbotocore
.Seems related to #3127, but it's still not doing the right thing in 0.1.34.
Repro:
Result:
Installs ancient versions of boto:
Expected:
Recent boto, e.g.,
boto3==1.34.84
andbotocore==1.34.84
. (This is what pip does).For completeness, here are the logs from our CI, which you can see in full here.
And here are the previous scheduled run we have with
uv==0.1.31
boto3 and botocore resolved to correct (recent) versions.The text was updated successfully, but these errors were encountered: