Description
Hi, as shown in the following full dependency graph of erpbrasil-assinatura, erpbrasil-assinatura requires pyopenssl ==18.0.0, erpbrasil-assinatura requires signxml * (signxml 2.7.2 will be installed, i.e., the newest version satisfying the version constraint), and the direct dependency signxml 2.7.2 transitively introduces pyopenssl <20,>=17.5.0.
Obviously, there are multiple version constraints set for pyopenssl in this project. However, according to pip's “first found wins” installation strategy, pyopenssl 1.18.0 (i.e., the newest version satisfying constraint ==1.18.0) is the actually installed version.
Although the first found package version pyopenssl 1.18.0 just satisfies the later dependency constraint (pyopenssl <20,>=17.5.0), this installed version is very close to the upper bound of the version constraint of pyopenssl specified by signxml 2.7.2.
Once signxml upgrades, its newest version will be installed, as erpbrasil-assinatura does not specify an upper bound on the version constraint for signxml. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded signxml version introduces a higher version of pyopenssl, violating its other version constraint ==18.0.0.
According to the release history of signxml, it habitually upgrades pyopenssl in its recent releases. For instance, signxml 2.2.4 upgraded pyopenssl's constraint from >= 16.0.0, < 17 to >= 0.15.1, < 17, signxml 2.6.0 upgraded pyopenssl's constraint from >= 0.15.1, < 17 to >= 17.5.0, < 19, and signxml 2.7.0 upgraded pyopenssl's constraint from >= 17.5.0, < 19 to >= 17.5.0, < 20.
As such, it is a warm warning of a potential dependency conflict issue for erpbrasil-assinatura.
Dependency tree
erpbrasil-assinatura - 0.4.2
| +- chardet(install version:3.0.4 version range:*)
| +- cryptography(install version:2.9 version range:*)
| | +- cffi(install version:1.14.0 version range:>=1.8)
| | +- six (install version:1.14.0 version range:>=1.4.1)
| +- endesive(install version:1.4.5 version range:*)
| | +- asn1crypto(install version:1.3.0 version range:*)
| | +- cryptography(install version:2.9 version range:*)
| | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | +- six (install version:1.14.0 version range:>=1.4.1)
| | +- lxml(install version:4.5.0 version range:*)
| | +- oscrypto(install version:1.2.0 version range:*)
| | | +- asn1crypto(install version:1.3.0 version range:>=1.0.0)
| | +- paramiko(install version:2.7.1 version range:*)
| | | +- bcrypt(install version:3.1.7 version range:>=3.1.3)
| | | +- cryptography(install version:2.9 version range:>=2.5)
| | | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | | +- six (install version:1.14.0 version range:>=1.4.1)
| | | +- pynacl(install version:1.3.0 version range:>=1.0.1)
| | | | +- six(install version:1.14.0 version range:*)
| | +- pdfminer.six(install version:20200402 version range:*)
| | +- pdf_annotate(install version: version range:*)
| | +- pykcs11(install version:1.5.7 version range:*)
| | +- pyopenssl(install version:18.0.0 version range:*)
| | | +- cryptography(install version:2.9 version range:>=2.2.1)
| | | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | | +- six (install version:1.14.0 version range:>=1.4.1)
| | | +- six(install version:1.14.0 version range:>=1.5.2)
| | +- pytz(install version:2019.3 version range:*)
| | +- requests(install version:2.23.0 version range:*)
| | | +- certifi(install version:2020.4.5.1 version range:>=2017.4.17)
| | | +- chardet(install version:3.0.4 version range:>=3.0.2,<4)
| | | +- idna(install version:2.9 version range:>=2.5,<3)
| | | +- urllib3(install version:1.25.9 version range:>=1.21.1,<1.26)
| +- pyopenssl(install version:18.0.0 version range:==18.0.0)
| | +- cryptography(install version:2.9 version range:>=2.2.1)
| | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | +- six (install version:1.14.0 version range:>=1.4.1)
| | +- six(install version:1.14.0 version range:>=1.5.2)
| +- pytz(install version:2019.3 version range:*)
| +- signxml(install version:2.7.2 version range:*)
| | +- asn1crypto(install version:1.3.0 version range:>=0.24.0)
| | +- certifi(install version:2020.4.5.1 version range:>=2018.1.18)
| | +- cryptography(install version:2.9 version range:<3,>=2.1.4)
| | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | +- six (install version:1.14.0 version range:>=1.4.1)
| | +- eight(install version: version range:>=0.4.2,<2)
| | +- lxml(install version:4.5.0 version range:<5,>=4.2.1)
| | +- pyopenssl(install version:18.0.0 version range:<20,>=17.5.0)
| | | +- cryptography(install version:2.9 version range:>=2.2.1)
| | | | +- cffi(install version:1.14.0 version range:>=1.8)
| | | | +- six (install version:1.14.0 version range:>=1.4.1)
| | | +- six(install version:1.14.0 version range:>=1.5.2)
| +- tzlocal(install version:2.1b1 version range:*)
Thanks for your help.
Best,
Neolith
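
The check described in this issue, as an added example that is not code from the issue author or from erpbrasil-assinatura: it tests the exact pin `18.0.0` against the pyopenssl ranges quoted above for signxml 2.6.0 and 2.7.0. The third range is a constructed, hypothetical future constraint, and the small specifier parser is an assumption that handles only plain numeric versions.

```python
# Added illustration: minimal checker for the specifier forms quoted in the issue.
import re

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(text):
    """Turn '18.0.0' into (18, 0, 0); only plain numeric releases are handled."""
    return tuple(int(part) for part in text.strip().split("."))

def _pad(a, b):
    """Pad the shorter tuple with zeros so '19' compares like '19.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version, spec):
    """True if version meets every clause of a spec such as '<20,>=17.5.0'."""
    if spec.strip() in ("", "*"):
        return True
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        left, right = _pad(parse_version(version), parse_version(m.group(2)))
        if not _OPS[m.group(1)](left, right):
            return False
    return True

def conflicts(pin, constraints):
    """Return the requirers whose range rejects the pinned version."""
    return [who for who, spec in constraints.items() if not satisfies(pin, spec)]

# Ranges quoted in the issue, plus one constructed future range (hypothetical).
SIGNXML_HISTORY = {
    "signxml 2.6.0": ">=17.5.0,<19",
    "signxml 2.7.0": ">=17.5.0,<20",
    "signxml (hypothetical future release)": ">=19.0.0,<21",
}

if __name__ == "__main__":
    print(conflicts("18.0.0", SIGNXML_HISTORY))
```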