-
-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The latest version of requests (2.29.0) does not support urllib3 2.0.0 #6432
Comments
@nateprewitt I would like to note that if requests blocks urllib3 2.0.0 and everyone has requests installed for something, most people will not be able to get any new data about urllib3 2.0.0 in practice because it just cannot be installed. Is that picture missing something? |
Many, if not most, projects pull urllib3 into their closure through another dependency. Pinning transitive dependencies, while good practice through something like a lockfile, is not widely observed. We have a decade of issues on this project as empirical data on that. Often times, users aren't even aware they're using Requests, let alone urllib3. Those are the cases where this can go wrong very easily. We'll likely move the pin within the next week, but pushing a major version update out isn't something we'll do lightly. Giving urllib3 the opportunity release before we pull everyone else in is the safest approach and least amount of pain for operation teams. |
Hi @nateprewitt, thanks for your reply, I appreciate it! 👍
What I'm reading here is that you are concerned about users that (1) do not use urllib3 directly and (2) use urllib3 indirectly and (3) have urllib3 pulled in without a semver guard like "<2" and (4) the code using urllib3 would break with urllib3 2.0.0. Could you name example tickets where I could have a closer look at reports like that? Thanks! |
This is something that shouldn't be upgraded in a minor version of requests, because it causes breaking changes. For example, we saw our elasticsearch client pull in the 2.0.0 version of urllib3 and it caused this failure on our machine. To resolve, we're adding a constraints.txt file, but not something that should be included in a minor release of requests.
|
Landon, that's ultimately a decision for users of Requests to decide. We're doing a very temporary overlap of this pin during launch to prevent legitimate bugs being pushed to millions of software environments. We have no intention to release a new major version of Requests. Urllib3 2.0 was painstakingly made largely backwards compatible. We'll provide a prominent notice that we now support this version in the next minor release, and users are free to pin to older versions as needed. |
To make what @nateprewitt already eloquently stated a bit more explicit: We will not be requiring urllib3 2.0, we will be adding support for it by raising the version constraint and ensuring requests works correctly with that version. If you cannot use 2.0 you can continue to prevent it from being installed and we won't break of you use 1.26.x |
The same thing happened to us for ansible. |
Given the edge cases remaining have been thoroughly documented in the urllib3 2.0 migration guide and we haven't heard any noise here in a couple months I'm going to close and lock this thread with final steps for anyone reading this.
|
The latest version of
requests
(2.29.0
) does not supporturllib3
2.0.0
urllib3
2.0.0
was just released: https://github.com/urllib3/urllib3/releases/tag/2.0.0But currently
requests
2.29.0
has a range bound on it:<1.27 and >=1.21.1
forurllib3
.If you try to install a package that has
urllib3==2.0.0
as a dependency (while using the latest version ofrequests
), there will be errors:Expecting
requests
to support the latest version ofurllib3
.(For Python 3.7 or newer)
The text was updated successfully, but these errors were encountered: