Potential dependency conflicts between geographica-longitude and aiohttp #67

Open
NeolithEra opened this issue May 14, 2020 · 2 comments


Hi, as shown in the following full dependency graph of geographica-longitude, geographica-longitude requires aiohttp >=3.5,<4.0, geographica-longitude requires aioauth-client >=0.16.2,<0.17.0 (aioauth-client 0.16.2 will be installed, i.e., the newest version satisfying the version constraint), and the direct dependency aioauth-client 0.16.2 transitively introduces aiohttp >=3.0.0.

Obviously, there are multiple version constraints set for aiohttp in this project. However, according to pip's “first found wins” installation strategy, aiohttp 3.6.2 (i.e., the newest version satisfying constraint >=3.5,<4.0) is the actually installed version.

Although the first found package version aiohttp 3.6.2 just satisfies the later dependency constraint (aiohttp >=3.0.0), this installed version is very close to the upper bound of the version constraint of aiohttp specified by aioauth-client 0.16.2.

Once aioauth-client upgrades, its newest version will be installed. Therefore, it will easily cause a dependency conflict (build failure) if the upgraded aioauth-client version introduces a higher version of aiohttp, violating its other version constraint >=3.5,<4.0.

According to the release history of aioauth-client, it habitually upgrades aiohttp in its recent releases. For instance, aioauth-client 0.9.1 upgraded aiohttp's constraint from * to ==1.1.6, aioauth-client 0.10.0 upgraded aiohttp's constraint from ==1.1.6 to >=1.1.6, and aioauth-client 0.11.0 upgraded aiohttp's constraint from >=1.1.6 to >=3.0.0.

As such, it is a warm warning of a potential dependency conflict issue for geographica-longitude.

Dependency tree

geographica-longitude - 0.9.7
| +- aioauth-client(install version:0.16.2 version range:>=0.16.2,<0.17.0)
| | +- aiohttp(install version:3.6.2 version range:>=3.0.0)
| +- aiohttp(install version:3.6.2 version range:>=3.5,<4.0)
| +- aredis(install version:1.1.8 version range:>=1.1,<2.0)
| | +- contextvars(install version:2.4 version range:*)
| +- asyncio(install version:3.4.3 version range:>=3.4,<4.0)
| +- carto(install version:1.11.1 version range:>=1.6,<2.0)
| +- cartoframes(install version:0.9.2 version range:>=0.9.0,<0.10.0)
| | +- appdirs(install version:1.4.3 version range:>=1.4.3)
| | +- carto(install version:1.11.1 version range:>=1.4.0)
| | +- pandas(install version:0.24.2 version range:>=0.20.1)
| | +- tqdm(install version:4.45.0 version range:>=4.14.0)
| | +- webcolors(install version:1.11.1 version range:>=1.7.0)
| +- environs(install version:5.2.1 version range:>=5.0,<6.0)
| | +- marshmallow(install version:3.5.1 version range:>=2.7.0)
| | +- python-dotenv(install version:0.12.0 version range:*)
| | | +- typing(install version:3.7.4.1 version range:*)
| +- geolibs-cartoasync(install version:0.0.4 version range:>=0.0.4,<0.0.5)
| | +- aiohttp(install version:3.6.2 version range:>=3.5,<4.0)
| +- pandas(install version:0.24.2 version range:>=0.24.1,<0.25.0)
| +- psycopg2-binary(install version:2.8.5 version range:>=2.8,<3.0)
| +- pyjwt(install version:1.7.1 version range:>=1.7,<2.0)
| +- redis(install version:3.4.1 version range:>=3.2,<4.0)

Thanks for your help.
Best,
Neolith

NeolithEra (Author) commented May 14, 2020

Suggested Solution

  1. Loosen the version range of aiohttp to be >=3.5.
  2. Remove your direct dependency aiohttp, and use the aiohttp transitively introduced by aioauth-client.
  3. Change your direct dependency aioauth-client to be <=0.16.2.

@juanrmn Which solution do you prefer, 1, 2 or 3?
Please let me know your choice. May I pull a request to solve this issue?

juanrmn (Member) commented May 15, 2020

Hi @NeolithEra,

I would say that option 3 is the most conservative, so I would choose that one right now. Thank you very much for your suggestions, and of course, you're free to pull a request for this 🙂

However, I would like to upgrade these dependencies soon. I'm pretty sure the code will work nicely with newer versions of both aiohttp and aioauth-client, but I need some time to test it well.

NeolithEra added a commit to NeolithEra/Longitude that referenced this issue Jun 14, 2020
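
An added example, not part of the original thread or the project's code: a standard-library Python model of the install order the issue describes, showing how an aioauth-client release that raises its aiohttp floor would conflict with the current pins, and how suggested options 1 and 3 avoid it. The release lists are constructed; aioauth-client 0.16.3 and aiohttp 4.0.0 are hypothetical releases, and the function names are illustrative.

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}

# Constructed sample index. aioauth-client 0.16.3 and aiohttp 4.0.0 are
# hypothetical future releases, invented here to trigger the conflict.
AIOHTTP_RELEASES = ["3.0.0", "3.5.4", "3.6.2", "4.0.0"]
AIOAUTH_RELEASES = {"0.16.2": ">=3.0.0", "0.16.3": ">=4.0"}  # version -> its aiohttp range


def parse(version):
    """'3.6.2' -> (3, 6, 2, 0); plain numeric release versions only."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def satisfies(version, spec):
    """True if version meets every clause of a range like '>=3.5,<4.0' ('*' = any)."""
    for clause in (c.strip() for c in spec.split(",")):
        if clause in ("", "*"):
            continue
        op, bound = re.fullmatch(r"(>=|<=|==|!=|>|<)\s*([\d.]+)", clause).groups()
        if not OPS[op](parse(version), parse(bound)):
            return False
    return True


def newest(releases, spec):
    """Newest release inside spec, or None when no release fits the range."""
    return max((v for v in releases if satisfies(v, spec)), key=parse, default=None)


def plan(aioauth_range, direct_aiohttp_range):
    """Model the install order described in the issue: the project's direct aiohttp
    range picks the version; aioauth-client's own range is only checked afterwards."""
    aioauth = newest(AIOAUTH_RELEASES, aioauth_range)
    aiohttp = newest(AIOHTTP_RELEASES, direct_aiohttp_range)
    transitive = AIOAUTH_RELEASES[aioauth]
    conflict = aiohttp is None or not satisfies(aiohttp, transitive)
    return {"aioauth-client": aioauth, "aiohttp": aiohttp, "conflict": conflict}


if __name__ == "__main__":
    print("current pins:", plan(">=0.16.2,<0.17.0", ">=3.5,<4.0"))
    print("option 1    :", plan(">=0.16.2,<0.17.0", ">=3.5"))
    print("option 3    :", plan("<=0.16.2", ">=3.5,<4.0"))
```

Option 2 from the thread (dropping the direct aiohttp dependency) is not modelled here.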