I’d like to illustrate the problem using the grpcio and grpcio_tools packages: both are currently at version v1.49.0 and both live in the same GitHub repo, in subfolders src/python/grpcio/ and tools/distrib/python/grpcio_tools/, respectively. Together with other packages and other languages, their versions bump in lock-step when released.
When I use both packages in a project then I can’t pin them because other package dependencies would conflict with that pin, and pip would be unable to resolve the conflict. So I end up with dependency declarations like:

    dependencies = [
        "grpcio >=1.46.0,<2.0.0",
        "grpcio-tools >=1.46.0,<2.0.0",
    ]

And that’s where things get a little iffy: it may happen due to dependencies declared in other packages that the two packages install in different versions. If the packages use semantic versioning correctly then all may be well, as is the case with grpcio-tools and its dependency on grpcio (code) — still there is a good chance that the two packages install at different versions.*
Packages whose type stubs ship as a third-party package are other examples of the problem.
I wonder if it would make sense to express a “package reference” as a version specifier (expanding on PEP 440), for example:

    dependencies = [
        "grpcio >=1.46.0,<2.0.0",
        "grpcio-tools @=grpcio",
    ]

meaning that both packages have the same version range but eventually are expected to resolve to the same installed version within that range. If the target package of a @= isn’t specified then that’d be an error; if the target package pins then that same pinned version would apply.
@ is already used for direct file references; using @= may be confusing or ambiguous.
I’m curious what people make of this.
* Other packages, however, are out of lockstep completely as is the case with googleapis-common-protos at v1.56.4 and its third-party, unmaintained stubs package at v2.0.0. Likewise, the protobufs package at v4.21.6 (for Python) and stubs in typeshed at v3.20. Ideally, I think, they ought to release at the same versions but that’s a different issue altogether.
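
Until a resolver understands a reference like @=, the lockstep expectation described in the post can be verified after installation. The following is an added example, not part of the original post or of pip or any packaging tool: the @= syntax is the post's hypothetical proposal, and the function names and the sample environment are constructed for illustration.

```python
import re
from importlib import metadata

_NAME = r"[A-Za-z0-9][A-Za-z0-9._-]*"
_REF = re.compile(rf"^\s*({_NAME})\s*@=\s*({_NAME})\s*$")  # hypothetical "pkg @=target"
_PLAIN = re.compile(rf"^\s*({_NAME})")                      # ordinary requirement

def canon(name):
    """Normalize a project name as PEP 503 does (grpcio_tools -> grpcio-tools)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_references(dependencies):
    """Return {package: target} for each '@=' entry; reject undeclared targets."""
    declared, refs = set(), {}
    for dep in dependencies:
        ref = _REF.match(dep)
        if ref:
            refs[canon(ref.group(1))] = canon(ref.group(2))
        else:
            declared.add(canon(_PLAIN.match(dep).group(1)))
    for pkg, target in refs.items():
        # The post treats a reference to an unspecified target as an error.
        if target not in declared:
            raise ValueError(f"{pkg} references {target}, which is not declared")
    return refs

def installed_version(name):
    """Version of an installed distribution, or None if it is absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None

def lockstep_mismatches(dependencies, lookup=installed_version):
    """List (package, version, target, target_version) where the two differ.

    Versions are compared as strings, assuming both come from the same
    release process and are therefore spelled identically.
    """
    mismatches = []
    for pkg, target in parse_references(dependencies).items():
        have, want = lookup(pkg), lookup(target)
        if have != want:
            mismatches.append((pkg, have, target, want))
    return mismatches

# Constructed sample: the post's declaration and an environment that drifted.
DEPS = ["grpcio >=1.46.0,<2.0.0", "grpcio-tools @=grpcio"]
SAMPLE_ENV = {"grpcio": "1.49.0", "grpcio-tools": "1.48.2"}
```

Calling lockstep_mismatches(DEPS) with no lookup argument checks the packages actually installed in the current environment; a non-empty result in CI flags the drift the post describes.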