Hello,
I’d like to illustrate the problem using the `grpcio` and `grpcio_tools` packages: both are currently at version v1.49.0 and both live in the same GitHub repo, in subfolders `src/python/grpcio/` and `tools/distrib/python/grpcio_tools/`, respectively. Together with other packages and other languages, their versions bump in lock-step when released.
When I use both packages in a project then I can’t pin them because other package dependencies would conflict with that pin, and `pip` would be unable to resolve the conflict. So I end up with dependency declarations like

```toml
dependencies = [
    "grpcio >=1.46.0,<2.0.0",
    "grpcio-tools >=1.46.0,<2.0.0",
]
```
And that’s where things get a little iffy: it may happen due to dependencies declared in other packages that the two packages install in different versions. If the packages use semantic versioning correctly then all may be well, as is the case with `grpcio-tools` and its dependency on `grpcio` (code) — still there is a good chance that the two packages install at different versions.*
Packages whose type stubs ship as a third-party package are other examples of the problem.
I wonder if it would make sense to express a “package reference” as a version specifier (expanding on PEP 440), for example:

```toml
dependencies = [
    "grpcio >=1.46.0,<2.0.0",
    "grpcio-tools @=grpcio",
]
```

meaning that both packages have the same version range but eventually are expected to resolve to the same installed version within that range. If the target package of a `@=` isn’t specified then that’d be an error; if the target package pins then that same pinned version would apply.
Considering that `@` is already used for direct file references, using `@=` may be confusing or ambiguous.
I’m curious what people make of this
Jens
—————
* Other packages, however, are out of lockstep completely as is the case with `googleapi-common-protos` at v1.56.4 and its third-party, unmaintained stubs package at v2.0.0. Likewise, the `protobufs` package at v4.21.6 (for Python) and stubs in typeshed at v3.20. Ideally, I think, they ought to release at the same versions but that’s a different issue altogether.