Minimum-Supported-Version (MSV) strategy for dependency version

Motivation

Using the >= specifier when adding a dependency is the most common approach in standardized Python package management.

When a dependency releases a version that is incompatible with our package, it is recommended that our package release a patch version with the incompatible version(s) of the dependency pinned (e.g. using <).

When that dependency resolves the incompatibility in later versions, what we do is keep the incompatible versions pinned with new specifiers (e.g. using ! and *).

We keep this incompatibility pinning until our minimum needed version exceeds them.

Is there any way to pin versions without learning complex version specifiers and without too much maintenance cost?

Minimum Supported Version (MSV) with Conflict strategy.

In this strategy we put the minimum tested-and-working version of the dependency, with optional conflicting versions that may occur in the middle of the dependency’s release history:

[project]
dependencies = [
    "dependency MSV [CONFLICT]"
]

(Syntax should be more discussed)

MSV only accepts version schemes (specifiers not acceptable!)
CONFLICT (optional) accepts version schemes with limited comma-separated specifiers (“>= <= > <”)

NOTE: When a bracket is found, the legacy strategy should be omitted, so syntax wider than the above is not acceptable!

Examples

Empty conflicts mean all versions greater than or equal to “2.0.0” are intended to work:

[project]
dependencies = [
    "mypkg 2.0.0 [ ]"
]

Since MSV doesn’t accept any specifier, you can omit the bracket (same behavior as above):

[project]
dependencies = [
    "mypkg 2.0.0"
]

Versions specified in the bracket are intended to NOT be acceptable by our package:

[project]
dependencies = [
    "mypkg 2.0.0 [ >=2.3.4, <2.5.0 ]"
]

Show the differences

Assume mypkg release history is:

"2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.3.1", "2.3.2", "2.3.3",
"2.3.4", "2.3.5", "2.3.6", "2.3.7", "2.4.0", "2.4.1", "2.4.2",
"2.4.3", "2.5.0", "2.6.0", "2.7.0", "3.0.0", "4.0.0", "5.0.0"

And the incompatibility started at “2.3.4” and resolved at “2.5.0”.

[project]
dependencies = [
    "mypkg >=2.0.0, !=2.3.4, !=2.3.5, !=2.3.6, !=2.3.7, !=2.4.*"
]

  • Incorrect to use: (it also excludes 2.3.0 through 2.3.3, which are compatible!)

[project]
dependencies = [
    "mypkg >=2.0.0, !=2.3.*, !=2.4.*"
]

  • With MSV:

[project]
dependencies = [
    "mypkg 2.0.0 [ >=2.3.4, <2.5.0 ]"
]

(MSV’s conflict-only specifiers, being fewer in count, give a better final visualization.)
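
The comparison in the post above, as an added example that is not part of the original post or of any packaging tool: a small evaluator for the proposed `name MSV [CONFLICT]` form, run against the post's release history next to the two legacy specifier strings. The function names are hypothetical, versions are assumed to be purely numeric, and the comma-separated CONFLICT clauses are assumed to be ANDed into a single excluded range.

```python
import operator
import re

# Release history copied from the post above.
HISTORY = ["2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.3.1", "2.3.2", "2.3.3",
           "2.3.4", "2.3.5", "2.3.6", "2.3.7", "2.4.0", "2.4.1", "2.4.2",
           "2.4.3", "2.5.0", "2.6.0", "2.7.0", "3.0.0", "4.0.0", "5.0.0"]
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
VER = r"\d+(?:\.\d+)*"

def vt(version):
    """Numeric dotted versions only (assumption; no pre/post releases)."""
    return tuple(int(p) for p in version.split("."))

def parse_msv(req):
    """Parse 'name MSV [CONFLICT]' into (name, msv, [(op, bound), ...])."""
    m = re.fullmatch(rf"\s*([\w.-]+)\s+({VER})\s*(?:\[(.*)\])?\s*", req)
    if not m:
        raise ValueError(f"not an MSV requirement: {req!r}")
    clauses = []
    for part in filter(None, (p.strip() for p in (m.group(3) or "").split(","))):
        cm = re.fullmatch(rf"(>=|<=|>|<)\s*({VER})", part)
        if not cm:  # the proposal allows only >= <= > < inside the bracket
            raise ValueError(f"specifier not allowed in CONFLICT: {part!r}")
        clauses.append((cm.group(1), vt(cm.group(2))))
    return m.group(1), vt(m.group(2)), clauses

def msv_allows(req, version):
    """Assumed semantics: clauses are ANDed into one excluded range."""
    _, msv, clauses = parse_msv(req)
    v = vt(version)
    conflicted = bool(clauses) and all(OPS[op](v, b) for op, b in clauses)
    return v >= msv and not conflicted

def legacy_allows(spec, version):
    """Evaluate only the '>=' and '!=' (with '.*') clauses used in the post."""
    v = vt(version)
    for clause in (c.strip() for c in spec.split(",")):
        if clause.startswith(">="):
            ok = v >= vt(clause[2:])
        elif clause.startswith("!=") and clause.endswith(".*"):
            prefix = vt(clause[2:-2])
            ok = v[:len(prefix)] != prefix
        elif clause.startswith("!="):
            ok = v != vt(clause[2:])
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not ok:
            return False
    return True

def accepted(check, spec):
    return [v for v in HISTORY if check(spec, v)]
```

Comparing `accepted(msv_allows, ...)` with `accepted(legacy_allows, ...)` for the three requirement strings shows which releases a resolver would be allowed to install under each form.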

Hi @T-256! This seems specific to Poetry, and not general Python packaging related.

dependency = "2.0.0"

This looks like Poetry’s syntax for specifying dependencies. Note that Poetry uses their own user-facing dependency specification format that is different from the rest of the Python packaging ecosystem at large.

I suggest that you reach out to the maintainers of Poetry via one of the project’s support forums (they seem to be GitHub Discussions on python-poetry/poetry and the Poetry-specific Discord channel which is linked from their README).

Oh sorry, I ignored project.dependencies for a more compact description. Edited now, sorry to make you read again.

Actually, before coming here, I opened a discussion in Poetry but decided to move to Python because of the lack of support for the new syntax in the WHEEL specification.