Hey all, Cython 3.0.0 just released today, which broke our install of statsmodels. Basically, the statsmodel pyproject.toml defined a build system “requires list” that allowed for cython 3.0.0 to be used (when it’s in fact not compatible).
```
# more pyproject.toml
[build-system]
requires = [
    "setuptools",
    "wheel",
    "cython>=0.29.22",
    "oldest-supported-numpy",
    "scipy>=1.3",
]
```
For normal install requires dependencies, I can (and do) pin exact versions for every requirement that gets installed. So even if a package maintainer forgets to set an upper bound for their install requires package, I’ll be sure that it will be frozen in time with the exact versions installed each time.
However, the build-system requires packages (which get installed as the package tries to build) don’t seem to respect any currently installed packages or pinned versions in a requirements file. In fact, my understanding is that the build system installs its requirements into a special virtualenv used just for the build.
The problem with this is that I don’t seem to have any control over what the build system does in this virtualenv. If cython releases 3.0.0, and statsmodel’s build system just tries to install the latest version of cython, I have no way to pin what the build system tries to install. I’m completely dependent on every maintainer of every package that I use to follow semantic versioning exactly and to not introduce any bugs in their patch releases. This makes immutable builds very difficult, and risky.
Generally speaking, what is the recommended way to pin/freeze dependencies installed by 3rd party packages (which you don’t control) such that they build using the same requirements every time until explicitly updated?
Note: I’m not picking on statsmodel specifically; in fact I think newer versions fixed this issue. However, I’ve been encountering this situation with pip more and more lately, where I can’t seem to pin build requirements and a build requirement version slips. Figuring out how to pin these build dependencies is the crux of my question.
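The check a practitioner would want before a build like this, as an added example that is not part of the original post or of statsmodels or pip: read the `[build-system] requires` list out of a pyproject.toml, flag every entry that no specifier caps from above (so the newest release on the index wins at build time), and compare it against a pip constraints file. The `PYPROJECT` text is the statsmodels snippet quoted above; the constraints file content is constructed for illustration and only caps cython below 3.0. The `pip_env` helper relies on pip reading the `PIP_CONSTRAINT` environment variable inside its isolated build environment, which is how pip's own documentation says build dependencies can be constrained (a `-c` option on the outer command line is not forwarded into that environment); function names are this example's own.

```python
"""Pre-flight check for unbounded build requirements and the pip environment
that pins them.  Added example; not code from the post, statsmodels or pip."""
import re

# The [build-system] table quoted in the post.
PYPROJECT = """\
[build-system]
requires = [
    "setuptools",
    "wheel",
    "cython>=0.29.22",
    "oldest-supported-numpy",
    "scipy>=1.3",
]
"""

# Constructed constraints file: only caps the requirement the post describes.
CONSTRAINTS = """\
# constraints.txt (constructed sample)
cython<3.0
"""

# Operators that put a ceiling on a requirement; anything else admits the newest release.
_UPPER_BOUND_OPS = ("==", "~=", "<=", "<")
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def build_requires(pyproject_text):
    """Return the [build-system] requires list from pyproject.toml text."""
    try:
        import tomllib  # stdlib on Python 3.11+
        return list(tomllib.loads(pyproject_text)["build-system"]["requires"])
    except ImportError:
        # Fallback for older interpreters: pull the quoted strings out of requires = [ ... ].
        m = re.search(r"requires\s*=\s*\[(.*?)\]", pyproject_text, re.S)
        return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def split_requirement(req):
    """Split 'Cython>=0.29.22' into a normalised name and its specifier string."""
    m = _NAME_RE.match(req)
    name = m.group(1).lower().replace("_", "-")
    return name, req[m.end(1):].strip()


def unbounded_build_requires(pyproject_text):
    """Names of build requirements that no specifier caps from above."""
    out = []
    for req in build_requires(pyproject_text):
        name, spec = split_requirement(req)
        if not any(op in spec for op in _UPPER_BOUND_OPS):
            out.append(name)
    return out


def pins_from_constraints(constraints_text):
    """Parse a pip constraints file into {name: specifier}, ignoring comments."""
    pins = {}
    for line in constraints_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, spec = split_requirement(line)
            pins[name] = spec
    return pins


def uncovered(pyproject_text, constraints_text):
    """Unbounded build requirements that the constraints file still does not cap."""
    pins = pins_from_constraints(constraints_text)
    return [n for n in unbounded_build_requires(pyproject_text)
            if not any(op in pins.get(n, "") for op in _UPPER_BOUND_OPS)]


def pip_env(constraints_path, base_env=None):
    """Environment for running pip so the constraints file also applies inside
    the isolated build environment (pip reads PIP_CONSTRAINT there)."""
    env = dict(base_env or {})
    env["PIP_CONSTRAINT"] = constraints_path
    return env


if __name__ == "__main__":
    print("unbounded build requirements:", unbounded_build_requires(PYPROJECT))
    print("still uncovered by constraints.txt:", uncovered(PYPROJECT, CONSTRAINTS))
    print("run pip with:", pip_env("constraints.txt"))
```

In practice the constraints file would pin every name the report lists to an exact version, and the install is run as `PIP_CONSTRAINT=constraints.txt pip install -r requirements.txt` (or with `os.environ` updated from `pip_env` when pip is driven from Python). The other route the post hints at is `pip install --no-build-isolation`, after installing the pinned build dependencies into the active environment yourself, so the build sees exactly the versions you froze.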