Pip supporting non PEP508 dependency specifiers

I was walking through some of my core dependencies recently, and identified that there is a project which has non-PEP 508 compliant dependency specifications. I identified this because packaging.specifiers.Specifier raised when parsing the specifier, but was surprised to see that pip had no problem with it.

The specifier in question was numpy>='1.20'. This came from the flox project (specifically this change), and you can verify for yourself that pip has no problem with it using python -m pip install flox==0.6.7.

The reason for posting here is to identify the best course of action regarding this kind of thing. Should:

  • pip continue to support such out-of-spec specifiers?
  • PEP-508 be updated to support quoted versions (and perhaps project names)?
  • PEP-508 be updated to document that pip does not strictly adhere to the PEP (and note the specific differences)?
  • PEP-440 be updated to mention the relation to PEP-508?

I also post here because this is the kind of difference that could cause a surprise if pip adopts packaging.specifier for its specifier parsing.
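As an added illustration (not code from the thread, from pip, or from packaging), the following pure-standard-library lint shows what a strict parse of the specifier above looks like and why pip's acceptance of it is a deviation. It checks each clause against the PEP 440 version grammar and rejects quoted versions, while leaving quotes inside environment markers alone, since markers such as python_version >= '3.8' legitimately contain them. The name grammar and the PEP 440 regex are taken from the PEPs; URL requirements and full marker validation are deliberately out of scope, and the function names are my own.

```python
import re

# Added example: a lightweight pre-upload lint for PEP 508 dependency strings.
# This is not pip's or packaging's parser; it follows the grammars published in
# PEP 440 (versions) and PEP 508 (names, extras, version clauses), simplified.
# URL requirements ("pkg @ https://...") and marker semantics are not covered.

# PEP 508 project/extra name grammar (case-insensitive).
NAME_RE = re.compile(r"^[A-Z0-9](?:[A-Z0-9._-]*[A-Z0-9])?$", re.IGNORECASE)

# Public version grammar from PEP 440's appendix regex, without named groups.
VERSION_RE = re.compile(
    r"""^v?
        (?:[0-9]+!)?                                                # epoch
        [0-9]+(?:\.[0-9]+)*                                         # release
        (?:[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview)[-_.]?[0-9]*)?  # pre-release
        (?:-[0-9]+|[-_.]?(?:post|rev|r)[-_.]?[0-9]*)?               # post-release
        (?:[-_.]?dev[-_.]?[0-9]*)?                                  # dev release
        (?:\+[a-z0-9]+(?:[-_.][a-z0-9]+)*)?                         # local label
        $""",
    re.IGNORECASE | re.VERBOSE,
)

# Longest operators first so ">=" is not mistaken for ">" and "===" for "==".
OPERATORS = ("===", "~=", "==", "!=", "<=", ">=", "<", ">")


def check_version_clause(clause):
    """Return problems with one 'OP VERSION' clause; [] means it is valid."""
    clause = clause.strip()
    for op in OPERATORS:
        if clause.startswith(op):
            version = clause[len(op):].strip()
            break
    else:
        return [f"{clause!r}: missing or unknown comparison operator"]
    # This is the flox case: the version itself is wrapped in quotes.
    if version[:1] in ("'", '"') or version[-1:] in ("'", '"'):
        return [f"{clause!r}: version is quoted; PEP 508 allows no quotes here"]
    if op == "===":
        return []  # arbitrary equality accepts any string
    if op in ("==", "!=") and version.endswith(".*"):
        version = version[:-2]  # prefix matching is allowed for == and !=
    if not VERSION_RE.match(version):
        return [f"{clause!r}: {version!r} is not a PEP 440 version"]
    return []


def check_requirement(requirement):
    """Return problems found in one PEP 508 string; [] means it parses."""
    problems = []
    # Environment markers live after ';' and legitimately contain quoted
    # strings, so split them off before looking for stray quotes.
    spec, _, _marker = requirement.partition(";")
    spec = spec.strip()
    # Split "name[extras] <version clauses>"; the name stops at the first
    # whitespace, '[' or operator character.
    m = re.match(r"^([^\s\[<>=!~]+)\s*(?:\[([^\]]*)\])?\s*(.*)$", spec)
    if not m:
        return [f"{requirement!r}: cannot split name from specifier"]
    name, extras, versions = m.group(1), m.group(2), m.group(3).strip()
    versions = versions.strip("()")  # PEP 508 permits "name (>=1.0)"
    if not NAME_RE.match(name):
        problems.append(f"{name!r}: not a valid project name")
    if extras is not None:
        for extra in extras.split(","):
            extra = extra.strip()
            if extra and not NAME_RE.match(extra):
                problems.append(f"{extra!r}: not a valid extra name")
    if versions:
        for clause in versions.split(","):
            problems.extend(check_version_clause(clause))
    return problems


def lint_requirements(requirements):
    """Map each offending requirement string to its list of problems."""
    report = {}
    for req in requirements:
        problems = check_requirement(req)
        if problems:
            report[req] = problems
    return report


if __name__ == "__main__":
    # Constructed sample metadata: the flox specifier plus valid neighbours.
    sample = ["numpy>='1.20'", "numpy>=1.20", "flox[dask]>=0.6.7,<1.0; python_version >= '3.8'"]
    for req, problems in lint_requirements(sample).items():
        print(req, "->", problems)
```

Running it reports only the first entry; the same quoted version inside the marker of the third entry is accepted, which is the distinction a PyPI-side check would need to make.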

IMO this is just a pip bug that should be fixed. It’s non-urgent and we should consider how to warn people about the behaviour change, but that’s all.

Thanks for your consideration. I went ahead and added to the tracker in pip currently supports invalid PEP-508 specifiers · Issue #11746 · pypa/pip · GitHub.

Can this kind of issue be also flagged / blocked when uploading to PyPI?

That would be a matter for Warehouse.

Also, have you reported the issue to the flox project? The key thing here is for them to fix the incorrect metadata, and yank the bad release from PyPI.

This is a known deviation. pip’s currently on packaging 21.3; and packaging implemented strictness around this in 22.0.

See Removal of `LegacyVersion` and `LegacySpecifier` · Issue #530 · pypa/packaging · GitHub and Upgrade the vendored `packaging` to 22.0+ · Issue #11715 · pypa/pip · GitHub.


That will start happening automatically when we upgrade to a newer version of packaging.

Does PyPI parse dependency specifiers upon upload, and block uploads if things don’t parse? My understanding was that versions are enforced but specifiers are not.
