I was walking through some of my core dependencies recently, and identified that there is a project which has non PEP 508 compliant dependency specifications. I identified this because packaging.specifiers.Specifier raised when parsing the specifier, but was surprised to see that pip had no problem with it.
The specifier in question was numpy>='1.20'. This came from the flox project (specifically this change), and you can verify for yourself that pip has no problem with it using python -m pip install flox==0.6.7.
The reason for posting here is to identify the best course of action regarding this kind of thing. Should:
- pip continue to support such out-of-spec specifiers?
- PEP-508 be updated to support quoted versions (and perhaps project names)?
- PEP-508 be updated to document that pip does not strictly adhere to the PEP (and note the specific differences)?
- PEP-440 be updated to mention the relation to PEP-508?
I also post here because this is the kind of difference that could cause a surprise if
packaging.specifier for its specifier parsing.
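A check along these lines can be run over a project's declared dependencies to catch clauses such as the quoted one above before a stricter parser does. This is an added example, not code from the post, pip or packaging; the helper names `invalid_clauses` and `audit` are hypothetical, the sample list is constructed, and it assumes `packaging` (or the copy vendored inside pip) is importable.

```python
import re

try:
    from packaging.specifiers import InvalidSpecifier, Specifier
except ImportError:  # fall back to the copy that pip vendors
    from pip._vendor.packaging.specifiers import InvalidSpecifier, Specifier

# Leading project name plus optional extras; the remainder is the version part.
_NAME = re.compile(r"^\s*[A-Za-z0-9][A-Za-z0-9._-]*\s*(\[[^\]]*\])?\s*")


def invalid_clauses(requirement):
    """Return the version clauses of `requirement` that Specifier rejects."""
    head = requirement.split(";", 1)[0]          # drop any environment marker
    match = _NAME.match(head)
    if match is None:
        return [requirement.strip()]             # not even a valid name
    rest = head[match.end():].strip()
    if rest.startswith("@"):                     # direct URL reference, no versions
        return []
    rest = rest.strip("()")                      # PEP 508 allows "name (>=1.0)"
    bad = []
    for clause in (c.strip() for c in rest.split(",")):
        if not clause:
            continue
        try:
            Specifier(clause)                    # strict PEP 440 clause parsing
        except InvalidSpecifier:
            bad.append(clause)
    return bad


def audit(requirements):
    """Map each offending requirement string to its rejected clauses."""
    found = ((req, invalid_clauses(req)) for req in requirements)
    return {req: bad for req, bad in found if bad}


# Constructed sample: the first entry is the specifier quoted in the post.
SAMPLE = [
    "numpy>='1.20'", "numpy>=1.20",
    "pandas (>=1.3,<2) ; python_version >= '3.8'", "requests[socks]~=2.28",
]

if __name__ == "__main__":
    for req, bad in audit(SAMPLE).items():
        print(f"{req!r}: rejected clauses {bad}")
```

Each clause is checked with `Specifier` directly rather than through a whole-requirement parser, because that is the class the post reports as raising on the quoted version.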