Pip supporting non PEP508 dependency specifiers

pelson · January 24, 2023, 8:30am

I was walking through some of my core dependencies recently, and identified that there is a project which has non PEP 508 compliant dependency specifications. I identified this because packaging.specifiers.Specifier raised when parsing the specifier, but was surprised to see that pip had no problem with it.

The specifier in question was numpy>='1.20'. This came from the flox project (specifically this change), and you can verify for yourself that pip has no problem with it using python -m pip install flox==0.6.7.

The reason for posting here is to identify the best course of action regarding this kind of thing. Should:

pip continue to support such out-of-spec specifiers?
PEP-508 be updated to support quoted versions (and perhaps project names)?
PEP-508 be updated to document that pip does not strictly adhere to the PEP (and note the specific differences)?
PEP-440 be updated to mention the relation to PEP-508

I also post here because this is the kind of difference that could cause a surprise if pip adopts packaging.specifier for its specifier parsing.

pf_moore · January 24, 2023, 8:59am

IMO this is just a pip bug that should be fixed. It’s non-urgent and we should consider how to warn people about the behaviour change, but that’s all.

pelson · January 24, 2023, 9:10am

Thanks for your consideration. I went ahead and added to the tracker in pip currently supports invalid PEP-508 specifiers · Issue #11746 · pypa/pip · GitHub.

Can this kind of issue be also flagged / blocked when uploading to PyPI?

pf_moore · January 24, 2023, 9:31am

That would be a matter for Warehouse.

Also, have you reported the issue to the flox project? The key thing here is for them to fix the incorrect metadata, and yank the bad release from PyPI.

pradyunsg · January 24, 2023, 9:40am

This is a known deviation. pip’s currently on packaging 21.3; and packaging implemented strictness around this in 22.0.

See Removal of `LegacyVersion` and `LegacySpecifier` · Issue #530 · pypa/packaging · GitHub and Upgrade the vendored `packaging` to 22.0+ · Issue #11715 · pypa/pip · GitHub.

dustin · January 24, 2023, 4:08pm

That will start happening automatically when we upgrade to a newer version of packaging.

pradyunsg · January 24, 2023, 4:12pm

Does PyPI parse dependency specifiers upon upload, and block uploads if things don’t parse? My understanding was that versions are enforced but specifiers are not.

dstufft · January 24, 2023, 4:25pm

github.com

pypi/warehouse/blob/aa56a2a50d9578ffb1886ce48d0773ad5853e036/warehouse/forklift/legacy.py#L278-L289


      
          def _validate_legacy_dist_req(requirement):
              try:
                  req = packaging.requirements.Requirement(requirement)
              except packaging.requirements.InvalidRequirement:
                  raise wtforms.validators.ValidationError(
                      f"Invalid requirement: {requirement!r}."
                  ) from None
          
          
    if req.url is not None:
                  raise wtforms.validators.ValidationError(
                      f"Can't have direct dependency: {requirement!r}"
                  )

Topic		Replies	Views
Announcement: pip 23.2 release! Packaging	8	5859	July 22, 2023
Community testing of packaging tools against non-Warehouse indexes Packaging	17	1154	February 4, 2022
RFC: improving pip security with package signing (PEP-458) Packaging	3	924	January 14, 2021
PEP 631 - Dependency specification in pyproject.toml based on PEP 508 Packaging	40	5261	September 18, 2020
Pip 19.0 is now available! Packaging	11	16365	February 25, 2019

Pip supporting non PEP508 dependency specifiers

Related Topics