Support for urllib3
v1.25 (released today/yesterday). The usual yada-yada "my CI is broken".
Multiple packages that we depend on (eg google.cloud.storage
, azure.storage
) have strict version-check on requests
using pkg_resources.require('requests >= 2.18.0')
. Any unmet dependencies in the chain below and including requests
will cause the check to fail and raise an exception. urllib3<1.25
is currently one such dependency.
No exception raised on import
pkg_resources.ContextualVersionConflict: (urllib3 1.25 (/usr/local/lib/python3.6/dist-packages), Requirement.parse('urllib3<1.25,>=1.21.1'), {'requests'})
The above exception was the direct cause of the following exception:
ImportError: ``requests >= 2.18.0`` is required by the ``google.resumable_media.requests`` subpackage.
It can be installed via
pip install google-resumable-media[requests].
pip3 install sentry-sdk google-cloud-storage
>>> from google.cloud import storage
md5-cbc1943a1d569f335059802806d81765
/home/laurie/env-tmp/lib/python3.6/site-packages/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.25) or chardet (3.0.4) doesn't match a supported version!
RequestsDependencyWarning)
{
"chardet": {
"version": "3.0.4"
},
"cryptography": {
"version": ""
},
"idna": {
"version": "2.8"
},
"implementation": {
"name": "CPython",
"version": "3.6.7"
},
"platform": {
"release": "4.18.0-17-generic",
"system": "Linux"
},
"pyOpenSSL": {
"openssl_version": "",
"version": null
},
"requests": {
"version": "2.21.0"
},
"system_ssl": {
"version": "1010100f"
},
"urllib3": {
"version": "1.25"
},
"using_pyopenssl": false
}
Note that a pull-request fixing this should close #5065 and #4961
Also note that a solution to the above reproduction example is:
pip3 install sentry-sdk google-cloud-storage 'urllib3<1.25'
There’s already a PR in the works: https://github.com/kennethreitz/requests/pull/5063
@nateprewitt FYI 1.25.2 will be released very soon, I would recommend in addition to disallowing 1.25.0 also disallow 1.25.1?
Our CI pipeline starts to get an error [integration_py3_docker_metric] 19-04-29:10:26:57 ERROR [clipper_metric_docker.py:127] Failed to parse: http://localhost:44328/api/v1/series?match[]=clipper_mc_parse_time_ms_sum
from April 22nd, from when urllib3
version 1.25 was released. Do you think this is related to this issue?
@rkooo567, have you tried running the CI with the additional requirement urllib3<1.25
?
@EpicWink Yes. And it seems like it resolves an issue. I also found out urllib3==1.25.2
also resolves the problem.
urllib3 1.24.3 has been released which fixes only the CRLF injection issue for 1.24.X users.
Here's a possibly dumb question: why does requests restrict urllib3 to be < 1.25? Since many other pip dependencies are going to continue to increase their minimum allowed urllib3 version, it seems like this is going to guarantee two things:
Does urllib3 make breaking changes that often that we're worried about just trusting their versioning? Or is there another concern?
Based on the number of references to this issue in other projects’ trackers, I’m sure there are a lot of other project maintainers that would appreciate a resolution to this sooner rather than later… :) (Pointing it out since issue references don’t trigger e‐mail notifications.)
+1 because it aggravates problems caused by Pip's lack of a dependency resolver in some cases: https://github.com/pradyunsg/zazo/issues/14
If you think that's fun, look at all the things that use requests and can't update urllib3. (we do some manual checking)
http://logs.openstack.org/36/658636/3/check/requirements-tox-py27-check-uc/48d2334/job-output.txt.gz#_2019-05-14_06_33_55_887702
Resolved with #5092, release is up on pypi now. Thanks again @EpicWink
Most helpful comment
Here's a possibly dumb question: why does requests restrict urllib3 to be < 1.25? Since many other pip dependencies are going to continue to increase their minimum allowed urllib3 version, it seems like this is going to guarantee two things:
Does urllib3 make breaking changes that often that we're worried about just trusting their versioning? Or is there another concern?