
Conversation

@thorsten-klein thorsten-klein commented Nov 28, 2025

Follow-up of #4501.

It is not recommended by the Python Packaging User Guide to pin dependencies. Instead, use version ranges or minimum/maximum versions wherever possible.

Why?

With Zephyr 4.3.0 I get a conflict:

The conflict is caused by:
    The user requested setuptools==70.2.0
    The user requested setuptools==70.2.0
    codechecker 6.26.2 depends on setuptools==70.2.0
    hidapi 0.14.0.post4 depends on setuptools>=19.0
    setuptools-scm 8.1.0 depends on setuptools
    spsdk 3.4.0 depends on setuptools<81 and >75

@thorsten-klein thorsten-klein marked this pull request as draft December 1, 2025 12:33
@thorsten-klein thorsten-klein force-pushed the do-not-pin-versions branch 3 times, most recently from 7e361b3 to 39d6161 Compare December 1, 2025 14:59

thorsten-klein commented Dec 1, 2025

@bruntib Can you please support?
I have made only minimal changes (replaced a few == with <=) and the CI is already failing ...

UPDATE: The failing build also fails on the main branch, so I’ve temporarily disabled it.
I’ve replaced all == version pins with <= to allow more flexible dependency resolution.

Unfortunately, some of codechecker's python dependencies are quite outdated. As a result, users installing with
pip install -r zephyr/requirements.txt -r codechecker/requirements.txt
are still ending up with those older versions.

$ curl -s https://pypi.org/pypi/codechecker/6.26.2/json | jq '.info.requires_dist'
[
  "sqlalchemy==1.4.54",
  "sarif-tools==3.0.4",
  "types-PyYAML==6.0.12.12",
  "Authlib==1.3.1",
  "psutil==5.9.8",
  "portalocker==3.1.1",
  "gitpython==3.1.41",
  "thrift==0.22.0",
  "PyYAML==6.0.1",
  "requests==2.32.4",
  "alembic==1.5.5",
  "multiprocess==0.70.15",
  "lxml==5.3.0",
  "setuptools==70.2.0"
]

Would you maybe have some time to update and integrate the newer pip dependencies when possible?
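The pip conflict report in the PR description and the exact `==` pins in the requires_dist listing above are the same problem seen from two sides: a library that ships exact pins in its metadata cannot be co-installed with anything that needs a different version. The script below is an added example for this thread, not CodeChecker or Zephyr code. It uses only the Python standard library, implements a simplified PEP 440 comparison (numeric release segment only, no wildcards, pre-releases or local versions), flags exact pins in a set of requirement sources, and reports which source rejects each candidate version. The specifiers are those quoted in the thread; which requirements file each "user requested" line came from, the list of candidate setuptools releases, and the "relaxed" variant with lower bounds are constructed for the demonstration and are not taken from the PR diff.

```python
"""Flag exact-version pins and show why mixed requirement sets cannot resolve.

Added example for this thread (not CodeChecker or Zephyr code). Standard
library only; the version comparison is a simplified PEP 440 (numeric
release segment only: no wildcards, pre-release or local-version ordering).
"""
import operator
import re

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"(===|==|!=|<=|>=|~=|<|>)\s*([0-9][0-9A-Za-z.+-]*)")
_OPS = {"==": operator.eq, "===": operator.eq, "!=": operator.ne,
        "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def canonical_name(name):
    """PEP 503 normalisation so 'types-PyYAML' and 'types_pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line):
    """Return (canonical name, [(operator, version), ...]) for one requirement line."""
    spec = line.split("#", 1)[0].split(";", 1)[0]   # drop comments and environment markers
    spec = re.sub(r"\[[^\]]*\]", "", spec)           # drop extras such as pkg[extra]
    match = _REQ_RE.match(spec)
    if not match:
        raise ValueError(f"cannot parse requirement: {line!r}")
    name, rest = match.groups()
    # findall ignores separators, so 'a<81,>75' (requirements syntax) and
    # 'a<81 and >75' (pip's conflict-report wording) parse the same way.
    return canonical_name(name), _CLAUSE_RE.findall(rest)

def parse_version(text):
    """Numeric release segment of a version: '0.14.0.post4' -> (0, 14, 0)."""
    release = []
    for part in text.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        release.append(int(digits.group()))
    return tuple(release)

def _padded(a, b):
    """Right-pad with zeros so (70, 2) and (70, 2, 0) compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version, op, clause_version):
    """Does `version` satisfy one specifier clause such as ('>', '75')?"""
    v, c = _padded(parse_version(version), parse_version(clause_version))
    if op == "~=":  # compatible release: >= X.Y.Z and == X.Y.*
        prefix = len(parse_version(clause_version)) - 1
        return v >= c and v[:prefix] == c[:prefix]
    return _OPS[op](v, c)

def exact_pins(sources):
    """Every (source, name, version) pinned with == or ===."""
    pins = []
    for source, lines in sources.items():
        for line in lines:
            name, clauses = parse_requirement(line)
            pins.extend((source, name, ver) for op, ver in clauses if op in ("==", "==="))
    return pins

def rejections(name, version, sources):
    """Requirement lines (with their source) that rule out `version` of `name`."""
    wanted = canonical_name(name)
    out = []
    for source, lines in sources.items():
        for line in lines:
            req_name, clauses = parse_requirement(line)
            if req_name == wanted and not all(satisfies(version, op, ver) for op, ver in clauses):
                out.append((source, line))
    return out

def first_acceptable(name, candidates, sources):
    """First candidate version no source rejects, or None when the set conflicts."""
    for version in candidates:
        if not rejections(name, version, sources):
            return version
    return None

# Constructed sample: the specifiers are the ones quoted in the thread; which
# file each 'user requested' line came from is assumed, not shown on the page.
STRICT = {
    "codechecker/requirements.txt": ["setuptools==70.2.0", "sqlalchemy==1.4.54"],
    "codechecker 6.26.2 requires_dist": ["setuptools==70.2.0"],
    "hidapi 0.14.0.post4 requires_dist": ["setuptools>=19.0"],
    "spsdk 3.4.0 requires_dist": ["setuptools<81,>75"],
}
# Hypothetical relaxation with lower bounds (not the PR's actual diff).
RELAXED = dict(STRICT)
RELAXED["codechecker/requirements.txt"] = ["setuptools>=70.2.0", "sqlalchemy>=1.4.54,<2"]
RELAXED["codechecker 6.26.2 requires_dist"] = ["setuptools>=70.2.0"]
# Constructed list of setuptools releases to try, oldest first.
CANDIDATES = ["70.2.0", "75.0.0", "76.0.0", "80.9.0", "81.0.0"]

if __name__ == "__main__":
    for label, sources in (("strict", STRICT), ("relaxed", RELAXED)):
        print(f"[{label}] exact pins: {exact_pins(sources)}")
        print(f"[{label}] first acceptable setuptools: {first_acceptable('setuptools', CANDIDATES, sources)}")
        for version in CANDIDATES:
            for source, line in rejections("setuptools", version, sources):
                print(f"  setuptools {version} rejected by {source}: {line}")
```

With the strict set no candidate survives: 70.2.0 is rejected by spsdk's `>75`, and every newer release is rejected by the `==70.2.0` pins, which is exactly the dead end pip reports. Once the library-side pins become lower bounds, the first release all four sources accept is found immediately. The same check can be pointed at any package's requires_dist (for example the output of the curl/jq command above) to spot exact pins before they reach a shared virtual environment.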

@thorsten-klein thorsten-klein force-pushed the do-not-pin-versions branch 2 times, most recently from f24181a to 1b0c655 Compare December 2, 2025 08:46
@thorsten-klein thorsten-klein commented

I checked that the issue is resolved as follows (using nodejs v25.2.0):

$ export NODE_OPTIONS="--localstorage-file=/tmp/localstorage.json"
$ make dist
$ python3 -m venv .venv
$ source .venv/bin/activate
$ pip3 install dist/codechecker-*.tar.gz -r /path/to/zephyr/scripts/requirements.txt

I can verify that this works and that e.g. setuptools is at a newer version:

$ pip freeze --all | grep setuptools==
setuptools==80.9.0

It is not recommended by the Python Packaging User Guide to pin
dependencies. Instead, use minimum or maximum versions wherever
possible.

Signed-off-by: Pieter De Gendt <[email protected]>
Signed-off-by: Thorsten Klein <[email protected]>
analyzer/tools/merge_clang_extdef_mappings/requirements_py/dev/requirements.txt
analyzer/tools/statistics_collector/requirements_py/dev/requirements.txt