Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade min dependency versions #428

Open
deeprave opened this issue Nov 18, 2024 · 3 comments
Open

Upgrade min dependency versions #428

deeprave opened this issue Nov 18, 2024 · 3 comments
Assignees
@mariofix
Labels
in progress

Comments

@deeprave
Copy link

deeprave commented Nov 18, 2024
edited
Loading

The configured requires-python and the Django version dependency are currently outdated and needlessly prevent working with contemporary versions of dependencies

The Django dependency and the requires-python version should be updated to 4.1 and 3.10 respectively.

Installing contemporary Django and Python versions is impossible with the current dependency versions due to the minimum version requirements.

Other dependencies, such as urllib3, sqlparse, and requests, also need to be updated for a different reason: recent CVEs have been reported on all three.

$ uv add "Django>=5.1"
  × No solution found when resolving dependencies:
  ╰─▶ Because the requested Python version (>=3.7) does not satisfy Python>=3.10 and django>=5.1 depends on Python>=3.10, we can conclude that django>=5.1 cannot be used.
      And because only the following versions of django are available:
          django<=5.1
          django==5.1.1
          django==5.1.2
          django==5.1.3
      we can conclude that django>=5.1 cannot be used.
      And because your project depends on django>=5.1 and your project requires django-payments[stripe], we can conclude that your projects's requirements are unsatisfiable.

      hint: The `requires-python` value (>=3.7) includes Python versions that are not supported by your dependencies (e.g., django>=5.1 only supports >=3.10). Consider using a more restrictive `requires-python` value (like >=3.10).
  help: If you want to add the package regardless of the failed resolution, provide the `--frozen` flag to skip locking and syncing.
@deeprave
Copy link
Author

https://security.snyk.io/vuln?search=py3-requests
https://security.snyk.io/vuln?search=py3-sqlparse
https://security.snyk.io/vuln?search=py3-urllib3

@mariofix
Copy link
Member

Can you provide more information about your environment? I had no problems using a newly created project

uv add django-payments
Using CPython 3.11.2 interpreter at: /usr/bin/python3.11
Creating virtual environment at: .venv
Resolved 13 packages in 197ms
Prepared 11 packages in 676ms
Installed 11 packages in 277ms
 + asgiref==3.8.1
 + certifi==2024.8.30
 + charset-normalizer==3.4.0
 + django==5.1.3
 + django-payments==3.0.1
 + django-phonenumber-field==8.0.0
 + idna==3.10
 + phonenumberslite==8.13.50
 + requests==2.32.3
 + sqlparse==0.5.2
 + urllib3==2.2.3

@deeprave
Copy link
Author

deeprave commented Nov 18, 2024
edited
Loading

Something like:

$ gh repo clone jazzband/django-payments
$ cd django-payments
$ uv sync
(works fine)
$ uv add "Djang>=5.1"
(as above)

@mariofix mariofix self-assigned this Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mariofix mariofix

Labels
in progress
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@deeprave @mariofix