cunfusu

Reputation: 107

How does dependency resolution work with pip when one package specifies a range and another doesn't?

I have a requirement.txt with only 2 dependencies:

sentry-sdk==0.7.11
requests==2.21.0

I've checked the setup.py of both packages and both depend on urllib3:

Recently a new version of urllib3 (1.25) has been released. When I install the dependencies with pip I get the following error:

ERROR: requests 2.21.0 has requirement urllib3<1.25,>=1.21.1, but you'll have urllib3 1.25 which is incompatible.

Is this behavior expected, or is it a bug in pip?

What is the meaning of not specifying a version of a dependency in install_requires? "force the latest version"?

Upvotes: 1

Views: 2993

Answers (1)

Krumelur

Reputation: 32497

The reason you observe this behavior is because pip installs sentry-sdk first. Since this does not have the version constraint, you get the latest version (1.25). When requests is to be installed, this version is incompatible.

The only way to solve this is to solve all version constraints globally, which AFAIK pip cannot do.

The solution is to specify the version of urllib3 you want in your requirements.txt (since you know which versions of its dependencies you use). This is probably good practice anyway for transient packages without constraints.

Actually, the way to have reproducible builds with pip is to always do

pip freeze > requirements.txt

and check in the result. This way a third party package update won't break your build, and you can always manually upgrade later (and check in the result).

Upvotes: 1
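To make the install-order behaviour described in the answer concrete next to a global solve, here is an added Python model; it is not pip's code and was not posted by either participant. The urllib3 version list is a constructed sample, the requirement strings are the ones from the question, and the `sequential_install`/`global_resolve` names are this example's own.

```python
import re
# Constructed sample index: the urllib3 releases available at the time of the
# question, 1.25 just published. This models pip's behaviour; it is not pip.
INDEX = {"urllib3": ["1.21.1", "1.22", "1.23", "1.24", "1.24.1", "1.25"]}
# The question's two requirements and the urllib3 dependency each declares in setup.py.
REQUIREMENTS = [("sentry-sdk", ["urllib3"]), ("requests", ["urllib3<1.25,>=1.21.1"])]
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def vkey(v):  # sort key for dotted release versions such as "1.24.1"
    return tuple(int(p) for p in v.split("."))

def parse_requirement(req):
    """'urllib3<1.25,>=1.21.1' -> ('urllib3', [('<','1.25'), ('>=','1.21.1')]);
    a bare name yields an empty clause list, i.e. any version is acceptable."""
    name, spec = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", req.strip()).groups()
    clauses = [re.match(r"^(<=|>=|==|!=|<|>)\s*(.+)$", p.strip()).groups()
               for p in spec.split(",") if p.strip()]
    return name, clauses

def satisfies(version, clauses):
    return all(_OPS[op](vkey(version), vkey(v)) for op, v in clauses)

def newest_matching(name, clauses):  # newest index version meeting every clause
    return next((v for v in sorted(INDEX[name], key=vkey, reverse=True)
                 if satisfies(v, clauses)), None)

def sequential_install(requirements):
    """Model of the pip behaviour the answer describes: the first package to pull
    in a dependency fixes its version; later constraints are only checked."""
    installed, errors = {}, []
    for pkg, deps in requirements:
        for dep in deps:
            name, clauses = parse_requirement(dep)
            if name not in installed:
                installed[name] = newest_matching(name, clauses)
            elif not satisfies(installed[name], clauses):
                errors.append(f"{pkg} has requirement {dep}, but you'll have "
                              f"{name} {installed[name]} which is incompatible.")
    return installed, errors

def global_resolve(requirements):
    """Intersect every constraint on a name before choosing, which is what a
    real resolver, or a manual urllib3 pin in requirements.txt, achieves."""
    merged = {}
    for _, deps in requirements:
        for dep in deps:
            name, clauses = parse_requirement(dep)
            merged.setdefault(name, []).extend(clauses)
    return {n: newest_matching(n, c) for n, c in merged.items()}
```

`sequential_install(REQUIREMENTS)` reproduces the error text quoted in the question, while `global_resolve(REQUIREMENTS)` yields 1.24.1, the version a pin in requirements.txt (or the backtracking resolver pip ships since 20.3) would settle on.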
