
Unpin version of requests #302

Closed
fh-mthomson opened this issue Oct 3, 2024 · 6 comments
Labels
sdk Used for automation

Comments

@fh-mthomson

While trying to add posit-sdk to a requirements.txt file, we hit a lot of conflicts with other packages where the required version of requests could not be satisfied.

My understanding (correct me if I'm wrong!) is that posit-sdk requires an exact version of requests, per https://github.com/posit-dev/posit-sdk-py/blob/main/requirements.txt

Is it possible to relax this constraint (e.g., a floor, as needed)?

@github-actions github-actions bot added the sdk Used for automation label Oct 3, 2024
@nealrichardson
Collaborator

It looks like the version is not strictly pinned in the project. I created a new virtualenv and installed the latest requests and then posit-sdk from PyPI, and I see this line in the output:

Requirement already satisfied: requests<3,>=2.31.0 in ./venv/lib/python3.12/site-packages (from posit-sdk) (2.32.3)

That matches here: https://github.com/posit-dev/posit-sdk-py/blob/main/pyproject.toml#L22

For background on the discrepancy, see #5 for where the requirements.txt file was introduced to the repo.

If you're having trouble installing, could you share some example output, or a reproducible example?

@fh-mthomson
Author

Thank you for clarifying!!

@fh-mthomson
Author

A follow-up question: do you know if posit-sdk truly requires requests>=2.31.0? It does look like it has been there since the first commit: 4884968

In our case, we have a monorepo with a lot of non-current dependencies, so it caused a lot of constraints. Ultimately, we had to re-implement aspects of the posit-sdk lib using the requests package directly, so a lower pinned version could add more flexibility.

Totally understand if that's not feasible!

@nealrichardson
Collaborator

API-wise, I don't think we depend on anything in requests that's particularly new. Looks like 2.31.0 was just the current release when we started the project.

In principle, I don't object to setting it to something more permissive, like >=2,<3 (2.0 was released in 2013). Though it's possible our security team would have concerns. I can check with them. There have been a number of CVEs on requests over the years, so regardless of what we do here, it's probably a good idea for you to update your stack to the latest anyway, if you can.

@tdstein
Collaborator

tdstein commented Oct 7, 2024

@fh-mthomson, can you share your minimum version requirement? We want to encourage using newer versions of requests, but lowering the floor is an option.

Another reason for the current setting is that we have not tested against requests before v2.31.0. If we lower the floor, we would like to set up automated testing against those versions to ensure true compatibility.

@fh-mthomson
Author

That all makes sense, thanks for sharing!

can you share your minimum version requirement?

Yep! The current binding constraint is a library requiring requests<2.25.2; so, looking at the release history, a satisfactory version would seem to be 2.25.1 (Dec 2020).

Totally hear you that a broader upgrade would be advisable; but since we're navigating a large legacy repo, it's non-trivial to execute. Fully understand if y'all draw a line in the sand and require a more modern version here - it's not critical on our end :)
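To see why the two specifiers discussed in this thread (`requests<3,>=2.31.0` from posit-sdk and `requests<2.25.2` from the legacy library) cannot both be satisfied, and why a floor of `>=2,<3` resolves the conflict, here is a small resolver that intersects each package's specifier over a list of release versions. It is an added example, not code from the posit-sdk project; the release list is constructed from the versions mentioned above and is not a full PyPI history, and the parser handles only simple `op version` clauses (use `packaging.specifiers` for full PEP 440 semantics).

```python
import re
from typing import Dict, List, Tuple

# Constructed release list: versions named in the thread plus a few neighbours.
# Not a complete history of requests releases.
RELEASES = ["2.0.0", "2.24.0", "2.25.0", "2.25.1", "2.25.2",
            "2.26.0", "2.31.0", "2.32.3", "3.0.0"]

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'X.Y.Z' (or 'X') into a comparable tuple, padding to three parts."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

def parse_specifier(spec: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """Parse a comma-separated specifier such as '<3,>=2.31.0' into clauses."""
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.fullmatch(r"(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses

def satisfying_versions(constraints: Dict[str, str],
                        releases: List[str] = RELEASES) -> List[str]:
    """Return the releases that satisfy every package's specifier at once.

    An empty result means the constraint set is unsatisfiable, which is the
    conflict pip reports when two dependents pin incompatible ranges.
    """
    parsed = {pkg: parse_specifier(spec) for pkg, spec in constraints.items()}
    return [rel for rel in releases
            if all(_OPS[op](parse_version(rel), bound)
                   for clauses in parsed.values() for op, bound in clauses)]

if __name__ == "__main__":
    current = {"posit-sdk": "<3,>=2.31.0", "legacy-lib": "<2.25.2"}
    relaxed = {"posit-sdk": ">=2,<3", "legacy-lib": "<2.25.2"}
    print("current floor:", satisfying_versions(current))   # no common version
    print("relaxed floor:", satisfying_versions(relaxed))   # 2.0.0 .. 2.25.1
```

Note that the relaxed floor only makes the legacy set installable; every version it admits below 2.31.0 predates the fixes the maintainer refers to, so a resolver-level check like this is a complement to upgrading, not a substitute.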
