I have the following two dependencies in my requirements.txt:

$ pip3 install elasticsearch==7.0.0 requests==2.21.0
Collecting elasticsearch==7.0.0
  Using cached https://files.pythonhosted.org/packages/a8/27/d3a9ecd9f8f972d99da98672d4766b9f62ef64c323c40bb5e2557e538ea3/elasticsearch-7.0.0-py2.py3-none-any.whl
Collecting requests==2.21.0
  Using cached https://files.pythonhosted.org/packages/7d/e3/20f3d364d6c8e5d2353c72a67778eb189176f08e873c9900e10c0287b84b/requests-2.21.0-py2.py3-none-any.whl
Collecting urllib3>=1.21.1 (from elasticsearch==7.0.0)
  Using cached https://files.pythonhosted.org/packages/39/ec/d93dfc69617a028915df914339ef66936ea976ef24fa62940fd86ba0326e/urllib3-1.25.2-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests==2.21.0)
  Using cached https://files.pythonhosted.org/packages/60/75/f692a584e85b7eaba0e03827b3d51f45f571c2e793dd731e598828d380aa/certifi-2019.3.9-py2.py3-none-any.whl
Collecting chardet<3.1.0,>=3.0.2 (from requests==2.21.0)
  Using cached https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl
Collecting idna<2.9,>=2.5 (from requests==2.21.0)
  Using cached https://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl
requests 2.21.0 has requirement urllib3<1.25,>=1.21.1, but you'll have urllib3 1.25.2 which is incompatible.
Installing collected packages: urllib3, elasticsearch, certifi, chardet, idna, requests
Successfully installed certifi-2019.3.9 chardet-3.0.4 elasticsearch-7.0.0 idna-2.8 requests-2.21.0 urllib3-1.25.2

I want to understand this warning that appeared in the above output:

requests 2.21.0 has requirement urllib3<1.25,>=1.21.1, but you'll have urllib3 1.25.2 which is incompatible.

Why did pip install urllib3 1.25.2? It does not seem to make sense. The required dependencies are:

  • elasticsearch==7.0.0 requires urllib3>=1.21.1 (source)
  • requests==2.21.0 requires urllib3>=1.21.1,<1.25 (source)

Both dependencies could have been easily satisfied by installing urllib3 1.24.3. Why did pip3 then install urllib3 1.25.2? Isn't deciding the correct version according to the available requirements one of its responsibility?

It this a bug in pip3 or is this functioning as designed?

1 Answers

1
maciek On

As it is now, pip doesn’t have true dependency resolution, but instead simply uses the first specification it finds for a project.

You can add constraints.txt file with urllib3==1.24.3 and then invoke:

$ pip install -r requirements.txt -c contraints.txt

That would do the job. When updating requirements remember to update also contraints.

Alternatively you can use one of Python dependency managers:

See Requirements Files and Constraints Files sections in pip user guide and Managing Application Dependencies tutorial.