-
Notifications
You must be signed in to change notification settings - Fork 945
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
uv installs really old version of web3 in the presence of numpy and streamlit on 3.10, unlike pip #4372
Comments
This is a contrived example to show that something is broken. Adding lower bounds seems like it would make it more contrived? The repo this broke on has a much longer dependency list, which took me a while to sort through to narrow it down to these 3 as the cause. See our pyproject.toml here: https://github.com/delvtech/agent0/blob/main/pyproject.toml. I want the latest compatible version of everything, as I do in our repo (don't think this is a rare use-case). Pip finds 6.19.0, while uv fails to find a recent compatible version and just keeps back-searching until it somehow resolves to a really old version. I guess I could set the expected pip solution of 6.19.0 as the lower bound? Then it should just fail? Just tried it, and guess what? It successfully installs the expected version. Seems like a bug somewhere. Why wouldn't uv just try the latest release of web3 first? Are there different levels of compatibility that it somehow dismisses 6.19.0 as less compatible than 3.16.3? dependencies = [
"eth-typing",
"numpy",
"streamlit",
"web3>=6.19.0"
]
# === PIP FREEZE (pip-24.0) ===
# aiohttp==3.9.5
# aiosignal==1.3.1
# altair==5.3.0
# async-timeout==4.0.3
# attrs==23.2.0
# bitarray==2.9.2
# blinker==1.8.2
# cachetools==5.3.3
# certifi==2024.6.2
# charset-normalizer==3.3.2
# ckzg==1.0.2
# click==8.0.4
# cytoolz==0.12.3
# eth-abi==5.1.0
# eth-account==0.11.2
# eth-hash==0.7.0
# eth-keyfile==0.8.1
# eth-keys==0.5.1
# eth-rlp==1.0.1
# eth-typing==4.3.1
# eth-utils==4.1.1
# frozenlist==1.4.1
# gitdb==4.0.11
# gitpython==3.1.43
# hexbytes==0.3.1
# idna==3.7
# importlib-metadata==7.1.0
# jinja2==3.1.4
# jsonschema==4.22.0
# jsonschema-specifications==2023.12.1
# lru-dict==1.2.0
# markupsafe==2.1.5
# multidict==6.0.5
# numpy==2.0.0
# packaging==24.1
# pandas==2.2.2
# parsimonious==0.10.0
# pillow==10.3.0
# -e file:///code/testrepo
# protobuf==5.27.1
# pyarrow==16.1.0
# pycryptodome==3.20.0
# pydeck==0.9.1
# pympler==1.0.1
# python-dateutil==2.9.0.post0
# pytz==2024.1
# pyunormalize==15.1.0
# referencing==0.35.1
# regex==2024.5.15
# requests==2.32.3
# rlp==4.0.1
# rpds-py==0.18.1
# semver==3.0.2
# six==1.16.0
# smmap==5.0.1
# streamlit==1.9.0
# toml==0.10.2
# toolz==0.12.1
# tornado==6.4.1
# typing-extensions==4.12.2
# tzdata==2024.1
# tzlocal==5.2
# urllib3==2.2.2
# validators==0.28.3
# watchdog==4.0.1
# web3==6.19.0
# websockets==12.0
# yarl==1.9.4
# zipp==3.19.2 |
That's usually the case because you've constrained the problem space of the resolver. If there isn't a lower bound on dependencies it is possible for the resolver to backtrack in an unexpected way due to transitive constraints added by other dependencies. The resolution we're producing is "valid" with the given constraints, just not expected or ideal. I'd highly recommend taking a look at the linked issues as there's a lot of detail about how the resolver can get in situations like this. |
To be clear, we want to improve the behavior of the resolver in cases like this but it's an open research problem what the best way to do so is. |
using
so it's the timeless problem of "should we have upper bounds" wherein we favor older versions that are sure to work versus ruling out compatibility with future versions that might work. EDIT: pip choose to backtrack through numpy, which scores a hole in one in this case
|
If the goal is to have behavior that’s closer to pip, we may be able to close this as a duplicate of #3149 which would give us more similar “requested order” behavior. In general though, if you’re seeing a resolution that gives you packages with lower versions that o you’d like, I still think the right solution is to add a lower bound. pip and uv could change heuristics at any time which could lead to a different resolution. If a resolution isn’t matching what you want, it makes sense to encode that in your constraints. |
I definitely learned more about dependency resolution. Seems like this is just a difference in approach. There's a fundamentally different approach to dependency resolution, if I understand it correctly:
Both are arbitrary, just in different ways. I think I'd prefer backtracking on "most recent version" across all chosen packages. That would consistently pick numpy in this example, irrespective of listed order. However that requires having access to release date, which I'm not sure is even in the metadata. As well, pip's approach of fetching all packages before backtracking makes more sense to me, so you could find the "most recent version" reliably, without impact from listed order. If My team is going to add lower bounds, and possibly upper bounds, going forward. So in practice that solves our problem. Feel free to close. |
It's a little more complicated than that for pip. Pip does indeed first do a breadth first search of the direct dependencies, check for the latest of each, but after that it does a depth first search of the transitive dependencies. For example, pip will have a very different behavior if instead of having these dependencies in a requirements.txt you put them as dependencies in a pyproject.toml and install that package, these will now be treated as transitive dependencies (as the only direct dependency is now the package) and pip will do a depth first search for them immediately. So there are many situations where pip can end up also installing really old versions of a package, and the advise is the same from pip, constrain your dependencies by adding reasonable lower bounds. |
Seems that's not the case as my tests above where all with pyproject.toml, unless something else is going on. I agree pip's approach is basically equally arbitrary, and not superior in general. They just seem to have a different way of parsing "requested order". |
Thanks for doing some investigation! We appreciate it. |
Well there is a big different between direct and transitive dependencies for pip, you will get "nicer" behavior when they are direct dependencies, such as pulled from a requirements.txt. I'm looking at ways to improve this, so pip can understanding if there is only 1 candidate for a package,to treat its dependencies as direct dependencies when resolving. But also you're right, the ordering of transitive requirements is different, also resolvelib (the resolution library for pip) has less situations where it has to exhaust all candidates of a particular requirement compared pubgrub-rs (the resolution library for uv). |
uv
worked fine until a recent update to one of these packages (not uv itself, saw the same on 0.19) caused it to go into dependency resolution hell.pip freeze
results forpip
anduv
for 4 different configurations.web3==6.19.0
which agrees withpip
but at the cost of removing dependencies.uv
I useuv venv .venv -p 3.10 && source .venv/bin/activate && uv pip install -e .
The text was updated successfully, but these errors were encountered: