Open
Conversation
This is considered best practice and its lack is flagged by the Dockerfile linter.
Another good practice to follow is to update `pip` itself.
Contourpy is a transitive dependency. Version 1.3.3 needs Python 3.11. Something is bringing in version 1.3.3 even if I declare this package as unsafe at `pip-compile` time using the `--unsafe-package` argument. So far the only solution I've found is to put a version contraint in our requirements input file.
The package backports.asyncio.runner is a transitive dependency that should only be installed for Python < 3.11. It doesn't need to be in the requirements files we produce, and conversely, letting `pip-compile` include it leads to installation failures with some Python versions. We can tell `pip-compile` to omit it and this solves the problem.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
pavoljuhas
reviewed
Feb 24, 2026
|
|
||
| sympy | ||
|
|
||
| # Transitive dependency. Versions 1.3.3+ require Python 11. Constraining it |
pavoljuhas
reviewed
Feb 24, 2026
Comment on lines
+138
to
+139
| pip==26.0.1 | ||
| # via pip-tools |
Contributor
There was a problem hiding this comment.
This pip specification should be omitted. It is likely coming from the --unsafe-packageoption in run-pip-compiles.py which perpip-compile --help` replaces the default (distribute, pip, setuptools) packages.
pavoljuhas
reviewed
Feb 24, 2026
Comment on lines
+106
to
+107
| "--unsafe-package", | ||
| "backports.asyncio.runner", |
Contributor
There was a problem hiding this comment.
This introduces pip to the generated requirements. Is this truly needed?
uv pip compile --universal --python-version=3.10 deps/format.txt ...
seems to be able to resolve the dependencies with this version guard:
backports-asyncio-runner==1.2.0 ; python_full_version < '3.11'
pavoljuhas
requested changes
Feb 24, 2026
Contributor
pavoljuhas
left a comment
pavoljuhas
left a comment
There was a problem hiding this comment.
I think we should avoid pinning to a specific pip version; this seems to be a side effect of using the --unsafe-package option.
Can we avoid using that option? uv pip compile seems to be able to condition backports.asyncio.runner by Python version.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR updates some dependencies as well as the scripts used to produce the various environment files, and updates the environment files themselves.
dev_tools/requirements/deps/runtime.txtneeds to set some constraints on versions of some dependencies because higher versions of those dependencies require Python 3.11, which is incompatible with our goal of maintaining Python 3.10 compatibility (for now)dev_tools/requirements/re-pip-compile-in-docker.shneeded an addition to prevent it including a certain Python package that is incompatible with Python 3.11+dev_tools/requirements/Dockerfiledidn't do apip update -U pip, but should; while at it, I added some options to pip to silence irrelevant warnings so that the logs are less noisyNote to reviewers: all of the
.txtrequirements files underdev_tools/requirements/envs/anddev_tools/requirements/max_compat/are solely the output of runningdev_tools/requirements/re-pip-compile-in-docker.sh.