Ability to override/ignore sub-dependencies

[zehauser]

• I have searched the issues of this repo and believe that this is not a duplicate.

(However, it is related to #436).

Issue

In the dark, old world of Python packaging, sub-dependencies are handled very poorly. If I recall correctly, pip will happily install a sub-dependency despite conflicting versions being specified by two direct dependencies... in fact I think which version it ends up installing depends on the order in requirements.txt. Yuck! Only very recently has it even started issuing a warning for cases like this.

In contrast, poetry does this right. It computes the entire dependency tree and will complain if there are conflicts anywhere in the tree.

But... many packages out there are not specifying their dependencies properly. Even if they are, there's always the possibility that their specified dependencies are a tighter range than they strictly need to be.

Is there a way to tell Poetry to force a specific version (or version) range of a dependency in cases like this — or in other words, to ignore a dependency specification of another dependency somewhere in the tree? If not, should there be?

[swarmer]

+1
Looks like this can be enough of a problem to make poetry unusable for many non-library projects, so this is quite important.

[zehauser]

@sdispater You must be super busy, but what are your initial thoughts on this?

[sdispater]

I don't think this is desirable. This would require a lot of work and add complexity to the resolver - which is already complex due to the Python specific ecosystem - because of some packages specifying their dependencies poorly. I don't want Poetry to have to make up for a lack of proper tools or proper specifications, there is already a lot of work to be done as it is.

This is the job of each package's maintainers to ensure their dependencies are correct and loose enough to not create conflict.

If we ever want to have an ecosystem similar to what other languages already have, we have to draw the line somewhere and enforce everyone to contribute to the common goal. Poetry helps with that by making it easier to build and manages Python projects.

[danielkza]

@sdispater While you are completely correct in principle, in reality there are cases where not being able to perform overrides means being completely unable to install some packages, specially when multiple projects specify conflicting version constraints.

Waiting for the whole ecosystem to improve will take years, and in the meanwhile Poetry is unusable in some cases, which is a shame considering it brings lots of improvements in other areas.

As a practical example, awscli requires a particular version range colorama while docker-compose requires another. That makes it completely impossible to install both simultaneously, and neither of the projects are willing to make a change. But in practice both programs work correctly (since I've been using them in the same venv for years).

Even other package managers that work with more "well-behaved" ecosystems allow overrides e.g. Maven, SBT and others in Java world.

[fsworld009]

Would also like to have this option, especially as of now there are packages cannot be installed because poetry fails to parse their setup.py, like #904.

[drunkwcodes]

Uncompromising claim is good to formalize the package versioning.

But the conflicts are existing for sure. And packages are ofter more useful than it claims.
An error mitigation strategy is a must.

I think it's good to have a export option to write those conflicts in a requirements.txt.
And we can review & edit them like dealing a merge conflict.

So the work flow will be like:

1. poetry export --ignore-conflicts
2. Resolve conflicts in requirements.txt.
3. pip install -r requirements.txt

This can be a plug-in if necessary. Maybe related to #558 #663 & #955.

[RXminuS]

I've ran into exactly the same issue as @danielkza. But I don't think we need to make it that complicated, if you could just tell poetry to completely ignore the dependencies specified by a package then you can always just specify your own.

Also at the moment, it can take a really long time for poetry install to try every combination of dependencies, there must be a better way than iterating down the version numbers?

[floer32]

I am sympathetic to the points about having some way to override or accelerate or skip resolution on an opt-in basis, but also always want to avoid making compromises to the "real, thorough" way of doing a task like this for the sake of proactively optimizing some efficient way...

Explicit control seems best... So you can do real/thorough at maintenance times, in master CI/CD or base docker/VM image baking, etc etc, then more efficient when there has not been a change in the reqs. (And that 'has there been a change?' part is well-solved by things like git-checks and/or docker image caching, and I do think it's best to keep that burden on those tools, and really avoid complicating concepts of cache,state, or history in Poetry itself.)

---

I like @drunkwcodes 's workflow suggestion, and agree that #558 seems related. It really seems there is another subcommand or workflow waiting to be fleshed out...

As @drunkwcodes says maybe it could be a plugin. Personally I am fine "dropping down" to pip for these cases, and then continuing to rely on Poetry as the "master" and what I rely on for longevity and maintenance.

[floer32]

brainstorming what this new subcommand or plugin may look like

This more-locked installation should probably be tied in with wheels (re: #558). It may even directly involve using pip to keep things explicit (kinda relates to #1012), but just have more known-good ways to handle in the poetry commands or flags.

two related/compatible use-cases

(a) poetry -> reqs, per @drunkwcodes example, and helps address #697

poetry export --ignore-conflicts
# [as needed] "Resolve conflicts in requirements.txt" - manually, or interactive prompt option? 
pip install -r requirements.txt

(b) reqs -> wheels -> install-with-pip

... installing with pip doesn't necessarily conflict with Poetry, you can do the pip-install-from-wheels / with-whatever-options, then call poetry install and it will do almost nothing if things look good, otherwise it'll install just the little bit of drift.

... seems to help address #558, and by directly exposing pip may make sense for cases like #1012

poetry export --ignore-conflicts 
# [as needed] "Resolve conflicts in requirements.txt"  - manually, or interactive prompt option? 
pip wheel -r requirements.txt  # assumption: you've set PIP_WHEEL_DIR
pip install --find-links "file://$PIP_WHEEL_DIR" -r requirements.txt

imagining new options to bring things together

implicit in example below: poetry export should take an argument for what its output is named (currently it is hardcoded to requirements.txt, it should take a filename or allow stdout output (convention being -))

intermediate idea 1

pip wheel -r <( poetry export --ignore-conflicts --output - )  # pip respects PIP_WHEEL_DIR or --wheel-dir, see pip docs
poetry install --find-links="file://$PIP_WHEEL_DIR"  # ..? does it need reqs again?

intermediate idea 2 - seems clean to me, but could be disagreeable to some

poetry export --ignore-conflicts --fetch-wheels --wheel-output=./wheelhouse --output=poetry.wheelhouse.lock
poetry install --find-links=./wheelhouse --extra-lock=./poetry.wheelhouse.lock

the idea in that second one being, in the event of a conflict, poetry would fall back to the --extra-lock file that was given. Or maybe call it --extra-constraints and .txt instead of .lock, if it seems like concepts are getting blurry.

intermediate idea 3 - does require one pip call, but very explicit?

If that's too weird, this is a fairly clean compromise:

poetry export --ignore-conflicts --wheel-output=./wheelhouse --output=poetry.wheelhouse.txt
pip install --find-links "file://./wheelhouse" -r poetry.wheelhouse.txt
poetry install --find-links=./wheelhouse

... in that last idea, poetry install is not even paying attention to poetry.wheelhouse.txt (which is just a requirements.txt, just trying to name it so its origin and usage context are clear). it's using its own pyproject.toml/poetry.lock, only, in that one; but it would prefer the wheelhouse before using PyPI.

poetry install would just happen to ignore already-installed cases and not hit conflicts, based on that pip install step.

(I also omitted --fetch-wheels because maybe that can just be implicit from the --wheel-output flag being present.)

interactive conflict resolution?

In those three examples I was trying to suggest ways that the intermediate manual step of hand-resolving conflicts, could be skipped, yet still having determinate results (if one checks the export'd artifact into VCS.

There could still be cases where something like,

poetry export --interactive-conflicts

and/or

poetry lock --interactive-conflicts

could be relevant; with prompts asking what choice is preferred. Since they are supervised maintenance tasks they could be interactive ...

p.s. pip flags in general

Also there still seems to be a general need to allow most/all pip options/env-vars/flags to be controlled from Poetry config and/or CLI. Will help a number of use cases.

[drunkwcodes]

I think the command can even be renamed to poetry resolve, which only outputs conflict warnings or errors by default, and has -o, -v, --tree options. Since somtimes we need the dependency resolution result but not to export.

• -o option is same as poetry export -f
• -v option means verbose and shows debug messages of the resolver.
• --tree option will lists dependency graphics in terminal.

P.S Reply to interactive mode:

interactive conflict resolution?

In those three examples I was trying to suggest ways that the intermediate manual step of hand-resolving conflicts, could be skipped, yet still having determinate results (if one checks the export'd artifact into VCS.

Spawn a process to open text editor like vi[m], emacs, nano etc. right after file generation sounds adequate.

[floer32]

That sounds really great. Less steps the better and your suggestion coheres very well with the existing functionality and the intentions we are discussing.

[epage]

So the use cases we've been running into with proper dependency resolution: packages we get value out of that have low activity or are unmaintained that happen to work with newer versions of dependencies. This is much worse than in Rust because Rust supports multiple versions of a dependency existing in your dependency graph. Here, we need one compatible version through the entire graph.

The proposed solution for this seems to rely on manually resolving the conflcit on every upgrade. This seems tedious for a process (poetry update) that we should be able to automate (i.e. via Dependabot). Personally, my preference would be for the override to be recorded in the pyproject.toml file so it can be a persistent input to the process. For example, we could have a table of patches to the dependency graph that override the version constraint.