Skip to content

Further constrain dependency versions in setup.py and requirements.txt #934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mhucka wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Further constrain dependency versions in setup.py and requirements.txt #934

mhucka wants to merge 7 commits into from
+68 −16

Conversation

@mhucka
Copy link
Member

@mhucka mhucka commented Dec 11, 2025
edited
Loading

This PR addresses three needs with respect to dependency management and updates both setup.py and requirements.txt to add some constraints on a few dependencies in order to make installations trouble-free.

  • In some environments, we need to constrain the versions of certain Python packages required to pip-install TFQ in order to avoid pip dependency resolution errors. The two problems that I'm seeing on Linux and Colab are (a) pip may try to install a version of the dependency that requires a higher version of Python than what the user is running, an (b) pip tries to install or build NumPy 2 because some dependency version constraints NumPy to be >2. To deal with this, this PR adds a few additional version constraints to setup.py for packages that end up needing to be installed when installing TFQ. These additions to setup.py are the minimum version constraints that produced error-free installations in my testing.

  • Similar dependency version constraints need to be specified for developers installing dependencies using requirements.txt. However, a better approach for requirements.txt is to use a minimal requirements.in file in combination with pip-compile to write the final requirements.txt. The resulting requirements.txt file leads to more predictable build & test environments.

  • A shortcoming of generating requirements.txt with version pins is that the versions of some transitive dependencies may need to be updated to address security releases. Simply re-running pip-compile to produce a new requirements.txt may not update the versions because the dependencies that bring in the transitive dependencies have not themselves changed. The recommended practice for this situation is to put the version constraints into a separate constraint file and pass it as an argument to pip-compile. (pip-compile has explicit support for this.) Some additions to the script scripts/generate_requirements.sh encapsulate and document this process.

@mhucka
Add support for a requirements constraint file
6b8f41c 
Some of the TFQ transitive dependencies have recently gotten Dependabot
alerts to be updated for some security flaws. However running
pip-compile again does not end up updating those dependencies. It seems
that the recommended way to handle this is to use a constraint file.

This updates `./scripts/generate_requirements.sh` to invoke pip-compile
with a constraint file.

It also tells pip-compile to write the name of this script into the
header of the requirements.txt file it generates.
@mhucka
Add requirements-pins.txt
f26f506 
This increases the versions of a few transitive dependencies so that
pip-compile generates higher versions in the requirements.txt, as a way
of addressing some security warnings in the dependencies.
@mhucka
Regenerate requirementst.txt
966f8c2 
Latest version from running `./scripts/generate_requirements.sh`.
@mhucka mhucka marked this pull request as ready for review December 11, 2025 20:35
@mhucka
Minor refactoring
c16613f 
Use an array variable for the constraint argument, as a way of both
keeping with better practices and using the same style for all command
argument variables in this script.
@mhucka
Minor comment clarification
9c986a0
samanoelton
samanoelton approved these changes Dec 12, 2025
View reviewed changes
Copy link

@samanoelton samanoelton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mhucka mhucka changed the title Add support for a requirements constraint file Further constrain dependency versions Dec 13, 2025
@mhucka
Further update some versions
89e3a02 
Testing on the production version of Colab ran into some more version
issues, such as packages whose installation led to pip trying to install
NumPy 2.x instead of 1.x. This adds a few more version constraints.
@mhucka
Don't bother with a -h flag
a47b5f1
@mhucka mhucka changed the title Further constrain dependency versions Further constrain dependency versions in setup.py and requirements.txt Dec 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MichaelBroughton MichaelBroughton Awaiting requested review from MichaelBroughton

1 more reviewer

@samanoelton samanoelton samanoelton approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mhucka @samanoelton