Update python dependencies (or relax constraints)?

[johanneskastl]

When trying to package this, I came across the version constraints for the dependencies:

https://github.com/Nitrokey/pynitrokey/blob/master/pyproject.toml#L22

• python-dateutil 2.8.0 is from 5. Feb 2019, the constraint is for ~= 2.7.0
• cryptography 37 is from 26. Apr 2022, 40 is the current release (constraint is <37)
• protobuf 4.21.1 is from May 2022, the constraint is for >=3.17.3, < 4.0.0
• spsdk 1.8.0 is from October 2022, the constraint is for <1.8.0
• typing_extensions 4.4.0 is from October 2022
• urllib3 reached 2.0.x recently (1.26.15 is from March, so that is not that old)
• (certifi 14.05.14 is from 2014, not sure if anyone tested with such an old version)

Is there any reason for staying with older releases (other than time constraints that every project suffers from)?

Not sure if the tests are catching errors that might come from newer versions of the dependencies (and I know this is hard to guess up front).

[szszszsz]

Hey! Thank you for checking that.
Updating crypto and spsdk is WIP here: #364
About others, I have not noticed this before. We can certainly try them while working on, or in the next step of #364.

[johanneskastl]

Thanks for the fast reply. Nice to see that someone is already working on parts of it. I'll subscribe to #364 and watch the developments.

[drzraf]

Of particular annoyance by today's usual versions:

• protobuf<4.0.0,>=3.17.3
• python-dateutil~=2.7.0
• typing_extensions~=4.3.0

see also: #404

[robin-nitrokey]

I don’t see the issue with protobuf. We depend on "^5.26" via nitrokey-sdk-py, 5.29 is the latest version.

Pinning the minor version for python-dateutil and typing-extensions is indeed unnecessary. I’ll change it to the major version.

[robin-nitrokey]

We don’t even need the two anymore – removed in #591. AFAIS all constraints mentioned in this issue have been removed or relaxed, so I’m closing it. Please open separate issues or PRs if you want to update other dependencies.