Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ENH: Allow newer version of dependencies #1748

Merged

Conversation

jamesobutler
Copy link
Contributor

Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages.

@jamesobutler jamesobutler force-pushed the remove-strict-pin-dependencies branch from 09d26ef to 0444b17 Compare October 4, 2024 17:13
@jamesobutler
Copy link
Contributor Author

cc: @diazandr3s I have run into various python package version conflicts (due to too strict pinning) when building MonaiLabel Slicer extension into one of my Slicer custom applications. This is the motivation for this change.

@jamesobutler
Copy link
Contributor Author

@tangy5 Would you be able to provide review for this work?

@SachidanandAlle
Copy link
Collaborator

SachidanandAlle commented Oct 7, 2024

Changing to >= is not recommended for dependency packages.

For example tonight it might work one user and tomorrow the same PIP version of monailabel can become unstable for another user. May not even get installed or as issues as one of the dependent versions get upgraded. also we can't track any changes in the license type between old and new dependent versions.

If you are looking for updating any dependent packages, please update them to the next best version.
And each such update needs to make sure all the test cases pass and all the apps (radiology, pathology etc..) works well for both inference, training etc over min monai bundles/models.

Also please get it tested/verified via 3D slicer or ohif viewer for certain e2e usecase.

@SachidanandAlle
Copy link
Collaborator

SachidanandAlle commented Oct 7, 2024

Also Note..

due to old setup.cfg way of building the pip package, the dependencies for the monailabel pip package is actually pulled from https://github.com/Project-MONAI/MONAILabel/blob/main/setup.cfg#L37

requirements.txt is for development env or for setting up docker dependencies.

@jamesobutler
Copy link
Contributor Author

Thanks @SachidanandAlle for pointing to https://github.com/Project-MONAI/MONAILabel/blob/main/setup.cfg#L37.

For example tonight it might work one user and tomorrow the same PIP version of monailabel can become unstable for another user. May not even get installed or as issues as one of the dependent versions get upgraded. also we can't track any changes in the license type between old and new dependent versions.

Major python packages with dependencies do not subscribe to this technique of hard pinning to a specific version. Upper bounds for known breaking behavior or exceptions for known failures are added, but not the strict behavior of pinning to a specific version. For a developer doing research on tasks, they can definitely subscribe to a pip freeze type development to use the exact versions of all dependencies, but this should not be managed as such at the python package level.

@SachidanandAlle
Copy link
Collaborator

Today, there are 2 types of distributions for monailabel.

  1. Docker
  2. PIP Package

When we stop 2nd option then I do recommend the >= option for dependent packages. Because docker has the state that is verified/tested and remains constant.

I do understand that major python packages do not subscribe this hard pinning.
But for monailabel we want to guarantee what worked yesterday (or on the day of release tag), will work today. We are not expecting monailabel to support getting along with other packages in the same venv.

@jamesobutler
Copy link
Contributor Author

jamesobutler commented Oct 7, 2024

But for monailabel we want to guarantee what worked yesterday (or on the day of release tag), will work today.

For clarity why is it today that monai core (specified as a dependency of monailabel) does not have a hardened pin?

monai[nibabel, skimage, pillow, tensorboard, gdown, ignite, torchvision, itk, tqdm, lmdb, psutil, openslide, fire, mlflow]>=1.3.1

monai core itself does not specify a hard pin for packages such as numpy, torch, etc per https://github.com/Project-MONAI/MONAI/blob/1.3.2/setup.cfg#L43-L45. Additionally scipy and scikit-learn have no hard pin, but urllib3 does. There appears to be an inconsistency in approach here where it should have no bounds specified or at least minimum bounds based on known compatibility purposes.

MONAILabel/setup.cfg

Lines 69 to 71 in b85d6b1

urllib3==2.2.1
scikit-learn
scipy

@SachidanandAlle
Copy link
Collaborator

SachidanandAlle commented Oct 7, 2024

very good question.
there is a tiny difference between monai and monai label. library vs final solution.

monai expects someone to use it as a dependent package to create some product/solution.
monailabel expects itself to be the end product/solution.

and on regarding scikit-learn and scipy not having version, i would suggest team to get it fixed. if they are getting pulled from other dependent chain, then just remove it as direct dependency. i will consider it as a bug to be fixed.

i hope that answers your question.

@jamesobutler
Copy link
Contributor Author

I think fundamentally the difference is that I've been considering monailabel to be a python library used in my end-application of choice and that monailabel itself is not a hardened product.

@lassoan Do you have thoughts you can provide here about the hard pinning of dependencies which can collide with 3D Slicer dependencies leading to unnecessary install/uninstall events of packages?

@jamesobutler
Copy link
Contributor Author

and on regarding scikit-learn and scipy not having version, i would suggest team to get it fixed. if they are getting pulled from other dependent chain, then just remove it as direct dependency. i will consider it as a bug to be fixed.

One thing to consider in the case of scipy is that there is no single version of scipy that is compatible with the current specification where monailabel specifies it works for python >=3.8. There is not a single version of scipy to support all stables releases of Python >=3.8 which include 3.8.x, 3.9.x, 3.10.x, 3.11.x, 3.12.x and 3.13.x. You would have to at minimum specify a hardened version of scipy specific to various python versions.

python_requires = >= 3.8

This is because scipy dropped support for Python 3.8 starting with v1.11.0. The older scipy v1.10.x only has whl files for Python 3.8-3.11 (https://pypi.org/project/scipy/1.10.1/#files) and then scipy v1.14.0 dropped support for Python 3.9.

@lassoan
Copy link
Collaborator

lassoan commented Oct 7, 2024

I have the exact same thoughts as @jamesobutler. Only applications are aware of all the end-user goals and all the required tools, libraries, and environment, so only applications can define exact library versions. Libraries should be as permissive as possible with their requirements to make it feasible to build applications.

I understand that It requires extra effort from library developers to be compatible with a range of versions of many dependent libraries, but this is necessary, otherwise developers would not be able to embed/customize/extend the software for their application.

@jamesobutler jamesobutler force-pushed the remove-strict-pin-dependencies branch from 0444b17 to 436102c Compare October 7, 2024 21:02
Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages.

Signed-off-by: James Butler <james.butler@revvity.com>
@jamesobutler jamesobutler force-pushed the remove-strict-pin-dependencies branch from 436102c to 238e7b4 Compare October 14, 2024 17:45
Copy link
Collaborator

@SachidanandAlle SachidanandAlle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets merge this for now.
Lets track any issues related to installation from customers. in that case we can revert this PR if needed.

@SachidanandAlle SachidanandAlle enabled auto-merge (squash) October 14, 2024 18:08
@SachidanandAlle SachidanandAlle merged commit 6535453 into Project-MONAI:main Oct 14, 2024
24 checks passed
@jamesobutler jamesobutler deleted the remove-strict-pin-dependencies branch October 14, 2024 18:25
KumoLiu pushed a commit that referenced this pull request Oct 29, 2024
Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages.

Signed-off-by: James Butler <james.butler@revvity.com>
Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>
SachidanandAlle added a commit that referenced this pull request Nov 21, 2024
* fix ignite-info issue

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* update monai version

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* revert version change

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* temp fix

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* minor fix

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* minor fix

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* update to 3.9 and drop 3.8

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* [pre-commit.ci] pre-commit autoupdate (#1716)

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0)
- [github.com/psf/black: 24.3.0 → 24.4.2](psf/black@24.3.0...24.4.2)
- [github.com/psf/black: 24.3.0 → 24.4.2](psf/black@24.3.0...24.4.2)
- [github.com/PyCQA/flake8: 7.0.0 → 7.1.0](PyCQA/flake8@7.0.0...7.1.0)
- [github.com/pre-commit/mirrors-mypy: v1.9.0 → v1.10.1](pre-commit/mirrors-mypy@v1.9.0...v1.10.1)
- [github.com/asottile/pyupgrade: v3.15.2 → v3.16.0](asottile/pyupgrade@v3.15.2...v3.16.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* Bump urllib3 from 2.2.1 to 2.2.2 (#1753)

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.1 to 2.2.2.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.2.1...2.2.2)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* Bump requests from 2.31.0 to 2.32.2 (#1754)

Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.2.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.31.0...v2.32.2)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* ENH: Allow newer version of dependencies (#1748)

Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages.

Signed-off-by: James Butler <james.butler@revvity.com>
Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* Release 0.8.4 checks and updates (#1757)

* Release 0.8.4 checks and updates

Signed-off-by: tangy5 <yuchengt@nvidia.com>

* Trigger monai container update

Signed-off-by: tangy5 <yuchengt@nvidia.com>

* Drop python 3.8

Signed-off-by: tangy5 <yuchengt@nvidia.com>

* Drop python 3.8

Signed-off-by: tangy5 <yuchengt@nvidia.com>

---------

Signed-off-by: tangy5 <yuchengt@nvidia.com>
Co-authored-by: tangy5 <yuchengt@nvidia.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* Add MITK as supported platform (#1759)

Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* Add MITK to installation docs (#1761)

* Add MITK as supported platform

Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de>

* Update link to MONAI Label repo

Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

---------

Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* fix(mode): no need to initialize toolbar service (#1763)

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* BUG: Fix traceback in restored transform (#1766)

Using transforms from MONAI and MONAILabel can result in metadata containing torch.tensors and torch.Sizes. This change fixes a traceback in the restored transform resulting from an incompatibility between torch datatypes and numpy.any().
Signed-off-by: Thomas Kierski <thomas.kierski@revvity.com>
Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* Revert "update to 3.9 and drop 3.8"

This reverts commit 8ced475.

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* revert

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* revert

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

* revert

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>

---------

Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: James Butler <james.butler@revvity.com>
Signed-off-by: tangy5 <yuchengt@nvidia.com>
Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Butler <jamesobutler@users.noreply.github.com>
Co-authored-by: tangy5 <58751975+tangy5@users.noreply.github.com>
Co-authored-by: tangy5 <yuchengt@nvidia.com>
Co-authored-by: Ashis Ravindran <33703127+ASHISRAVINDRAN@users.noreply.github.com>
Co-authored-by: Alireza <ar.sedghi@gmail.com>
Co-authored-by: Thomas Kierski <54414492+ThomasKierski@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants