-
Notifications
You must be signed in to change notification settings - Fork 199
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ENH: Allow newer version of dependencies #1748
ENH: Allow newer version of dependencies #1748
Conversation
09d26ef
to
0444b17
Compare
cc: @diazandr3s I have run into various python package version conflicts (due to too strict pinning) when building MonaiLabel Slicer extension into one of my Slicer custom applications. This is the motivation for this change. |
@tangy5 Would you be able to provide review for this work? |
Changing to >= is not recommended for dependency packages. For example tonight it might work one user and tomorrow the same PIP version of monailabel can become unstable for another user. May not even get installed or as issues as one of the dependent versions get upgraded. also we can't track any changes in the license type between old and new dependent versions. If you are looking for updating any dependent packages, please update them to the next best version. Also please get it tested/verified via 3D slicer or ohif viewer for certain e2e usecase. |
Also Note.. due to old setup.cfg way of building the pip package, the dependencies for the monailabel pip package is actually pulled from https://github.com/Project-MONAI/MONAILabel/blob/main/setup.cfg#L37 requirements.txt is for development env or for setting up docker dependencies. |
Thanks @SachidanandAlle for pointing to https://github.com/Project-MONAI/MONAILabel/blob/main/setup.cfg#L37.
Major python packages with dependencies do not subscribe to this technique of hard pinning to a specific version. Upper bounds for known breaking behavior or exceptions for known failures are added, but not the strict behavior of pinning to a specific version. For a developer doing research on tasks, they can definitely subscribe to a pip freeze type development to use the exact versions of all dependencies, but this should not be managed as such at the python package level. |
Today, there are 2 types of distributions for monailabel.
When we stop 2nd option then I do recommend the >= option for dependent packages. Because docker has the state that is verified/tested and remains constant. I do understand that major python packages do not subscribe this hard pinning. |
For clarity why is it today that Line 38 in b85d6b1
Lines 69 to 71 in b85d6b1
|
very good question. monai expects someone to use it as a dependent package to create some product/solution. and on regarding scikit-learn and scipy not having version, i would suggest team to get it fixed. if they are getting pulled from other dependent chain, then just remove it as direct dependency. i will consider it as a bug to be fixed. i hope that answers your question. |
I think fundamentally the difference is that I've been considering @lassoan Do you have thoughts you can provide here about the hard pinning of dependencies which can collide with 3D Slicer dependencies leading to unnecessary install/uninstall events of packages? |
One thing to consider in the case of Line 30 in b85d6b1
This is because scipy dropped support for Python 3.8 starting with v1.11.0 . The older scipy v1.10.x only has whl files for Python 3.8-3.11 (https://pypi.org/project/scipy/1.10.1/#files) and then scipy v1.14.0 dropped support for Python 3.9.
|
I have the exact same thoughts as @jamesobutler. Only applications are aware of all the end-user goals and all the required tools, libraries, and environment, so only applications can define exact library versions. Libraries should be as permissive as possible with their requirements to make it feasible to build applications. I understand that It requires extra effort from library developers to be compatible with a range of versions of many dependent libraries, but this is necessary, otherwise developers would not be able to embed/customize/extend the software for their application. |
0444b17
to
436102c
Compare
Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages. Signed-off-by: James Butler <james.butler@revvity.com>
436102c
to
238e7b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lets merge this for now.
Lets track any issues related to installation from customers. in that case we can revert this PR if needed.
Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages. Signed-off-by: James Butler <james.butler@revvity.com> Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>
* fix ignite-info issue Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * update monai version Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * revert version change Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * temp fix Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * minor fix Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * minor fix Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * update to 3.9 and drop 3.8 Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * [pre-commit.ci] pre-commit autoupdate (#1716) updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0) - [github.com/psf/black: 24.3.0 → 24.4.2](psf/black@24.3.0...24.4.2) - [github.com/psf/black: 24.3.0 → 24.4.2](psf/black@24.3.0...24.4.2) - [github.com/PyCQA/flake8: 7.0.0 → 7.1.0](PyCQA/flake8@7.0.0...7.1.0) - [github.com/pre-commit/mirrors-mypy: v1.9.0 → v1.10.1](pre-commit/mirrors-mypy@v1.9.0...v1.10.1) - [github.com/asottile/pyupgrade: v3.15.2 → v3.16.0](asottile/pyupgrade@v3.15.2...v3.16.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * Bump urllib3 from 2.2.1 to 2.2.2 (#1753) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.1 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.2.1...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * Bump requests from 2.31.0 to 2.32.2 (#1754) Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.2. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.31.0...v2.32.2) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * ENH: Allow newer version of dependencies (#1748) Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages. Signed-off-by: James Butler <james.butler@revvity.com> Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * Release 0.8.4 checks and updates (#1757) * Release 0.8.4 checks and updates Signed-off-by: tangy5 <yuchengt@nvidia.com> * Trigger monai container update Signed-off-by: tangy5 <yuchengt@nvidia.com> * Drop python 3.8 Signed-off-by: tangy5 <yuchengt@nvidia.com> * Drop python 3.8 Signed-off-by: tangy5 <yuchengt@nvidia.com> --------- Signed-off-by: tangy5 <yuchengt@nvidia.com> Co-authored-by: tangy5 <yuchengt@nvidia.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * Add MITK as supported platform (#1759) Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * Add MITK to installation docs (#1761) * Add MITK as supported platform Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de> * Update link to MONAI Label repo Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de> * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * fix(mode): no need to initialize toolbar service (#1763) Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * BUG: Fix traceback in restored transform (#1766) Using transforms from MONAI and MONAILabel can result in metadata containing torch.tensors and torch.Sizes. This change fixes a traceback in the restored transform resulting from an incompatibility between torch datatypes and numpy.any(). Signed-off-by: Thomas Kierski <thomas.kierski@revvity.com> Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * Revert "update to 3.9 and drop 3.8" This reverts commit 8ced475. Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * revert Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * revert Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> * revert Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> --------- Signed-off-by: YunLiu <55491388+KumoLiu@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: James Butler <james.butler@revvity.com> Signed-off-by: tangy5 <yuchengt@nvidia.com> Signed-off-by: Ashis Ravindran <ashis.ravindran@dkfz-heidelberg.de> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: SACHIDANAND ALLE <sachidanand.alle@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: James Butler <jamesobutler@users.noreply.github.com> Co-authored-by: tangy5 <58751975+tangy5@users.noreply.github.com> Co-authored-by: tangy5 <yuchengt@nvidia.com> Co-authored-by: Ashis Ravindran <33703127+ASHISRAVINDRAN@users.noreply.github.com> Co-authored-by: Alireza <ar.sedghi@gmail.com> Co-authored-by: Thomas Kierski <54414492+ThomasKierski@users.noreply.github.com>
Pinning basic packages such as "requests" to a specific patch level release such "2.31.0" is too strict. New releases and especially new patch releases allow to use latest security updates of various packages.