Comments (10)
To follow up, this was resolved in today's release (botocore 1.34.63) with #3141. Users on Python 3.10+ should be free to control their urllib3 2.x requirements going forward.
from botocore.
Hi everyone, just to reiterate what was discussed in the original issue since it was left out of the description. Botocore cannot support urllib3 2.0 on Python <3.10, this is covered in the urllib3 docs as well. There are no plans currently to change that as it would result in broad impact for AWS customers until they manually pin themselves.
For Python 3.10+, urllib3 2.2.0 had breaking changes that were impacting botocore until the most recent release on Saturday (Feb 17). We're currently reviewing the latest version to confirm there are no other subtle breakages and will update this ticket once we have a clear path to moving the pin. Thanks for your patience!
Can't you just vendor urllib3?
The short answer is no. We already vendored urllib3 for years (`botocore>=1.0.0,<=1.12.253`) before ultimately removing it from botocore, and it was similarly removed from Requests. The primary downsides are size and longevity of releases. Once there's a vulnerability in urllib3, every version of botocore with an older vendored copy becomes either an active security risk or wasted space on PyPI. Keeping the two projects separated allows for more flexibility in choices, as well as not requiring us to make a release for customers to patch their systems.
The other major issue is the size of botocore. While already large, adding vendored dependencies further increases overall size and creates problems when packaged for Lambda. The downsides of vendoring outweigh the majority of the benefits which we already have empirical data on. While it's unfortunate we may not have same day parity with new releases, the trade off is stability at the expense of a moderate delay.
Can't you just vendor urllib3?
Thanks for the feedback, @robd003. To make sure we're on the same page, all versions of urllib3 we support are actively maintained, stable releases. urllib3 1.x is still receiving updates and we're currently ~3 weeks behind on the first stable release of urllib3 for 2.x beyond what we currently support.
Major versioning botocore would make this packaging problem considerably worse. Anyone using the AWSCLI, PynamoDB, Boto3, aiobotocore, or s3fs in conjunction would start breaking with a new major version and you'd still have a urllib3 pin somewhere in that set. We'd also be detracting time from fixing this issue in the current major version of botocore by having to maintain multiple variants of this package. There's no tangible benefit to the end user in that setup.
Thanks for your continued patience while this is addressed.
God please yes!
```
Collecting urllib3<1.27,>=1.25.4 (from botocore<1.35.0,>=1.34.48->boto3<2,>=1.9.253->watchtower)
  Using cached urllib3-1.26.18-py2.py3-none-any.whl.metadata (48 kB)
```
I keep having to do this
```
pip install watchtower --no-dependencies
pip install boto3 --no-dependencies
pip install botocore --no-dependencies
```
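When packages are installed with dependency resolution skipped, as in the commands above, nothing verifies that the urllib3 actually present falls inside the range botocore declares; `pip check` reports such conflicts for the whole environment. The following is an added example, not code from this thread or from botocore, that performs the same check for the single pin shown in the pip output; the helper names are hypothetical and only plain numeric versions are handled.

```python
import re
from importlib import metadata

# Comparison operators that appear in simple pins such as "<1.27,>=1.25.4".
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

def _key(version):
    """Turn '1.26.18' into (1, 26, 18); non-final releases are rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in version.split("."))

def satisfies(version, specifier):
    """True if `version` meets every clause of a comma-separated specifier."""
    have = _key(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        want = _key(m.group(2))
        # Pad with zeros so that 2.0 and 2.0.0 compare equal.
        width = max(len(have), len(want))
        a = have + (0,) * (width - len(have))
        b = want + (0,) * (width - len(want))
        if not _OPS[m.group(1)](a, b):
            return False
    return True

def check_installed(package, specifier):
    """Return (installed_version, ok), or None if the package is absent."""
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None
    return installed, satisfies(installed, specifier)

# Pin copied from the pip output quoted in the comment above.
BOTOCORE_URLLIB3_PIN = "<1.27,>=1.25.4"

if __name__ == "__main__":
    print(check_installed("urllib3", BOTOCORE_URLLIB3_PIN))
```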
One more thing is that the application I am working on also uses `requests`, which uses `urllib3` in turn. I continue to wish that `botocore` could leave this up to the higher-level application. This was part of my original request.
P.S. Yes I do totally understand the need to keep the functionality stable, avoiding breaking changes from underlying modules such as urllib3. But there will be users who would rather avoid using outdated versions, especially if they may affect any other libraries. I guess this is a situation we cannot avoid given the design of Python & PIP installations.
Just to clarify, Requests has no requirements to update to urllib3 2.0, it's compatible with both the 1.x and 2.x branches. urllib3 1.26.x is still actively maintained and is receiving continued releases for the foreseeable future.
But yes, you're right, a lot of the defensiveness in our pins is due to how Python's packaging infrastructure works. Without the pins we'd have had ~4-5 large scale breakages for boto3, which is the most downloaded Python package. On the rare occasions those do happen, it's felt across a large portion of the Python ecosystem. We have to weigh safety over total flexibility since there are breakages with a major version bump in dependencies.
Why not have botocore 1.x for ancient Python versions and botocore 2.x for all the modern cool kids who stick with active stable releases and actually maintain their code base?
This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
Related Issues (20)
- When uploading, checking 'Expect' header results in "TypeError: sequence item 0: expected str instance, bytes found" HOT 46
- Support urllib3 2.1.0 and 2.2.0 to be installed HOT 2
- Add pagination support for App Runner ListServices HOT 2
- ExpiredTokenException: Error when retrieving credentials from container-role HOT 6
- Add missing waiters for RDS Blue green deployment HOT 2
- PageIterator skipping a page when browsing `list_objects_v2` with Delimiter
- Urllib3 version upgrade to >2.0 HOT 3
- Relax urllib3 upper bound HOT 3
- 100-continue handled incorrectly HOT 2
- EventStreamError is a 400 and never retries, but some EventStreamErrors are retriable HOT 1
- KeyError: 'error' when creating client/getting object HOT 3
- [EC2] `PlatformValues` enum is incorrect in botocore shapes
- Fix wrong documentation in ec2 import-key-pair around base64 encoding HOT 3
- ResponseStreamingError not retried with urllib3 2.x HOT 2
- Container credentials never refresh HOT 3
- Relax urllib3 upper bounds HOT 2
- Allow urllib3 2.2.1 to be installed HOT 4
- KeyValueStoreAssociations missing in CloudFront CreateFunction HOT 3
- botocore 1.34.63 requires outdated urllib3 with python 3.10 but python 3.11 HOT 2