On 2021-01-07 10:15:59 +0000 (+0000), Stephen Finucane wrote: [...]
Out of curiosity, would limiting the list in lower-constraints to the set of requirements listed in 'requirements.txt' help matters? That would at least ensure the lower version of our explicit dependencies worked. The main issue I could see with this is potentially a lot of thrashing from pip as it attempts to find versions of implicit dependencies that satisfy the various constraints, but I guess we'll have to address that when we come to it.
You can try it locally easily enough, but my recollections from before is that what you'll find for larger projects is old releases of some dependencies don't pin upper bounds of their own dependencies and wind up not being usable because they drag in something newer than they can actually use, so it'll be an iterative effort to figure those out. Which has essentially been my problem with that lower bounds testing model, it's a manual effort to figure out what versions of modules in the transitive set will actually be compatible with one another, and then you basically get to redo that work any time you want to adjust a lower bound for something. But do give it a shot and let us know if it winds up being easier than all that. -- Jeremy Stanley