On 2020-04-18 16:18:24 +0200 (+0200), Radosław Piliszek wrote:
> On Sat, Apr 18, 2020 at 2:56 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
[...]
> > In what way is it not enforced? Or put another way, what were
> > you expecting it to enforce which it doesn't?
>
> Oh, I mean the lockfile part. If lower-constraints jobs pass
> without enforcing each transitive dependency, then it's not
> enforced in this way.
[...]

I wouldn't mind digging into a specific example of this. It seems
likely to be one (or more) of:

* an incorrect or incomplete configuration
* a misunderstanding about what is being constrained
* a bug in pip or setuptools
* a broken CI job

The way it's supposed to work is that when pip decides to install a
package (whether directly or as a dependency of something else) it
checks the available versions of that package against the supplied
list of version constraints and errors if there is no available
version of the package which meets those constraints. If that's not
what's happening, then something's clearly wrong.

-- 
Jeremy Stanley
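
The two behaviours discussed in this thread, as an added example that is not part of either message and is not pip's code: a simplified model in which a pinned package must resolve to its pin or the install fails, while a transitive dependency missing from the constraints file is not restricted at all. The package names, the sample file and the index are constructed, and only `==`/`===` pins are assumed.

```python
import re

def normalize(name):
    """PEP 503 name normalization, so 'Example.Client' matches 'example-client'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_constraints(text):
    """Parse 'name==version' pins; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[normalize(name)] = version.lstrip("=").strip()
    return pins

def pick_version(name, available, pins):
    """Simplified model of the constraint check: a pinned package must have
    the pinned version available, otherwise the install fails. A package
    that is absent from the pins is not restricted at all."""
    pin = pins.get(normalize(name))
    if pin is None:
        return max(available, key=lambda v: tuple(int(p) for p in v.split(".")))
    if pin not in available:
        raise LookupError(f"no version of {name} satisfies =={pin}")
    return pin

def unpinned(installed, pins):
    """Names that were installed but never appear in the constraints file."""
    return sorted(n for n in installed if normalize(n) not in pins)

# Constructed sample data: hypothetical package names, not a real project.
LOWER_CONSTRAINTS = """
# lower-constraints.txt (constructed)
example-lib==1.2.0
Example.Client===3.0.0
"""
INDEX = {
    "example-lib": ["1.2.0", "1.4.0"],
    "example-client": ["3.0.0", "3.1.0"],
    "example-transitive": ["0.9.0", "2.5.1"],  # pulled in by example-lib
}

if __name__ == "__main__":
    pins = parse_constraints(LOWER_CONSTRAINTS)
    chosen = {n: pick_version(n, v, pins) for n, v in INDEX.items()}
    print(chosen)
    print("not constrained:", unpinned(chosen, pins))
```

Running `unpinned` over the output of `pip freeze` in a lower-constraints job environment is one way to list the dependencies the job tested without a pin.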