Lower requirement for urllib

[svrooij]

Are the dependency requirements set in stone? Or can we lower urllib and httpx to something that works with these package constrains?

kiota-python/packages/http/httpx/pyproject.toml

Lines 31 to 32 in dbda749

	httpx = {extras = ["http2"], version = ">=0.28"}
	urllib3 = "^2.2.2"

urllib has a requirement of ^2.2.2 and I was wondering if we could adjust it to something that works with the following package constrain urllib3>=1.26.5,<2

for httpx, it seems the http2 extras are not referenced directly, so maybe the references can be changed to httpx>=0.28.0 and provide an extra if you want to talk to http2 servers? Like this

Reason is, I've built this library for the Volvo Connected Vehicle api svrooij/py_volvo_connected that I want to use it in Home Assistant which has this package contrains

Without lowering the requirement (and #448), I would not be able to use kiota for this project and would be forced to go look for something else.

[svrooij]

@baywet maybe we can do this for version 1.8.0 as well?

[baywet]

Hi @svrooij
Thank you for using kiota and for reaching out.

Somehow I missed the notification for this one.

The design choice here for http/2 is to add it systematically so clients "automatically" upgrade to http/2 when available without developers having to do anything. Is that causing an issue on your end? (besides heavier deployments)

As for urllib, I believe a range should work here (granted that the CI is happy with the change). It's probably on a fixed version because of dependabot updates to begin with. Are you getting version resolution conflicts?

@baywet maybe we can do this for version 1.8.0 as well?

Versions are cheap thanks to automation, I'd rather have that as another patch as it'll provide more stop gaps to consumers in case something is wrong.

[svrooij]

According to the version history of urllib3 version 1.26.20 is actually newer then version 2.2.2 which is a current requirement.

Because there were some issues with version 2.0.* and 2.1.* other big projects (home assistant, one of the most popular project on github completely built in python) blocked urllib3 with <2.

I would suggest to set the urllib3 dependency to urllib3 = ">=1.26.17,!2.0.*,!2.1.*" this will allow more people to utilize kiota, while still skipping the faulty versions and not blocking people from using >2.1 if they want

[baywet]

Thank you for the additional information.

I think there's a serious mixing issue here.

If you search for "urllib" you'll get about a dozen results, but this is misleading since the vast majority of them come from the BCL parse utils

Searching for urllib3 instead only returns two results: the toml entry and the place where we set up the minimum TLS version for the client.

This looks highly suspicious to me: using types from one HTTP client lib to setup properties on another lib. I think somebody got mixed up here.

My suggestion is to:

• remove the line in the middleware
• remove the dependency all together
• add the TLS configuration (1.2 or above) in the client factory instead

more context:

• How can I use a custom SSLContext / PyOpenSSLContext when creating a Client? encode/httpx#924
• https://stackoverflow.com/a/49766578/3808675

@andrueastman I'd like your input on this one please.