typeshed
Published package `types-typing-extensions` is overriding `typing_extensions.pyi`
Many of the core stdlib stubs, including builtins.pyi, import symbols from typing_extensions. The typing_extensions.pyi stub is now part of the stdlib stubs, but for a short period of time after the reorganization of typeshed, it was considered a third-party stub. During that time, the automated bot published it to PyPI as a stub package called types-typing-extensions. A number of users have installed this stub library, and it's now causing problems because it's overriding the more recent typing_extensions.pyi in typeshed. We've had several reports of this by pyright and pylance users over the past several days.
I discussed this with @JelleZijlstra, and he had a couple of suggestions. One suggestion is to remove the (old) types-typing-extensions package from PyPI so it doesn't continue to create problems. He said that he can't do that from his PyPI account because the automated bot owns the types-* projects. He asked me to open an issue here.
For reference, here's the issue in the pyright issue tracker: https://github.com/microsoft/pyright/issues/3037.
There's a chance that this could break versions of mypy released during that short period of time. This wouldn't be the worst, as long as it breaks loudly (which I believe it should). I'll double check which (if any) versions are affected.
Edit: I think no mypy releases are affected, since https://github.com/python/mypy/pull/10347 made it into 0.900
I couldn't find meaningful uses of types-typing-extensions on cs.github.com or grep.app, so that's good!
Not sure what https://github.com/typeshed-internal/stub_uploader/blob/f6bf0d8684109691e581e61071fbe3e499291b1d/data/uploaded_packages.txt#L138 is used for — should it be cleaned up?
We could also release a new types-typing-extensions that raises an error on installation. The effect should be about the same.
@ilevkivskyi @JukkaL Can one of you log in as user typeshed_bot on PyPI and yank all released versions of types-typing-extensions and also types-pkg-resources (while you're at it)? I think there were one or two more packages that got wrongly added as part of the new structure, but I can't remember which ones those were.
This issue is left open and I still see versions of https://pypi.org/project/types-typing-extensions and https://pypi.org/project/types-pkg-resources. Is there still something left to do here?
@srittau OK, I just yanked all releases of types-typing-extensions (and also deleted it from uploaded_packages.txt). I however noticed that types-pkg-resources has 20K downloads per day, and is actually designated as "critical project" on PyPI (whatever it means). Are you sure we should yank it?
(I also checked types-typing-extensions has 2K downloads per day, but I guess those may be some automated mirrors)
Removing a package with many downloads from PyPI doesn't seem like a good idea to me, because someone could upload a malicious package with the same name.
Edit: Nevermind, it seems that this doesn't apply to yanking.
We should probably upload a manual version of types-pkg-resources saying: Don't use this, use types-setuptools instead. But keeping it for now is probably the safer option.
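A quick environment audit for the two stub packages discussed in this thread (the override described in the opening report, and the types-setuptools replacement suggested above), as an added example that is not typeshed's or stub_uploader's own tooling; the advice strings are a summary of the thread, not text from either package:

```python
"""Audit an environment for the superseded stub packages discussed in the thread.

Added example, not typeshed's own tooling. It checks the distributions
installed in this interpreter (via importlib.metadata) or a list of
`pip freeze` lines for types-typing-extensions (whose stub now ships with
typeshed's stdlib stubs) and types-pkg-resources (replaced by types-setuptools).
"""
from __future__ import annotations

import re
from importlib import metadata

# Distribution name -> remediation, as summarised from the thread (assumption:
# the wording is ours, not the packages').
SUPERSEDED_STUBS: dict[str, str] = {
    "types-typing-extensions": "uninstall; the typing_extensions stub is part of typeshed's stdlib stubs",
    "types-pkg-resources": "uninstall and install types-setuptools instead",
}

# First token of a requirement / freeze line: the project name before any
# version specifier, extras or marker. Lines starting with '-' or '#' are skipped.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Types_Pkg.Resources' matches 'types-pkg-resources'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_freeze_lines(lines: list[str]) -> dict[str, str]:
    """Return {normalised distribution: advice} for every superseded stub found."""
    found: dict[str, str] = {}
    for line in lines:
        m = _REQ_RE.match(line)
        if not m:
            continue  # blank lines, comments, '-e git+...' editable entries
        name = normalize(m.group(1))
        if name in SUPERSEDED_STUBS:
            found[name] = SUPERSEDED_STUBS[name]
    return found


def audit_installed() -> dict[str, str]:
    """Run the same check against the distributions visible to this interpreter."""
    names = [d.metadata["Name"] or "" for d in metadata.distributions()]
    return audit_freeze_lines(names)


if __name__ == "__main__":
    for dist, advice in audit_installed().items():
        print(f"{dist}: {advice}")
```

Feed it `pip freeze` output from a CI image or a requirements lock file to catch the stale stubs before they shadow the bundled typeshed copy.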