elyra
urllib3 2.x compatibility blocked by appengine-python-standard dependency constraint
Problem Description
We are unable to update urllib3 to version 2.5.0 (required for CVE fixes) due to a dependency conflict in the odh-elyra package chain.
Dependency Conflict Chain
The conflict occurs through this dependency chain:
odh-elyra==4.2.3 → appengine-python-standard==1.1.10 → urllib3>=1.26.2,<2
Error Details
When attempting to resolve dependencies with uv lock, we get:
❯ uv lock
Using CPython 3.12.0
× No solution found when resolving dependencies for split (markers: python_full_version == '3.12.*' and implementation_name == 'cpython' and sys_platform == 'linux'):
╰─▶ Because appengine-python-standard==1.1.10 depends on urllib3>=1.26.2,<2 and odh-elyra==4.2.3 depends on appengine-python-standard==1.1.10, we can conclude that odh-elyra==4.2.3 depends on urllib3>=1.26.2,<2.
Context
- We are working on updating urllib3 across all notebook images to version 2.5.0 to address security vulnerabilities
- The appengine-python-standard package constraint urllib3<2 is blocking this security update
- Related upstream issue: https://github.com/GoogleCloudPlatform/appengine-python-standard/issues/121
Request
Could you please:
- Update the appengine-python-standard dependency to a version that supports urllib3 2.x, or
- Remove the appengine-python-standard dependency if it's not essential, or
- Provide guidance on how to resolve this conflict while maintaining security updates
Additional Information
- PR Context: https://github.com/opendatahub-io/notebooks/pull/1875
- Comment Context: https://github.com/opendatahub-io/notebooks/pull/1875#discussion_r2310019051
- Affected Package: odh-elyra==4.2.3
- Target urllib3 Version: 2.5.0
- Python Version: 3.12
This issue is blocking security updates across multiple notebook runtime environments. Any assistance would be greatly appreciated.
Thank you!
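The dependency chain reported above can be traced programmatically to show which transitive requirement excludes the target urllib3 version. This is an added example, not code from the issue or from the elyra project. The root name "notebook-image" and the "requests" entry are constructed for illustration, and the specifier handling is a simplification covering only numeric versions and basic comparison operators, not full PEP 440.

```python
import re

# Constructed metadata mirroring the chain in the issue. "notebook-image"
# (hypothetical root) and the "requests" entry are assumptions for contrast.
REQUIREMENTS = {
    "notebook-image": ["odh-elyra==4.2.3", "urllib3>=2.5.0"],
    "odh-elyra": ["appengine-python-standard==1.1.10", "requests>=2.0"],
    "appengine-python-standard": ["urllib3>=1.26.2,<2"],
    "requests": ["urllib3>=1.21.1,<3"],
}
OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def parse_version(text):
    """Numeric release segments only, zero-padded: '2' -> (2, 0, 0, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_requirement(req):
    """Split 'name>=1,<2' into ('name', [('>=', '1'), ('<', '2')])."""
    name, spec = re.match(r"\s*([A-Za-z0-9._-]+)\s*(.*)", req).groups()
    clauses = [re.match(r"\s*(==|!=|>=|<=|>|<)\s*([\d.]+)\s*$", c).groups()
               for c in spec.split(",") if c.strip()]
    return name.lower(), clauses

def allows(clauses, target):
    """True if every clause of the specifier admits the target version."""
    t = parse_version(target)
    return all(OPS[op](t, parse_version(v)) for op, v in clauses)

def blocking_chains(root, package, target, reqs=REQUIREMENTS):
    """Paths from root whose final requirement excludes package==target."""
    chains, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        for req in reqs.get(node, []):
            name, clauses = parse_requirement(req)
            if name == package:
                if not allows(clauses, target):
                    chains.append(path + [req])
            elif all(parse_requirement(p)[0] != name for p in path):
                stack.append((name, path + [req]))  # skip cycles
    return chains

if __name__ == "__main__":
    for chain in blocking_chains("notebook-image", "urllib3", "2.5.0"):
        print(" -> ".join(chain))
```

Against a real environment, the same walk can be fed from `importlib.metadata.requires()` instead of the inline dictionary.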
appengine-python-standard was introduced in
- https://github.com/elyra-ai/elyra/pull/3148
See also
- https://github.com/elyra-ai/elyra/pull/3323