yolov5-pip forced boto3 consumption invalidates py3.7-9 support #13312
Labels: bug, dependencies, python
Search before asking
YOLOv5 Component
Other
Bug
Problem
yolov5-pip (v7.0.13 PyPI packaging) is currently forcing end-users to consume boto3, which brings in transitive updates to botocore that constrain urllib3 on python version <3.10 due to security updates. This functionally ends yolov5 support for python versions 3, 3.7-9 based on end-user environment configuration (e.g. yolov5 cannot be installed in a py3.9 environment that is also using gradio>=4.27.0, which introduces a urllib3~=2.0 security constraint).
Ask / Potential Solution
yolov5 can retroactively continue to support python <3.10 environments by vending an optional configuration that omits enforced consumption of AWS-CLI dependencies (e.g. pip install yolov5[no-aws-cli] while not disrupting downstream end-users that are expecting the enforced consumption).
Environment
n/a - reproducible environment cannot solve due to above problem (see reproduction section for example)
Minimal Reproducible Example
Create a minimal conda environment (or use another preferred venv)
Install any dependency that has enforced secops pins on urllib3>=2.0
Install yolov5
Example failure:
Additional
No response
Are you willing to submit a PR?
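The conflict reported above can be checked offline by evaluating the competing urllib3 requirements under each interpreter version. This is an added example, not code from the issue or from the yolov5 project. The urllib3~=2.0 pin is taken from the issue text; the botocore requirement lines and the candidate release list are assumptions constructed for illustration.

```python
"""Evaluate competing urllib3 pins per Python version (added example)."""
try:
    from packaging.requirements import Requirement
except ImportError:  # pip ships a vendored copy of the same library
    from pip._vendor.packaging.requirements import Requirement

# Constructed requirement lines. The gradio-side pin is the one quoted in the
# issue; the botocore lines are an ASSUMPTION modelled on a marker-conditional
# cap on urllib3 for interpreters older than 3.10.
REQUIREMENTS = [
    ("botocore", 'urllib3>=1.25.4,<1.27; python_version < "3.10"'),
    ("botocore", 'urllib3>=1.25.4,!=2.2.0,<3; python_version >= "3.10"'),
    ("gradio>=4.27.0", "urllib3~=2.0"),
]

# Constructed sample of urllib3 releases to test against the constraints.
CANDIDATES = ["1.26.18", "2.0.7", "2.2.1"]


def active_constraints(python_version):
    """Return (source, SpecifierSet) pairs whose marker applies to this Python."""
    env = {"python_version": python_version}
    active = []
    for source, line in REQUIREMENTS:
        req = Requirement(line)
        if req.marker is None or req.marker.evaluate(env):
            active.append((source, req.specifier))
    return active


def resolve(python_version):
    """Return the candidate urllib3 versions every active constraint accepts."""
    constraints = active_constraints(python_version)
    return [v for v in CANDIDATES if all(v in spec for _, spec in constraints)]


def blockers(python_version, version):
    """Name the sources whose constraint rejects this urllib3 version."""
    return [src for src, spec in active_constraints(python_version)
            if version not in spec]


if __name__ == "__main__":
    for py in ("3.9", "3.10"):
        ok = resolve(py)
        print(f"python {py}: installable urllib3 = {ok or 'none (conflict)'}")
        for v in CANDIDATES:
            if v not in ok:
                print(f"  {v} rejected by {', '.join(blockers(py, v))}")
```

For a real environment, `pip check` reports the same kind of unsatisfied requirement after installation.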