Bug 1163532 - mypy dependency broken after python3-typed-ast update
mypy dependency broken after python3-typed-ast update
Status: RESOLVED WONTFIX
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Development
Leap 15.1
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Sebastian Wagner
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-12 21:48 UTC by Kevin Wolf
Modified: 2021-04-18 11:28 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin Wolf 2020-02-12 21:48:39 UTC
Trying to run mypy on a fully updated Leap 15.1 fails with:

pkg_resources.DistributionNotFound: The 'typed-ast<1.4.0,>=1.3.1' distribution was not found and is required by mypy

I see that the originally shipped version 1.3.1-lp151.1.1 of python3-typed-ast (which was supported by mypy) was updated to 1.4.1-lp151.2.3.1 without also updating mypy, therefore breaking its dependency (which is incorrectly expressed in the RPM metadata as just python3-typed-ast >= 1.1.0).

Downgrading python3-typed-ast back to  1.3.1-lp151.1.1 as a workaround makes mypy work again for me.
Comment 1 Sebastian Wagner 2020-02-20 08:52:51 UTC
Hi,

I will update mypy in Leap as well, as typed-ast has been upgraded because of security issues:
https://bugzilla.suse.com/show_bug.cgi?id=1161562
https://bugzilla.suse.com/show_bug.cgi?id=1161563
Comment 2 Sebastian Wagner 2020-02-23 11:08:25 UTC
Request for downgrading typed-ast: https://build.opensuse.org/request/show/778546

Upgrading mypy would have required upgrades of (at least) mypy_extensions, typing and typing_extenstions too and I doubt that would have been accepted.
Comment 3 Sebastian Wagner 2020-02-23 11:13:46 UTC
https://build.opensuse.org/request/show/778550
Comment 4 Sebastian Wagner 2020-03-15 16:36:31 UTC
Downgrade request got accepted but still typed-ast version 1.4.1 gets installed :/ No idea what the problem is
Comment 5 Swamp Workflow Management 2020-05-01 10:14:15 UTC
openSUSE-SU-2020:0567-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1161562,1161563,1163532
CVE References: CVE-2019-19274,CVE-2019-19275
Sources used:
openSUSE Leap 15.1 (src):    python-typed-ast-1.3.1-lp151.2.6.1
Comment 6 Swamp Workflow Management 2020-05-04 13:29:28 UTC
openSUSE-SU-2020:0609-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1161562,1161563,1163532
CVE References: CVE-2019-19274,CVE-2019-19275
Sources used:
openSUSE Backports SLE-15-SP1 (src):    python-typed-ast-1.3.1-bp151.2.6.1
Comment 7 Matthias Bach 2020-06-14 20:08:40 UTC
I am still getting the newer version of typed-ast on Leap 15.1 and mypy is thus broken. Shouldn't the restriction on the typed-ast version be reflected in package dependencies? Currently the mypy package only seems to restrict typed-ast to be >= 1.1.0 but does not have the < 1.4.0 restriction implemented.
Comment 8 Sebastian Wagner 2021-04-18 11:28:08 UTC
Unfortunately we couldn't resolve this bug, but 15.1 is now EOL