@cgoldberg cgoldberg commented Aug 26, 2025

User description

💥 What does this PR do?

This PR loosens the dependency specifiers used in Python packaging configuration.

Since Selenium is a library used in various projects, we can't force specific versions of our dependencies on users because it might conflict with different versions of the same packages they use with other libraries. However, we want to ensure the selenium package still works with some range of declared dependencies, and not just let it pull in possibly incompatible dependencies on installation. There is no perfect solution for this.

Currently we use the "compatible release" specifier for Python package dependencies, which allows new dependency versions within the same minor version. Based on user feedback, this seems to be too strict. This PR changes the dependency specifications to use a minimum and maximum version instead, with the maximum being the next major version.

This will allow more installation flexibility, while (hopefully) not pulling in new dependency versions that introduce breaking changes (major version upgrades).

💡 Additional Considerations

Going forward, we would raise the minimum version occasionally with new releases. For CI and development, we will continue to pin a specific version via requirements.txt.

🔄 Types of changes

  • Build/Packaging

PR Type

Other


Description

  • Changed dependency specifiers from compatible release (~=) to minimum/maximum version ranges

  • Updated trio, trio-websocket, typing_extensions, and websocket-client version constraints

  • Allows more installation flexibility while preventing major version conflicts


Diagram Walkthrough

flowchart LR
  A["Compatible Release Specifiers"] -- "Replace with" --> B["Min/Max Version Ranges"]
  B --> C["More Installation Flexibility"]
  B --> D["Prevent Major Version Conflicts"]

File Walkthrough

Relevant files
Configuration changes
BUILD.bazel
Update Bazel wheel dependency constraints                               

py/BUILD.bazel

  • Updated dependency version specifiers in Bazel wheel configuration
  • Changed from compatible release (~=) to minimum/maximum version ranges
  • Applied to trio, trio-websocket, typing_extensions, and
    websocket-client
+4/-4     
pyproject.toml
Update pyproject dependency constraints                                   

py/pyproject.toml

  • Updated dependency version specifiers in Python project configuration
  • Changed from compatible release (~=) to minimum/maximum version ranges
  • Applied to trio, trio-websocket, typing_extensions, and
    websocket-client
+4/-4     

@selenium-ci selenium-ci added C-py Python Bindings B-build Includes scripting, bazel and CI integrations labels Aug 26, 2025

qodo-merge-pro bot commented Aug 26, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category    Suggestion    Impact
Possible issue
Fix broken version specifier
Suggestion Impact:The commit added the missing comma, fixing the malformed version specifier exactly as suggested.

code diff:

-        "websocket-client>=1.8.0<2.0",
+        "websocket-client>=1.8.0,<2.0",

The version specifier is invalid due to a missing comma between the lower and
upper bounds. This will break dependency parsing and resolution. Add a comma to
separate the specifiers.

py/BUILD.bazel [335]

-"websocket-client>=1.8.0<2.0",
+"websocket-client>=1.8.0,<2.0",
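Review bot: the `+` line in py/BUILD.bazel duplicates the entry in py/pyproject.toml, and the missing comma had to be fixed in both files. Suggest a CI step that parses every requirement string in both files (or generating one list from the other) so a malformed specifier such as `>=1.8.0<2.0` fails the build instead of reaching review.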

[Suggestion processed]

Suggestion importance[1-10]: 10

Why: The suggestion correctly identifies a malformed version specifier for websocket-client that lacks a comma, which would break dependency resolution, making this a critical fix.

High
Correct malformed dependency range
Suggestion Impact:The commit added the missing comma, correcting the dependency specifier to "websocket-client>=1.8.0,<2.0".

code diff:

-    "websocket-client>=1.8.0<2.0",
+    "websocket-client>=1.8.0,<2.0",

The dependency constraint is malformed because it lacks a comma between
specifiers, violating PEP 508. Insert the comma to ensure valid parsing by build
tools.

py/pyproject.toml [34]

-"websocket-client>=1.8.0<2.0",
+"websocket-client>=1.8.0,<2.0",
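Review bot: nothing on the `+` line records why the cap is `<2.0`. A short comment next to the entry, saying that the upper bound is the next major version and that the lower bound is raised with releases, would help whoever next edits this list tell a deliberate cap from a stale one.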

[Suggestion processed]

Suggestion importance[1-10]: 10

Why: The suggestion correctly identifies a malformed dependency constraint for websocket-client that violates PEP 508 and would break dependency installation, making this a critical fix.

High
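
The difference between the two specifier styles discussed in this PR, and the missing-comma error flagged above, as an added example (not code from the PR or from Selenium). It is a simplified, stdlib-only model of PEP 440 matching; `~=1.8.0` as the "before" form, the candidate versions and all function names are assumptions, and real tooling would parse with the `packaging` library instead.

```python
import re

# Simplified PEP 440 model: numeric release segments only (no pre-releases,
# epochs, wildcards, extras or markers). CANDIDATES are constructed versions.
NAME = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)")
CLAUSE = re.compile(r"(~=|>=|<=|==|!=|<|>)\s*(\d+(?:\.\d+)*)")
CANDIDATES = ["1.7.0", "1.8.0", "1.8.5", "1.9.0", "1.12.3", "2.0", "2.1.0"]

def parse_requirement(req):
    """Return (name, [(operator, version_tuple), ...]) or raise ValueError."""
    m = NAME.fullmatch(req.strip())
    if not m:
        raise ValueError(f"no package name in {req!r}")
    clauses = []
    for part in (m.group(2).split(",") if m.group(2) else []):
        c = CLAUSE.fullmatch(part.strip())
        if not c:  # ">=1.8.0<2.0" lands here: two clauses, no comma between
            raise ValueError(f"malformed clause {part.strip()!r} in {req!r}")
        ver = tuple(int(x) for x in c.group(2).split("."))
        if c.group(1) == "~=" and len(ver) < 2:
            raise ValueError(f"~= needs two or more segments in {req!r}")
        clauses.append((c.group(1), ver))
    return m.group(1), clauses

def meets(version, op, bound):
    """True if a dotted numeric version satisfies one (operator, bound) clause."""
    v = tuple(int(x) for x in version.split("."))
    n = max(len(v), len(bound))
    a, b = v + (0,) * (n - len(v)), bound + (0,) * (n - len(bound))
    if op == "~=":  # ~=X.Y.Z means >=X.Y.Z and ==X.Y.* (last segment is free)
        return a >= b and a[:len(bound) - 1] == bound[:-1]
    return {">=": a >= b, "<=": a <= b, "==": a == b,
            "!=": a != b, "<": a < b, ">": a > b}[op]

def accepted(req, candidates=CANDIDATES):
    """Candidate versions an installer may select for this requirement."""
    clauses = parse_requirement(req)[1]
    return [v for v in candidates if all(meets(v, op, b) for op, b in clauses)]

def lint(reqs):
    """Map each requirement string that fails to parse to its error message."""
    errors = {}
    for r in reqs:
        try:
            parse_requirement(r)
        except ValueError as e:
            errors[r] = str(e)
    return errors
```

`accepted("websocket-client~=1.8.0")` keeps only the 1.8.x candidates, while `accepted("websocket-client>=1.8.0,<2.0")` also admits 1.9.0 and 1.12.3; `lint` run over the entries of both `py/BUILD.bazel` and `py/pyproject.toml` reports the comma-less string.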

@SeleniumHQ SeleniumHQ deleted a comment from qodo-merge-pro bot Aug 26, 2025
@cgoldberg cgoldberg requested review from navin772 and shbenzer August 26, 2025 14:37

@shbenzer shbenzer left a comment

LGTM, no CVE for these ranges


@navin772 navin772 left a comment

This looks good and works for our case.
I don't know much but is mentioning non-released version limits as deps a common practice?

@nvborisenko

Does it mean I am not able to upgrade the websocket-client package to the latest v2.0 if I really want to use it, despite the fact that selenium requires <2.0? Let's say I know what I am doing and I am aware of the incompatibility topic. Is this limitation a kind of recommendation or a hard restriction?

@cgoldberg

> is mentioning non-released version limits as deps a common practice?

For upper limits, yes that's common practice.

@cgoldberg

> Does it mean I am not able to upgrade websocket-client package to the latest v2.0

This means that during Selenium installation, it will never download and install 2.0+ for you. Once installation is complete, you can upgrade websocket-client to whatever version you want and selenium will attempt to use it at runtime.

@cgoldberg cgoldberg merged commit d3cef1a into SeleniumHQ:trunk Aug 28, 2025
16 checks passed
@cgoldberg cgoldberg deleted the py-loosen-package-dependencies branch August 28, 2025 19:01