
Does auth0-python need to be restricted to package requests >= 2.22.0? #201

Closed
BasilaryGroup opened this issue Jun 27, 2019 · 3 comments · Fixed by #204

Comments

@BasilaryGroup

Description

Version 3.8.1 has a restrictive dependency upon requests >= 2.22.0 (see 0c5634c). I now have conflicts with other Python packages such as awsebcli 3.15.2 (Amazon Web Services Elastic Beanstalk CLI) which is limited to requests <2.21, >=2.20.1.

Have there been changes to auth0-python 3.8.1 that force it to be so restrictive in its dependency upon requests 2.22.0? Or can the dependency be relaxed?

I'm now kept warm by one of the nine circles of Python dependency hell.

Environment

  • Python 3.7.2
  • auth0-python 3.8.1
  • awsebcli 3.15.2

Reproduction

$ pip3 install auth0-python==3.8.1
$ pip3 install awsebcli==3.15.2
....
Successfully built awsebcli
Installing collected packages: requests, awsebcli
  Found existing installation: requests 2.22.0
    Uninstalling requests-2.22.0:
      Successfully uninstalled requests-2.22.0
  Found existing installation: awsebcli 3.15.0
    Uninstalling awsebcli-3.15.0:
      Successfully uninstalled awsebcli-3.15.0
Successfully installed awsebcli-3.15.2 requests-2.20.1
@sashasimkin

@lbalmaceda can you please share some insight on this?

@lbalmaceda
Contributor

Hi @BasilaryGroup @sashasimkin. We took the opportunity to bump that value to the latest minor release fixing license and security vulnerabilities that were reported by our compliance tools and are now fixed. Assuming we all follow semver there should be no issue with us bumping anything but the major version of a dependency. In any case, I think we can lower the minimum back to the version where this issue was fixed.

How does >=2.14.0 sound?
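The conflict discussed in this thread can be checked mechanically before a release: given each package's pin on the same dependency, does any published version satisfy all of them at once? The following is an added example, not code from auth0-python or awsebcli; it uses a small hand-written specifier parser instead of the `packaging` library and a constructed list of release numbers.

```python
# Added example: check whether several packages' pins on one dependency leave
# any installable release. Handles X.Y.Z versions and the common operators only.
import re
from typing import List, Tuple

# Constructed sample of release numbers to resolve against (not a live index).
REQUESTS_RELEASES = ["2.13.0", "2.14.0", "2.20.0", "2.20.1", "2.21.0", "2.22.0"]

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_SPEC_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.20.1' -> (2, 20, 1); short forms are padded so '2.21' == '2.21.0'."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_requirement(req: str):
    """'requests<2.21,>=2.20.1' -> ('requests', [('<', (2,21,0)), ('>=', (2,20,1))])."""
    m = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", req.strip())
    name, spec = m.group(1).lower(), m.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        cm = _SPEC_RE.match(clause)
        if not cm:
            raise ValueError(f"unsupported specifier: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfiable_releases(requirements: List[str], releases: List[str]) -> List[str]:
    """Releases that satisfy every requirement at once; an empty list means a conflict."""
    parsed = [parse_requirement(r) for r in requirements]
    if len({name for name, _ in parsed}) != 1:
        raise ValueError("all requirements must pin the same package")
    clauses = [c for _, cs in parsed for c in cs]
    return [r for r in releases
            if all(_OPS[op](parse_version(r), v) for op, v in clauses)]
```

With the pins from this issue, `requests>=2.22.0` next to awsebcli's `requests<2.21,>=2.20.1` yields no release, while the proposed `>=2.14.0` leaves 2.20.1 installable.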

@BasilaryGroup
Author

Sorry for the late response. Moving the dependency to >=2.14.0 works great for us. Thank you!
