feat: remove upper bounds on runtime dependencies #3240
Feature or Bugfix
Detail
Removing upper version bounds in runtime dependencies in the AWS SDK for pandas (awswrangler).
Open constraints are especially important for SDKs that typically sit at the root of the dependency tree and are used in many different environments with different configurations. Being able to install and update dependency versions without conflict is important for SDK users, especially when consuming new functionality of dependencies (pandas, numpy, pyarrow, etc.) or security patches.
A conservative approach to upper-bounding dependencies guarantees safe library/SDK operation but limits its use and introduces a significant maintenance burden. This burden may be acceptable for SDKs/libraries with a small number of dependencies (e.g. boto3) where each dependency can be reviewed and tested prior to upgrade, but grows exponentially with the number of dependencies, making it impossible to test for every possible change. Realistically, the same test harness is often run, which does not test for individual changes in dependencies, and it is unlikely to catch issues with that particular dependency until the user reports it. This results in hiding and delaying the discovery of issues and slowing down the development process. Additionally, this introduces churn to update the bounds when nothing actually broke or changed.
With this change, we suggest removing upper bounds and relying on user reports to discover potential issues in dependencies. We fully acknowledge this change may impact the number of reports about potential dependency incompatibilities and breaking changes in dependencies. After careful consideration, based on development effort estimation and severity of the issue, we may introduce upper bounds only on dependencies where it’s actually needed.
Suggested approach:
Reference
Relates
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.