Problem Description
We are unable to update urllib3 to version 2.5.0 (required for CVE fixes) due to a dependency conflict in the odh-elyra package chain.
Dependency Conflict Chain
The conflict occurs through this dependency chain:
odh-elyra==4.2.3 → appengine-python-standard==1.1.10 → urllib3>=1.26.2,<2
Error Details
When attempting to resolve dependencies with `uv lock`, we get:

```
❯ uv lock
Using CPython 3.12.0
× No solution found when resolving dependencies for split (markers: python_full_version == '3.12.*' and implementation_name == 'cpython' and sys_platform == 'linux'):
╰─▶ Because appengine-python-standard==1.1.10 depends on urllib3>=1.26.2,<2 and odh-elyra==4.2.3 depends on appengine-python-standard==1.1.10, we can conclude that odh-elyra==4.2.3 depends on urllib3>=1.26.2,<2.
```
Context
- We are working on updating urllib3 across all notebook images to version 2.5.0 to address security vulnerabilities
- The `appengine-python-standard` package constraint `urllib3<2` is blocking this security update
- Related upstream issue: Allow using urllib3 v2+ (GoogleCloudPlatform/appengine-python-standard#121)
Request
Could you please:
- Update the `appengine-python-standard` dependency to a version that supports urllib3 2.x, or
- Remove the `appengine-python-standard` dependency if it's not essential, or
- Provide guidance on how to resolve this conflict while maintaining security updates
Additional Information
- PR Context: RHAIENG-722: bump `boto3`, `kfp`, `requests`, and `urllib3` across all Pipfiles to allow for CVE update to urllib3 2.5.0 (opendatahub-io/notebooks#1875)
- Comment Context: RHAIENG-722: bump `boto3`, `kfp`, `requests`, and `urllib3` across all Pipfiles to allow for CVE update to urllib3 2.5.0 (opendatahub-io/notebooks#1875 (comment))
- Affected Package: `odh-elyra==4.2.3`
- Target urllib3 Version: `2.5.0`
- Python Version: `3.12`
This issue is blocking security updates across multiple notebook runtime environments. Any assistance would be greatly appreciated.
Thank you!
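The resolver message above is the end result of walking a dependency graph and intersecting every version constraint it finds on `urllib3`. The script below is an added example, not code from this issue or from the odh-elyra, uv or appengine-python-standard projects: it reproduces that reasoning on a small hand-built graph, collecting every transitive constraint on a target package and reporting which declared ranges exclude the version you want to move to. The graph mirrors the chain quoted in the issue, but the `requests` entries and their specifiers are constructed for illustration, and version handling covers only a subset of PEP 440 (dotted numeric releases and the six comparison operators), which is enough to show why `urllib3>=1.26.2,<2` rules out `2.5.0` while a `<3` bound does not.

```python
"""
Added example: find which transitive constraints in a dependency graph block
a desired version of a package. The graph is a constructed sample modelled on
the chain odh-elyra -> appengine-python-standard -> urllib3 from the issue.
"""
import re
from typing import Dict, List, Tuple

# Minimal version handling: dotted numeric releases only. Pre-releases,
# post-releases and local labels are not supported (assumption for brevity).
def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip().split("."))

def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad with zeros so that 2 == 2.0 == 2.0.0, then three-way compare.
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)

_SPEC_RE = re.compile(r"\s*(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)\s*")

def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause, e.g. '>=1.26.2,<2'."""
    v = parse_version(version)
    if not specifier.strip():
        return True
    for clause in specifier.split(","):
        m = _SPEC_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        c = _cmp(v, bound)
        ok = {">=": c >= 0, "<=": c <= 0, "==": c == 0,
              "!=": c != 0, ">": c > 0, "<": c < 0}[op]
        if not ok:
            return False
    return True

def parse_requirement(req: str) -> Tuple[str, str]:
    """Split 'urllib3>=1.26.2,<2' into ('urllib3', '>=1.26.2,<2')."""
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    if not m:
        raise ValueError(f"bad requirement: {req!r}")
    return m.group(1).lower(), m.group(2).strip()

# Constructed sample graph: key is the pinned release, value is its declared
# requirements. The requests entries are illustrative, not taken from the issue.
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "odh-elyra==4.2.3": ["appengine-python-standard==1.1.10", "requests>=2.31"],
    "appengine-python-standard==1.1.10": ["urllib3>=1.26.2,<2", "requests>=2.25"],
    "requests==2.32.3": ["urllib3>=1.21.1,<3"],
}

def find_blocking_constraints(graph: Dict[str, List[str]], root: str,
                              target_pkg: str, target_version: str
                              ) -> List[Tuple[List[str], str]]:
    """Depth-first walk from `root`. Returns (path, specifier) for every
    constraint on `target_pkg` that `target_version` does NOT satisfy."""
    blocking: List[Tuple[List[str], str]] = []

    def walk(node: str, path: List[str]) -> None:
        for req in graph.get(node, []):
            name, spec = parse_requirement(req)
            if name == target_pkg:
                if not satisfies(target_version, spec):
                    blocking.append((path + [node], spec))
                continue
            # Follow the pinned release of this dependency, if the graph has one.
            pinned = next((k for k in graph
                           if k.split("==")[0].lower() == name), None)
            if pinned and pinned not in path:
                walk(pinned, path + [node])

    walk(root, [])
    return blocking

def explain(graph: Dict[str, List[str]], root: str,
            target_pkg: str, target_version: str) -> List[str]:
    """Human-readable lines, one per blocking chain (empty if none block)."""
    return [f"{' -> '.join(path)} requires {target_pkg}{spec}, "
            f"which excludes {target_version}"
            for path, spec in find_blocking_constraints(graph, root,
                                                        target_pkg, target_version)]

if __name__ == "__main__":
    for line in explain(SAMPLE_GRAPH, "odh-elyra==4.2.3", "urllib3", "2.5.0"):
        print(line)
```

Running the script prints the single chain that excludes urllib3 2.5.0 (through `appengine-python-standard==1.1.10`), while the `requests` path, whose `<3` bound still admits 2.5.0, stays silent. Swapping the target for a 1.26.x release returns no blocking chains, which is the same conclusion `uv` reaches, only without the full PEP 440 machinery.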