Version locking requests dependency in plaid-python and plaid-python-legacy

[jroblak]

Currently plaid-python and plaid-python-legacy both have a sub-dependency of requests and it is locked to a specific version ==2.7.0.

It is extremely rare to have a library lock a sub-dependency like this, as it causes all sorts of issues with sub-dependency clashes (in fact, our application has over 50 packages, and 0 have a fully locked sub-dependency, all are >= other than plaid-python), and it locks the users of your library out of valuable bug fixes that have been implemented since 2.7.0 was released in May of 2015.

Finally, requests will not introduce any breaking changes except on major version updates (http://docs.python-requests.org/en/master/community/release-process/).

For those reasons, I would recommend you change your dependency on requests to >=2.7.0, or <3.0.0,>=2.7.0 if you want to be safer.

[joyzheng]

@jroblak, thanks for reporting! As of version 2.0.1, the dependency on requests in setup.py is pinned at >=2.7.0 rather than ==. Are you still running into issues on a newer version?

[jroblak]

Looks fantastic, thank you! Would you be able to update this for legacy as well, or are changed frozen there?

[joyzheng]

It's a small enough change that I think we should be okay updating legacy as well -- got a PR open for that here: plaid/plaid-python-legacy#7.

[jroblak]

Awesome! Thanks for your responsiveness.

…

On Mon, Jan 29, 2018 at 12:10 PM, Joy Zheng ***@***.***> wrote: It's a small enough change that I think we should be okay updating legacy as well -- got a PR open for that here: plaid/plaid-python-legacy#7 <plaid/plaid-python-legacy#7>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#113 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABmht_tEoIzCqENddv8qUO51Gu8g1V02ks5tPftYgaJpZM4Rtja3> .