Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
| "feast[test, aws, azure, cassandra, clickhouse, couchbase, delta, docling, duckdb, elasticsearch, faiss, gcp, ge, go, grpcio, hazelcast, hbase, ibis, image, k8s, mcp, milvus, mssql, mysql, openlineage, opentelemetry, spark, trino, postgres, pytorch, qdrant, rag, ray, redis, singlestore, snowflake, sqlite_vec]", | ||
| "build", | ||
| "virtualenv==20.23.0", | ||
| "cryptography>=46.0.5", |
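Review bot: The new `"cryptography>=46.0.5"` entry at the end of this list has no comment saying why 46.0.5 is the floor, and it sits in the same list as the `feast[test, ...]` self-reference on the first line, so any cryptography bound declared by those extras is combined with this one at resolve time. Suggest checking the extras named in that self-reference for an existing cryptography bound, declaring the floor in one place only, and adding a short TOML comment there recording the reason for the minimum version so a later edit does not lower it.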
🔴 Conflicting cryptography version constraints between test and ci extras make ci/dev/docs uninstallable
The test extra pins cryptography>=43.0,<44 at pyproject.toml:148, while the ci extra adds cryptography>=46.0.5 at pyproject.toml:155. Since ci depends on feast[test] (pyproject.toml:152), pip must satisfy both constraints simultaneously — but no version exists that is both <44 and >=46.0.5.
Root Cause and Impact
The PR intended to bump cryptography to >=46.0.5 to fix a subgroup validation vulnerability in SECT curves, but only added the new constraint to the ci extra without updating the old >=43.0,<44 constraint in the test extra.
When resolving feast[ci], pip collects requirements from both test (via feast[test] in ci) and ci itself:
- From test: cryptography>=43.0,<44
- From ci: cryptography>=46.0.5
The intersection of [43.0, 44.0) and [46.0.5, ∞) is empty, so dependency resolution will fail.
Impact: Installing feast[ci], feast[dev], or feast[docs] will fail with an unsatisfiable dependency error. This breaks the CI pipeline and all developer/documentation installs.
Prompt for agents
In pyproject.toml, the `test` extra at line 148 still has `cryptography>=43.0,<44` which conflicts with the new `cryptography>=46.0.5` added in the `ci` extra at line 155. To fix this:
1. Update pyproject.toml line 148 to change `cryptography>=43.0,<44` to `cryptography>=46.0.5` (or remove the upper bound so it becomes e.g. `cryptography>=46.0.5`).
2. Since both `test` and `ci` would then have the same constraint, you could optionally remove the duplicate `cryptography>=46.0.5` from the `ci` extra at line 155, keeping it only in `test`.
This ensures that `feast[ci]` (which includes `feast[test]`) has consistent, satisfiable cryptography constraints.
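The conflict described in the review comment above can be caught before merge with a small check over the extras table. This is an added example, not code from the PR or from Feast: the `EXTRAS` sample is constructed from the two constraints quoted in the comment, the function names are hypothetical, and the version comparison is a simplification that does not use pip's resolver.

```python
import re

# Constructed sample: the two cryptography bounds are the ones quoted in the
# review comment; the other entries are illustrative.
EXTRAS = {
    "test": ["cryptography>=43.0,<44", "pytest>=7"],
    "ci": ["feast[test]", "build", "virtualenv==20.23.0", "cryptography>=46.0.5"],
}

def vkey(version):
    """'46.0.5' -> (46, 0, 5, 0) so release versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def flatten(extra, extras, project="feast", seen=None):
    """Expand self-references such as feast[test] into plain requirements."""
    seen = set() if seen is None else seen
    if extra in seen or extra not in extras:
        return []
    seen.add(extra)
    reqs = []
    for req in extras[extra]:
        ref = re.fullmatch(re.escape(project) + r"\[(.+)\]", req.replace(" ", ""))
        if ref:
            for name in ref.group(1).split(","):
                reqs += flatten(name, extras, project, seen)
        else:
            reqs.append(req)
    return reqs

def unsatisfiable(extra, extras):
    """{package: [specs]} with an empty combined range; >=, <=, < and == only."""
    specs_by_pkg = {}
    for req in flatten(extra, extras):
        name, spec = re.match(r"([A-Za-z0-9_.-]+)\s*(.*)", req).groups()
        if spec:
            specs_by_pkg.setdefault(name.lower(), []).append(spec)
    bad = {}
    for name, specs in specs_by_pkg.items():
        lo, hi, hi_open = vkey("0"), None, False
        for op, ver in re.findall(r"(>=|<=|==|<)\s*([0-9.]+)", ",".join(specs)):
            v = vkey(ver)
            if op in (">=", "==") and v > lo:
                lo = v
            if op != ">=" and (hi is None or v < hi or (v == hi and op == "<")):
                hi, hi_open = v, op == "<"
        if hi is not None and (lo > hi or (lo == hi and hi_open)):
            bad[name] = specs
    return bad
```

Calling `unsatisfiable("ci", EXTRAS)` reports `cryptography` with both specifiers, and the result is empty once the `test` bound is raised to match.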
What this PR does / why we need it:
Which issue(s) this PR fixes:
Misc