MachineLearningNotebooks: Azureml-core dependencies incompatible in latest release 1.23.0

Hi. I tried to update an installation environment that depended on azureml-core, and when trying to install it using pipenv update, the tool could not find a stable set of packages to install. I had to constrain the library to azureml-core==1.22.0 for this update to pass. It seems an incompatibility regression of packages has been introduced in version 1.23.0. From the error message I received from pipenv, it was caused by the cryptography package.

EDIT: This is the pipenv message with incompatible packages: cryptography!=1.9,!=2.0.*,!=2.1.*,!=2.2.*,<4,<4.0.0,<=3.2,>=0.6,>=1.1.0,>=2.0,>=2.1.4,>=3.2,>=3.3.1. The requirement <=3.2 is new from version 1.23.0, apparently.

I report this encountered issue here since I could not find a better location. Let me know if I should redirect this issue somewhere else.
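The combined constraint quoted in the pipenv message can be reduced to its tightest lower and upper bound to show which two requirements make resolution impossible. The following is an added example, not part of the original post and not pipenv's own resolver; `release` and `find_conflict` are hypothetical helper names, and only plain numeric versions are handled, not full PEP 440.

```python
import re

# Combined constraint exactly as quoted in the pipenv message above.
PIPENV_SPEC = ("!=1.9,!=2.0.*,!=2.1.*,!=2.2.*,<4,<4.0.0,<=3.2,"
               ">=0.6,>=1.1.0,>=2.0,>=2.1.4,>=3.2,>=3.3.1")

CLAUSE = re.compile(r"(<=|>=|!=|<|>)(\d+(?:\.\d+)*)(\.\*)?")

def release(text, width=4):
    """'3.2' -> (3, 2, 0, 0), so that 3.2 and 3.2.0 compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (width - len(parts))

def find_conflict(spec):
    """Return the (lower, upper) clause pair that cannot both hold, else None.

    Only bound conflicts are detected: != exclusions are skipped because they
    cannot move a bound, and operators such as == or ~= are rejected.
    """
    lower = upper = None  # tightest bound so far: (version, strict, clause)
    for clause in (c.strip() for c in spec.split(",")):
        m = CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, ver, wildcard = m.groups()
        if op == "!=":
            continue
        if wildcard:
            raise ValueError(f"wildcard not valid with {op!r}: {clause!r}")
        bound = (release(ver), op in ("<", ">"), clause)
        if op[0] == ">":
            # Higher version is tighter; at a tie, strict '>' beats '>='.
            if lower is None or bound[:2] > lower[:2]:
                lower = bound
        else:
            # Lower version is tighter; at a tie, strict '<' beats '<='.
            if upper is None or (bound[0], not bound[1]) < (upper[0], not upper[1]):
                upper = bound
    if lower and upper:
        if lower[0] > upper[0] or (lower[0] == upper[0] and (lower[1] or upper[1])):
            return lower[2], upper[2]
    return None

if __name__ == "__main__":
    print(find_conflict(PIPENV_SPEC))
```
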

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 3
  • Comments: 23 (4 by maintainers)

Most upvoted comments

This issue has cropped up again after the latest release of pyOpenSSL 22.1.0, Sept 25th. pyOpenSSL is pulling cryptography 38.0.x whereas azureml-core is expecting it to be v37.0.x.

Thank you! I have unpinned the package and everything updated correctly. Cryptography updated to latest version. Will now close.

Very good point to switch from referencing the metapackage, though it won’t solve the issue. azureml-core is the one that brings the cryptography dependency. Upper bounding that dependency going forward is very unlikely, as many versions of cryptography have vulnerabilities and AzureML will be forced eventually to update the range. Pinning shouldn’t even happen with this release as the AzureML SDK does not directly depend on it; I believe that was temporarily done to mitigate an ongoing issue.

Thank you needuv for the suggestions. We will stay on version 1.22.0 for the time being as this is sufficient atm. In future azureml versions we will check if cryptography <=3.2 is still required (before the update we had version 3.4.6), and we will update when the issue is resolved.

We cannot switch to conda. Adding an extra dependency mitigates the issue, and we would consider adding it if the upper bound requirement remains in future azureml versions.

May I inquire if cryptography<=3.2 is going to persist in future versions of azureml?

I tried to look at the dependency graph. I found that pyopenssl, version 20.0.1, requires cryptography>=3.2. pyopenssl is a direct dependency of azureml-core.

These are two dependency lines with azureml-core version 1.22.0:

    pyopenssl [required: <21.0.0, installed: 20.0.1]
    cryptography [required: >=3.2, installed: 3.4.6]