SK-2872: Public Release - Clean up and upgrade SDK production dependencies#267

Merged: saileshwar-skyflow merged 2 commits into main from release/26.6.0 on Jun 12, 2026
Conversation

@saileshwar-skyflow

Collaborator

Why

  • Unused deps shipped to consumers: 4 packages in install_requires were never imported in skyflow/ source — every pip install skyflow was pulling them in unnecessarily
  • Unpinned deps: cryptography, httpx, coverage, codespell, ruff had no version constraints, meaning any version including breaking or vulnerable ones could silently install
  • Consumer conflicts: requests ~= 2.32.3 used compatible-release operator which locks to 2.32.x — same pattern that caused dependency conflicts for existing customers. Loosened to floor-only >= 2.28.0

Goal

  • pip install skyflow resolves with a clean minimal set of runtime deps that don't conflict with consumers' existing environments
  • All deps have explicit minimum floors so no silent version drift
  • requirements.txt mirrors setup.py install_requires exactly

Changes

Removed from install_requires (4 deps)

| Package | Reason |
| --- | --- |
| python_dateutil | Not imported anywhere in skyflow/ |
| setuptools | Build tool only; used in setup.py itself, not at runtime |
| urllib3 | Not directly imported; pulled in transitively by requests |
| DateTime | Zope legacy package, not imported anywhere in skyflow/ |

Updated constraints

| Package | Old | New | Reason |
| --- | --- | --- | --- |
| pydantic | >= 2 | >= 2.0.0 | Fern generator minimum is >= 1.9.2 but floor set to >= 2.0.0 — SDK uses pydantic v2 API throughout, v1.x would cause import errors |
| pydantic-core | (transitive) | >= 2.18.2 | Fern generator minimum; transitive via pydantic, pinned explicitly for clarity |
| typing-extensions | >= 4.7.1 | >= 4.0.0 | Fern generator minimum |
| httpx | (unpinned) | >= 0.21.2 | Fern generator minimum |
| PyJWT | >= 2.12, < 3 | >= 2.12, < 3 | CVE-2026-32597 floor — intentional, kept |
| requests | ~= 2.32.3 | >= 2.28.0 | Floor-only; removes minor-version lock that caused consumer conflicts |
| cryptography | (unpinned) | >= 44.0.2 | Security baseline pin |
| python-dotenv | >= 1.0, < 2 | >= 1.1.0, < 2 | Bumped floor to current stable |

Dev extras updated

| Package | Old | New |
| --- | --- | --- |
| codespell | (unpinned) | >= 2.4.1 |
| ruff | (unpinned) | >= 0.9.0 |
| pre-commit | not listed | >= 4.3.0 |

Testing

  • Full local test suite: 615 passed, 0 failed
  • All constraints use >= (floor-only) as required for a published SDK — consumers can resolve alongside their own dependency graphs without conflicts
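Two checks that follow from the Goal section, as an added Python example that is not part of this PR or of the Skyflow SDK: a small specifier evaluator showing why `~= 2.32.3` locks a consumer to 2.32.x while a floor-only `>= 2.28.0` does not, and a mirror check between `install_requires` and `requirements.txt` that also flags entries with no minimum floor. The requirement lists below are constructed from the tables above (not the real files), and the evaluator handles only plain numeric versions, which is an assumption rather than full PEP 440.

```python
import re

# Constructed sample inputs mirroring the "New" column of the tables above
# (not the SDK's real setup.py / requirements.txt).
SETUP_INSTALL_REQUIRES = [
    "pydantic>=2.0.0", "pydantic-core>=2.18.2", "typing-extensions>=4.0.0",
    "httpx>=0.21.2", "PyJWT>=2.12,<3", "requests>=2.28.0",
    "cryptography>=44.0.2", "python-dotenv>=1.1.0,<2",
]
REQUIREMENTS_TXT = """\
# constructed requirements.txt; should mirror install_requires exactly
pydantic>=2.0.0
pydantic-core>=2.18.2
typing-extensions>=4.0.0
httpx>=0.21.2
PyJWT>=2.12,<3
requests>=2.28.0
cryptography>=44.0.2
python-dotenv>=1.1.0,<2
"""

def parse_requirement(line):
    """Split 'Name >= 1.0, < 2' into a PEP 503-normalised name and sorted specifiers."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)(.*)", line)
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    specs = tuple(sorted(s.replace(" ", "") for s in m.group(2).split(",") if s.strip()))
    return name, specs

def _vt(version):
    return tuple(int(p) for p in version.split("."))

def allows(specs, version):
    """Evaluate a specifier set against a plain numeric version.
    Subset of PEP 440 (assumption): >=, >, <=, <, ==, ~=; no pre-releases,
    wildcards, or zero-padding of trailing components."""
    v = _vt(version)
    for spec in specs:
        op, target = re.match(r"(>=|<=|==|~=|>|<)(.+)", spec).groups()
        t = _vt(target)
        ok = {">=": v >= t, ">": v > t, "<=": v <= t, "<": v < t, "==": v == t,
              # ~=X.Y.Z is shorthand for >=X.Y.Z,==X.Y.*: only the last component may move
              "~=": v >= t and v[:len(t) - 1] == t[:-1]}[op]
        if not ok:
            return False
    return True

def has_floor(specs):
    """An explicit minimum (>=, ==, ~=) is what prevents silent version drift."""
    return any(s.startswith((">=", "==", "~=")) for s in specs)

def mismatches(install_requires, requirements_txt):
    """Entries present in only one source, or present in both with different specifiers."""
    a = dict(parse_requirement(l) for l in install_requires)
    b = dict(parse_requirement(l) for l in requirements_txt.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return sorted(set(a.items()) ^ set(b.items()))

def unpinned(install_requires):
    return sorted(n for n, s in map(parse_requirement, install_requires) if not has_floor(s))
```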

@saileshwar-skyflow saileshwar-skyflow merged commit 800cee3 into main Jun 12, 2026
8 checks passed
3 participants