feat: relax outdated dependency constraints for gcloud and mock#3420
Open
hiro-o918 wants to merge 2 commits intospotify:masterfrom
Open
feat: relax outdated dependency constraints for gcloud and mock#3420hiro-o918 wants to merge 2 commits intospotify:masterfrom
hiro-o918 wants to merge 2 commits intospotify:masterfrom
Conversation
- gcloud group: - google-api-python-client: >=1.6.6,<2.0 -> >=2.0 - google-auth: ==1.4.1 -> >=2.0 - google-auth-httplib2: ==0.0.3 -> >=0.2 - add httplib2>=0.22 (used directly by luigi.contrib.bigquery and gcs) - common and visualizer groups: - mock: <2.0 -> unconstrained (the <2.0 cap dates back to Python 2 era) Pin-style constraints like google-auth==1.4.1 (2018) blocked security updates and made dependency resolution unnecessarily strict for downstream users. Upper bounds are dropped following the recommendation that libraries should avoid them; CI will catch breaking changes when they happen. Signed-off-by: Hironori Yamamoto <mr.nikoru918@gmail.com>
`sts_mock.client.assume_role.called_with(...)` was a no-op:
- `.client` is a child mock that was never set up by the patch
- `called_with` (without `assert_` prefix) is just an attribute access, not an assertion
The correct call site is `boto3.client("sts")` so the patched mock should be
asserted via `sts_mock.return_value.assume_role.assert_called_with(...)`.
This bug was previously hidden by `mock<2.0` which silently accepted
arbitrary attribute access. With `mock>=2.0` the unsafe attribute name
is detected and raises AttributeError.
Signed-off-by: Hironori Yamamoto <mr.nikoru918@gmail.com>
dlstadther
reviewed
Apr 17, 2026
Comment on lines
+109
to
+112
| "google-api-python-client>=2.0", | ||
| "google-auth>=2.0", | ||
| "google-auth-httplib2>=0.2", | ||
| "httplib2>=0.22", |
Collaborator
There was a problem hiding this comment.
I do worry that by these not defining upper bounds that major releases will be allowed through and break things without warning. However, it would be limited only to users installing luigi[gcloud].
Would you be opposed to setting upper bounds on major version here?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Relax outdated version constraints in
pyproject.toml.google-api-python-client>=1.6.6,<2.0>=2.0google-auth==1.4.1>=2.0google-auth-httplib2==0.0.3>=0.2httplib2>=0.22(added; used directly inbigquery.py/gcs.py)mock<2.0Pins like
google-auth==1.4.1(2018) andmock<2.0blocked security updates and constrained downstream resolution. Upper bounds dropped — luigi is a library and CI will catch regressions.Also fixes a latent test bug in
test/contrib/s3_test.pythat was masked bymock<2.0:called_with(withoutassert_prefix) is a no-op attribute access, andsts_mock.client.assume_rolereferenced the wrong child mock. Withmock>=2.0this is detected and raisesAttributeError.