Pin Flask and rdflib major/minor versions

[juhoinkinen]

Currently Flask and rdflib are loosely pinned in pyproject.toml:

flask = ">=1.0.4,<3"
...
rdflib = ">=4.2,<7.0"

I meant to pin all major/minor versions of all non-dev dependencies as suggested in #683, but missed these two.

Lets do it for the next release, however wait for connexion 3 release, as the current connexion version 2.14 dependens on not-latests Flask version.

[juhoinkinen]

Also the versions of system packages for Voikko in the Docker image could be pinned. Current ones are the following:

docker run -it quay.io/natlibfi/annif:apt-upgrade apt-cache policy libvoikko1 voikko-fi
libvoikko1:
  Installed: 4.3-1+b1
  Candidate: 4.3-1+b1
  Version table:
 *** 4.3-1+b1 100
        100 /var/lib/dpkg/status
voikko-fi:
  Installed: 2.4-1
  Candidate: 2.4-1
  Version table:
 *** 2.4-1 100
        100 /var/lib/dpkg/status

[juhoinkinen]

In branch update-dependencies-v1.0 Flask is pinned to 2.2.* instead of newer 2.3.* due to the requirement by Connexion v2.14.2.

Changing pinning of rdflib from >=4.2,<7.0.* to 6.0.* actually downgrades rdflib and urllib3:

(annif-py3.8) jmminkin@lx8-9811-008:/home/local/jmminkin/git/Annif$ poetry update
Updating dependencies
Resolving dependencies... (8.6s)

Package operations: 0 installs, 2 updates, 0 removals

  • Updating urllib3 (2.0.4 -> 1.26.16)
  • Updating rdflib (6.3.2 -> 6.0.2)

Which is strange. I think it is better to not touch this line, to avoid the downgrades.

(Updating rdflib to 7.* is blocked by the requirement by stwfsapy.)

[osma]

How about pinning rdflib to 6.3.* instead? That would match the currently used version (6.3.2).

[juhoinkinen]

How about pinning rdflib to 6.3.* instead? That would match the currently used version (6.3.2).

Yes, that is the right pinning ofcourse. And using it does not downgrade urllib3.

[juhoinkinen]

Also the versions of system packages for Voikko in the Docker image could be pinned. Current ones are the following:

docker run -it quay.io/natlibfi/annif:apt-upgrade apt-cache policy libvoikko1 voikko-fi
libvoikko1:
  Installed: 4.3-1+b1
  Candidate: 4.3-1+b1
  Version table:
 *** 4.3-1+b1 100
        100 /var/lib/dpkg/status
voikko-fi:
  Installed: 2.4-1
  Candidate: 2.4-1
  Version table:
 *** 2.4-1 100
        100 /var/lib/dpkg/status

@osma Any opinion on pinning the system packages? Some Debian versions use different voikko package versions / version numbers:

• https://packages.debian.org/bookworm/libvoikko1
• https://packages.debian.org/bookworm/voikko-fi

Now I think pinning system packages is not necessary.

[osma]

Any opinion on pinning the system packages? Some Debian versions use different voikko package versions / version numbers

In my understanding, choosing a specific Debian stable release (e.g. bookworm) in practice pins the voikko/libvoikko versions into a very narrow range. Only serious bugs will be fixed by Debian, and if that happens, we probably want to upgrade to the updated versions. So I don't think pinning on that level is necessary.