Incorrect upper bound prevents use of Django 4.1.1+

[adamchainz]

Describe the bug

setup.cfg constrains the maximum Django version:

install_requires =
	django >= 2.2, <= 4.1

With this upper bound it disallows today's Django 4.1.1 bugfix release, and later security releases to come.

Upper bound version constraints are highly discouraged by many - see this blog post. They introduce unnecessary slowness and blocking into the softwawre ecosystem.

I recommend dropping the upper bound entirely.

To Reproduce

$ pip install django==4.1.1 django-oauth-toolkit==2.1.0
...
ERROR: Cannot install django-oauth-toolkit==2.1.0 and django==4.1.1 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested django==4.1.1
    django-oauth-toolkit 2.1.0 depends on django<=4.1 and >=2.2

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

Expected behavior

Allow upgrades of Django

Version
2.1.0

• I have tested with the latest published release and it's still a problem.
• I have tested with the master branch and it's still a problem.

Additional context
n/a

[n2ygk]

@adamchainz Django doesn't use the major version for breaking changes; minor versions can also have breaking changes (e.g. 3.1->3.2) so we've been conservative and made sure not to claim compatibility with a release prior to confirming it hasn't broken anything. I would be OK with a comparison with an upper bound of django-4.2 but not leave it open-ended. Also, the tox test would need to be updated to include dj41. If you look at the djmain tox test results associated with your PR you will see that they are currently failing with py310-djmain: ignored failed command.

[adamchainz]

I didn't spot that you haven't got tox configuration for Django 4.1. When I saw <= 4.1, it looked like 4.1 was supported, but a mistake had been made that excluded patch versions. I will update my PR to change the tox configuration.

I would urge you to reconsider your position on upper bounds. The linked post is massive but it does expose the issues with using them. After I read it, I dropped the upper bounds on all my open source packages.

I understnad that you may have some incompatiblities with Django 4.2 as it stands, but that doesn't mean you need to block users in the future trying to upgrade. It's their responsibility to check for compatibility, and often incompatibilities are limited and affect small numbers of users.

[n2ygk]

Sorry but I just don't buy the open-endedness given we have a current example of the code failing with djmain. And TL;DR for any blog post that can't make a case in 100 words :-)

[adamchainz]

It has a TL;DR section: https://iscinumpy.dev/post/bound-version-constraints/#tldr

Anyway I respect your decision, will you be able to adjust my PR to use "< 4.2" and do a release? The issue still remains that the latest version of the package blocks users upgrading from 4.1 to 4.1.1.

[adamchainz]

Oh, you merged it, thanks! 😀

[valberg]

@n2ygk Is there something I can do to help get a release out with this? django-oauth-toolkit is the only thing standing in the way of us upgrading to newer django > 4.1.0.

[n2ygk]

@n2ygk Is there something I can do to help get a release out with this? django-oauth-toolkit is the only thing standing in the way of us upgrading to newer django > 4.1.0.

Yes! Please create a release MR and assign to me to review.

See https://github.com/jazzband/django-oauth-toolkit/blob/master/README.rst and https://github.com/jazzband/django-oauth-toolkit/blob/master/docs/contributing.rst#maintainer-checklist