Conversation

@thorsten-klein
Contributor

@thorsten-klein thorsten-klein commented Nov 28, 2025

Follow-up of #4501.

It is not recommended by the Python Packaging User Guide to pin dependencies. Instead, use version ranges or minimum/maximum versions wherever possible.

Why?

With zephyr 4.3.0 I get a conflict:

The conflict is caused by:
    The user requested setuptools==70.2.0
    The user requested setuptools==70.2.0
    codechecker 6.26.2 depends on setuptools==70.2.0
    hidapi 0.14.0.post4 depends on setuptools>=19.0
    setuptools-scm 8.1.0 depends on setuptools
    spsdk 3.4.0 depends on setuptools<81 and >75

@thorsten-klein thorsten-klein marked this pull request as draft December 1, 2025 12:33
@thorsten-klein thorsten-klein force-pushed the do-not-pin-versions branch 3 times, most recently from 7e361b3 to 39d6161 Compare December 1, 2025 14:59
@thorsten-klein
Contributor Author

thorsten-klein commented Dec 1, 2025

@bruntib Can you please support?
I have made only minimal changes (replaced a few == with <=) and the CI is already failing ...

UPDATE: The failing build also fails on the main branch, so I’ve temporarily disabled it.
I’ve replaced all == version pins with <= to allow more flexible dependency resolution.

Unfortunately, some of codechecker's python dependencies are quite outdated. As a result, users installing with
pip install -r zephyr/requirements.txt -r codechecker/requirements.txt
are still ending up with those older versions.

$ curl -s https://pypi.org/pypi/codechecker/6.26.2/json | jq '.info.requires_dist'
[
  "sqlalchemy==1.4.54",
  "sarif-tools==3.0.4",
  "types-PyYAML==6.0.12.12",
  "Authlib==1.3.1",
  "psutil==5.9.8",
  "portalocker==3.1.1",
  "gitpython==3.1.41",
  "thrift==0.22.0",
  "PyYAML==6.0.1",
  "requests==2.32.4",
  "alembic==1.5.5",
  "multiprocess==0.70.15",
  "lxml==5.3.0",
  "setuptools==70.2.0"
]

Would you maybe have some time to update and integrate the newer pip dependencies when possible?

@thorsten-klein thorsten-klein force-pushed the do-not-pin-versions branch 2 times, most recently from f24181a to 1b0c655 Compare December 2, 2025 08:46
@thorsten-klein
Contributor Author

I checked that the issue is resolved as follows (using nodejs v25.2.0):

$ export NODE_OPTIONS="--localstorage-file=/tmp/localstorage.json"
$ make dist
$ python3 -m venv .venv
$ source .venv/bin/activate
$ pip3 install dist/codechecker-*.tar.gz -r /path/to/zephyr/scripts/requirements.txt

I can verify that this works and e.g. setuptools is in a newer version:

$ pip freeze --all | grep setuptools==
setuptools==80.9.0

It is not recommended by the Python Packaging User Guide to pin
dependencies. Instead, use minimum or maximum versions wherever
possible.

Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Signed-off-by: Thorsten Klein <thorsten.klein@bshg.com>
analyzer/tools/merge_clang_extdef_mappings/requirements_py/dev/requirements.txt
analyzer/tools/statistics_collector/requirements_py/dev/requirements.txt

@thorsten-klein
Contributor Author

@bruntib @vodorok Any updates when this will be merged, so that it is available in next release?

@thorsten-klein
Contributor Author

thorsten-klein commented Dec 19, 2025

If anybody else is stumbling across this: We have worked around this issue by switching to uv pip install, which supports an --overrides overrides.txt argument to relax pinned versions.

The overrides.txt contains the same as done in this PR:

alembic<2
Authlib<2
gitpython<4
lxml<6
multiprocess<0.71
portalocker<4
psutil<8
PyYAML<7
requests<3
sarif-tools<4
setuptools<81
sqlalchemy<2
thrift<0.23
types-PyYAML<7
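
The script below is an added example, not code from CodeChecker, zephyr or uv. It reproduces the mechanism behind the conflict shown in the first two comments (an exact `==` pin in one requirement source that falls outside a range required by another) and then models the override step from the comment above, so both passages are covered by one block. The requirement lines are constructed inputs modelled on the thread, not copied from the real files; version comparison is a simplified dotted-integer compare rather than full PEP 440; and the override semantics are my reading of uv's documented `--overrides` behaviour (the override clause replaces every requirement for that package, unlike a constraint, which only adds clauses).

```python
"""Added example: detect exact-pin conflicts across requirement sources and
show how an overrides file resolves them.  Standard library only."""
import re
from collections import defaultdict

Spec = tuple[str, str]  # (operator, version string)

# Constructed inputs modelled on the thread (not copied from real files):
# who requires what, as a resolver sees it when both requirement files are installed.
SOURCES = {
    "user requirements.txt": ["setuptools==70.2.0"],
    "codechecker 6.26.2": ["setuptools==70.2.0", "PyYAML==6.0.1", "requests==2.32.4"],
    "hidapi 0.14.0.post4": ["setuptools>=19.0"],
    "spsdk 3.4.0": ["setuptools<81,>75", "PyYAML<7,>=5.4"],
}
# Hypothetical overrides.txt in the style of the one posted above.
OVERRIDES = ["setuptools<81", "PyYAML<7"]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"^(===|==|!=|<=|>=|<|>|~=)\s*([0-9][0-9A-Za-z.]*)$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so PyYAML and pyyaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple[int, ...]:
    """Simplified version key: the leading integer of each dotted part, stopping at
    the first non-numeric part (0.14.0.post4 -> (0, 14, 0)).  Not full PEP 440."""
    parts = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _padded(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: str, op: str, target: str) -> bool:
    """Evaluate one specifier clause against a concrete version."""
    v, t = _padded(parse_version(version), parse_version(target))
    if op in ("==", "==="):
        return v == t
    if op == "!=":
        return v != t
    if op == "<":
        return v < t
    if op == "<=":
        return v <= t
    if op == ">":
        return v > t
    if op == ">=":
        return v >= t
    if op == "~=":  # compatible release: >= target, same prefix up to the last given part
        prefix_len = len(parse_version(target)) - 1
        return v >= t and v[:prefix_len] == t[:prefix_len]
    raise ValueError(f"unknown operator {op!r}")


def parse_requirement(line: str) -> tuple[str, list[Spec]]:
    """Split 'Name<81,>75' into a normalised name and its specifier clauses."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse requirement {line!r}")
    name, spec_text = m.groups()
    specs = []
    for clause in filter(None, (c.strip() for c in spec_text.split(","))):
        sm = _SPEC_RE.match(clause)
        if not sm:
            raise ValueError(f"cannot parse specifier {clause!r} in {line!r}")
        specs.append((sm.group(1), sm.group(2)))
    return normalize(name), specs


def collect(sources: dict[str, list[str]]) -> dict[str, list[tuple[str, Spec]]]:
    """Map normalised package name -> [(source, (op, version)), ...]."""
    table: dict[str, list[tuple[str, Spec]]] = defaultdict(list)
    for source, lines in sources.items():
        for line in lines:
            name, specs = parse_requirement(line)
            for spec in specs:
                table[name].append((source, spec))
    return table


def find_conflicts(sources: dict[str, list[str]]) -> dict[str, list[str]]:
    """For every exact pin, check it against every other clause for the same package.
    A pin that violates another source's range is the situation pip reported above."""
    conflicts: dict[str, list[str]] = defaultdict(list)
    for name, entries in collect(sources).items():
        pins = [(src, ver) for src, (op, ver) in entries if op in ("==", "===")]
        for pin_src, pinned in pins:
            for src, (op, target) in entries:
                if src != pin_src and not satisfies(pinned, op, target):
                    conflicts[name].append(
                        f"{pin_src} pins {name}=={pinned} but {src} requires {name}{op}{target}")
    return dict(conflicts)


def apply_overrides(sources: dict[str, list[str]], overrides: list[str]) -> dict[str, list[str]]:
    """Model override semantics (assumption: my reading of uv --overrides): every
    requirement for an overridden package, from any source, is replaced by the
    override clause.  A constraint would only add a clause and could never unpin."""
    replaced = {parse_requirement(o)[0]: o for o in overrides}
    return {src: [replaced.get(parse_requirement(line)[0], line) for line in lines]
            for src, lines in sources.items()}


def main() -> None:
    for name, messages in find_conflicts(SOURCES).items():
        print(f"conflict on {name}:")
        for msg in messages:
            print("   ", msg)
    print("conflicts after overrides:", find_conflicts(apply_overrides(SOURCES, OVERRIDES)) or "none")


if __name__ == "__main__":
    main()
```

Running it reports the setuptools pin from both the user file and codechecker as incompatible with spsdk's `>75`, and no conflicts once the overrides are applied; a `--constraint` file carrying the same lines would not have that effect, since `setuptools==70.2.0` would still be present alongside `setuptools<81`.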

@bruntib
Contributor

bruntib commented Jan 5, 2026

Hi @thorsten-klein,

Sorry for being this slow with this PR. We didn't want to change dependency versions in the last release at the end of the year, but it is clear that a better upgrade procedure is necessary due to these conflict issues. So, thank you for the improvement, I'll merge it.

Also, I'm working on upgrading further dependencies, and pinning the major version only. I believe the ~= syntax indicates the required version more visibly. I'm a little worried, though, about getting random errors at independent PRs that fail due to an automatic version upgrade, but let's see how it works. This is the way... :)
And thank you for your efforts @pdgendt in the previous PR related to this issue, I'm sorry that we couldn't progress with that one, either.

@bruntib bruntib merged commit 7b89545 into Ericsson:master Jan 5, 2026
8 of 9 checks passed