How to Fix Pip “Yanked Version” Warnings

2021-09-20 Are you yanking my chain?

Sometimes pip install will flag a warning saying “The candidate selected for download or install is a yanked version”. For example, if we install attrs version 21.1.0:

$ python -m pip install attrs==21.1.0
Collecting attrs==21.1.0
  ...
WARNING: The candidate selected for download or install is a yanked version: 'attrs' candidate (version 21.1.0 at https://...)
Reason for being yanked: Installable but not importable on Python 3.4.
Installing collected packages: attrs

Why does pip raise this warning, and what can we do about it?

PyPI allows package maintainers to yank a given version. This is intended for removing versions with bad faults, such as security holes or broken installation.

The maintainer could delete the version, but this would break all installations pinned to that version, unleashing chaos. Yanking the version instead marks the version as unsafe, making it somewhat invisible while allowing pinned installs to succeed.

When a maintainer yanks a version, they must provide a reason. This reason then appears in Pip’s warning. For attrs version 21.1.0, we can see it was yanked because it did not work correctly on Python 3.4.

If we install a package without specifying a version, Pip will ignore yanked versions:

$ python -m pip install attrs
...
Successfully installed attrs-21.2.0

And if we specify a version range, Pip will also ignore any yanked versions that would otherwise match:

$ python -m pip install 'attrs<21.2.0'
...
Successfully installed attrs-20.3.0

For more on what yanking means, see PEP 592, the proposal for adding yanking.

To fix a yanked version warning, we need to find an un-yanked version of the package that will work for us. This might mean upgrading, downgrading, or waiting for a new version. Upgrading is the most common course of action, since if a maintainer has yanked a version, they’ve likely released a fix shortly after.

We can check available versions by passing the package name to the pip index versions command:

$ python -m pip index versions attrs
WARNING: pip index is currently an experimental command. It may be removed/changed in a future release without prior warning.
attrs (21.2.0)
Available versions: 21.2.0, 20.3.0, 20.2.0, 20.1.0, 19.3.0, 19.2.0, 19.1.0, 18.2.0, 18.1.0, 17.4.0, 17.3.0, 17.2.0, 17.1.0, 16.3.0, 16.2.0, 16.1.0, 16.0.0, 15.2.0, 15.1.0, 15.0.0
  INSTALLED: 21.2.0
  LATEST:    21.2.0

(This is available from Pip 21.2+. For use on older versions see this post.)

Alternatively, we can check out the package’s page on pypi.org. This is my preference as it has more information, such as the release dates. We can directly form the URL by adding the package name in https://pypi.org/project/<package-name>/, for example for attrs we can visit https://pypi.org/project/attrs/. From there we can see the Release history tab which lists the versions and labels the yanked ones.

For attrs, we can see the next version is not yanked, so let’s install that:

$ python -m pip install attrs==21.2.0
Collecting attrs==21.2.0
  ...
Installing collected packages: attrs
Successfully installed attrs-21.2.0

Super duper!
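
To catch yanked pins before pip warns about them, for instance in CI, the following added example (not from the original post) scans exact == pins against release metadata shaped like PyPI's JSON API at https://pypi.org/pypi/<name>/json. The sample data, the function names, and the rule that a version counts as yanked only when all of its files are marked are assumptions of this example.

```python
import re

# Constructed sample shaped like the "releases" part of PyPI's JSON API
# (https://pypi.org/pypi/<name>/json); filenames are illustrative.
SAMPLE_INDEX = {
    "attrs": {"releases": {
        "21.1.0": [
            {"filename": "attrs-21.1.0-py2.py3-none-any.whl", "yanked": True,
             "yanked_reason": "Installable but not importable on Python 3.4."},
            {"filename": "attrs-21.1.0.tar.gz", "yanked": True,
             "yanked_reason": "Installable but not importable on Python 3.4."},
        ],
        "21.2.0": [
            {"filename": "attrs-21.2.0-py2.py3-none-any.whl", "yanked": False,
             "yanked_reason": None},
        ],
    }},
}

# Constructed requirements file: one yanked pin, one range, one comment.
SAMPLE_REQUIREMENTS = """\
# constructed example
Attrs[tests]==21.1.0 ; python_version >= "3.6"
requests>=2.0
"""

PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def normalize(name):
    """PEP 503 name normalization, so 'Attrs' and 'attrs' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def yanked_pins(requirements_text, index):
    """Return (name, version, reason) for each exact pin whose release is yanked."""
    findings = []
    for line in requirements_text.splitlines():
        match = PIN.match(line)
        if not match:
            continue  # comments, blank lines, ranges: pip skips yanked versions there
        name, version = normalize(match.group(1)), match.group(2)
        files = index.get(name, {}).get("releases", {}).get(version, [])
        # This example treats a version as yanked only when every file is marked.
        if files and all(f.get("yanked") for f in files):
            findings.append((name, version, files[0].get("yanked_reason") or ""))
    return findings

if __name__ == "__main__":
    for name, version, reason in yanked_pins(SAMPLE_REQUIREMENTS, SAMPLE_INDEX):
        print(f"{name}=={version} is yanked: {reason}")
```

Only exact pins are checked because, as shown above, pip already skips yanked versions when resolving unpinned or ranged requirements.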

Fin

May your upgrades be smooth,

—Adam

