Pin to click<8.2.0, pin pypiserver based on the Python version

[jtpio]

Temporary workaround for #606

Maybe we need to fix our usage of click, or maybe click will publish a fix for it.

In the meantime we can pin click to unblock repos using the releaser.

[krassowski]

Thank you!

[jtpio]

The click warnings seem to be gone after merging #609, but it now seems to be timing out on the test_cache_storage test:

 [gw1] [ 96%] PASSED tests/test_mock_github.py::test_mock_github 
tests/test_mock_github.py::test_cache_storage 

[jtpio]

As noticed in #610, the job does not complete on 3.13. And with 3.12 we need the click<8.2.0 pin.

[jtpio]

Now we have test_cache_storage passing on windows-latest / 3.13, but timing out on ubuntu-latest and macos-latest

[jtpio]

Running the tests locally hints at the following:

File "/path/to/venv/lib/python3.13/site-packages/pypiserver/bottle.py", line 38, in <module>
    import base64, cgi, email.utils, functools, hmac, itertools, mimetypes,\
            os, re, subprocess, sys, tempfile, threading, time, warnings, hashlib
ModuleNotFoundError: No module named 'cgi'

Because of the exact pin on:

jupyter_releaser/pyproject.toml

Line 35 in 9e9abaf

"pypiserver==2.2.0",

And cgi has been removed in Python 3.13: https://docs.python.org/3/library/cgi.html

[jtpio]

We'll probably hit pypiserver/pypiserver#630 now, let's see what CI says.

[krassowski]

Well, the problem is that this was only manifesting in JupyterLab as it has larger tarballs, so CI status here will not be super helpful.

[jtpio]

Oh well, I guess it now passes because of the new bottle==0.13.3 released April 21, 2025: https://pypi.org/project/bottle/0.13.3/

[krassowski]

I guess we could do pins conditional on Python version? So we pin to 2.2.0 on anything older than 3.13 and allow any version on 3.13 (and it should work for most repos, but not for repos with tarballs the size of lab).

[krassowski]

Ah, right pypiserver/pypiserver#630 is still open but a patch is out. So if it breaks we can now just set PYPISERVER_BOTTLE_MEMFILE_MAX_OVERRIDE_BYTES, perfect!

[krassowski]

I don't think it is tied to bottle releases as pypiserver is vendoring bottle, the patch is pypiserver/pypiserver#636.

Now I wonder, should we set PYPISERVER_BOTTLE_MEMFILE_MAX_OVERRIDE_BYTES to 100 MB to match PyPI?

[jtpio]

I don't think it is tied to bottle releases as pypiserver is vendoring bottle, the patch is pypiserver/pypiserver#636.

But this patch is not yet available in a pypiserver release it seems?

[krassowski]

Yes, It looks like there was no release since it was merged https://pypi.org/project/pypiserver/#history

[jtpio]

So is there anything more to be done for now until a new release is available, apart from pinning on Python versions (aada747)?

[krassowski]

No, I think we can merge :)

[jtpio]

Also https://github.com/jupyter-server/jupyter_releaser/blob/main/.github/workflows/check-release.yml does not seem to be running anymore.

Edit: Looks like it was automatically disabled, so I re-enabled it.