Hello,
While upgrading packages in my environment to address security vulnerabilities, I am required to upgrade sagemaker from 2.187.0 to at least 2.238.0.
However, sagemaker-core is now a dependency, and it introduces an incompatibility with my environment:
```
Because sagemaker-core>=1.0.17 depends on mock>4.0,<5.0 and only the following versions of
sagemaker-core are available:
sagemaker-core<=1.0.17
sagemaker-core==1.0.18
...
sagemaker-core==1.0.52
we can conclude that sagemaker-core>=1.0.17 depends on mock>4.0,<5.0.
And because sagemaker==2.238.0 depends on sagemaker-core>=1.0.17, we can conclude that
sagemaker==2.238.0 depends on mock>4.0,<5.0.
And because you require mock==5.1.0 and sagemaker==2.238.0, we can conclude that your
requirements are unsatisfiable.
```
- mock 4.x.x is outdated (last release was in 2020) and contains known compatibility limitations.
- My environment already runs mock==5.1.0 with sagemaker==2.187.0 without any issues.
- The strict <5.0 upper bound in sagemaker-core's pyproject.toml appears unnecessarily restrictive, blocking upgrades for environments that need newer mock versions.
- This constraint prevents security patching for unrelated dependencies because pip fails to resolve versions.
Please consider updating the mock dependency in sagemaker-core to allow mock>=4.0,<6.0 (or a similar upper bound that permits v5.x), assuming no breaking changes are introduced by mock v5.x.
Thank you for considering this request.
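
An added example, not part of the original report or of the project's code: a script that lists which distributions pin a package in a way that rejects a target version, run here on constructed sample data mirroring the constraints quoted above. The function names and the simplified specifier parser are assumptions of this example.

```python
import operator
import re
from importlib import metadata

# Simplification (assumption of this example): only plain numeric release
# versions and the operators below are handled (no pre-releases, wildcards,
# ~= or ===), and environment markers after ';' are ignored.
_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*\(?\s*([^;()]*)")
_CLAUSE = re.compile(r"(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)")

def _norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def _key(version, width=6):
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def admits(spec, version):
    """True if every clause of a specifier such as '>4.0,<5.0' accepts version."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not _OPS[m.group(1)](_key(version), _key(m.group(2))):
            return False
    return True

def blockers(requires_by_dist, package, version):
    """List (distribution, requirement) pairs whose pin on package rejects version."""
    found = []
    for dist, requires in requires_by_dist.items():
        for req in requires:
            m = _REQ.match(req)
            if (m and _norm(m.group(1)) == _norm(package)
                    and not admits(m.group(2), version)):
                found.append((dist, req))
    return found

def installed_requirements():
    """Declared requirements of every distribution in the current environment."""
    return {d.metadata["Name"]: d.requires or [] for d in metadata.distributions()}

# Constructed sample mirroring the constraints quoted in the report above.
SAMPLE = {"sagemaker": ["sagemaker-core>=1.0.17"], "sagemaker-core": ["mock>4.0,<5.0"]}

if __name__ == "__main__":
    print(blockers(SAMPLE, "mock", "5.1.0"))
```

To audit a real environment before a security upgrade, pass `installed_requirements()` instead of `SAMPLE`.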