
Dependency hampers updates for grpcio, opentelemetry, and other common libraries #508

@skew202


Environment:

  • fal version: 1.15.1
  • Python version: 3.12.x
  • Dependency Manager: Poetry

Summary:
We are encountering significant challenges in keeping our project dependencies up-to-date due to strict version pinning by fal==1.15.1. This primarily affects grpcio and the OpenTelemetry suite, but also has cascading effects on numerous other common libraries, preventing them from being updated to their latest available versions.

Details:

The core issue seems to stem from fal's specific version requirements for some of its key dependencies. While we understand the need for stability, the current pinning is overly restrictive and creates a difficult environment for managing a larger project with many other dependencies.

1. grpcio Pinning:
fal==1.15.1 requires grpcio==1.64.0. This prevents updating grpcio to newer versions (e.g., 1.71.0). grpcio is a fundamental library, and being unable to update it can block updates for other packages that require newer grpcio versions or lead to unresolved transitive dependency conflicts.

2. OpenTelemetry Suite Pinning:
fal's requirements (possibly linked to its grpcio pin or direct OpenTelemetry dependencies) seem to lock down the OpenTelemetry suite to older versions:

  • Core libraries like opentelemetry-api, opentelemetry-sdk, and exporters are stuck around ~1.23.0 (latest available is ~1.33.0).
  • Instrumentation packages and opentelemetry-semantic-conventions are stuck around ~0.44b0 (latest available is ~0.54b0).

This prevents leveraging the latest features, bug fixes, and security patches in the OpenTelemetry ecosystem. It also causes conflicts when other dependencies require newer OpenTelemetry versions. For example:

  • Attempting to update opentelemetry-api to ^1.33.0 fails due to opentelemetry-semantic-conventions (^0.44b0) requirements.
  • protobuf is pinned to <5.0 by opentelemetry-exporter-prometheus-remote-write 0.44b0, preventing protobuf updates to versions like 6.31.0.
  • importlib-metadata is pinned to <7.0 by opentelemetry-api 1.23.0, preventing updates to ^8.7.0.

3. Direct Pinning of Other Common Libraries by fal:
Beyond grpcio and OpenTelemetry, fal==1.15.1 directly pins several other widely-used libraries to specific, often older, versions, preventing their updates:

  • cloudpickle: Pinned to 3.0.0 (cannot update to 3.1.1)
  • dill: Pinned to 0.3.7 (cannot update to 0.4.0)
  • pillow: Pinned to >=10.2.0,<11 (cannot update to 11.2.1)
  • portalocker: Pinned to >=2.7.0,<3 (cannot update to 3.1.1)
  • rich: Pinned to >=13.3.2,<14 (cannot update to 14.0.0)
  • structlog: Pinned to >=22.3.0,<23 (cannot update to 25.3.0)

Impact:
These restrictive pins by fal result in a large number of our project's dependencies being held back from their latest stable versions. This not only prevents access to new features and improvements but also poses potential risks if security vulnerabilities are fixed in newer versions that we cannot adopt. Managing dependency conflicts becomes exceedingly complex.

As an illustration, after updating all possible dependencies, our poetry show --outdated still lists numerous packages held back primarily due to these pinning issues (see list below).

Request:
We kindly request the fal maintainers to review these dependency constraints. Would it be possible to:

  1. Widen the allowed version ranges for grpcio?
  2. Update fal's OpenTelemetry dependencies to more recent versions, or at least allow for a wider range of compatible OTel versions?
  3. Relax the pinning for other common libraries like cloudpickle, dill, pillow, portalocker, rich, and structlog to allow for more flexibility?

We believe that addressing these pinning issues would significantly improve the developer experience for fal users and allow for better integration within broader Python ecosystems.

List of Persistently Outdated Packages (illustrative due to fal pinning):

boto3                                          1.37.3 1.38.16 
botocore                                       1.37.3 1.38.16
cloudpickle                                    3.0.0  3.1.1
dill                                           0.3.7  0.4.0 
grpcio                                         1.64.0 1.71.0
importlib-metadata                             6.11.0 8.7.0
marshmallow                                    3.26.1 4.0.0
opentelemetry-api                              1.23.0 1.33.0
opentelemetry-distro                           0.44b0 0.54b0
opentelemetry-exporter-otlp                    1.23.0 1.33.0
opentelemetry-exporter-otlp-proto-common       1.23.0 1.33.0
opentelemetry-exporter-otlp-proto-grpc         1.23.0 1.33.0
opentelemetry-exporter-otlp-proto-http         1.23.0 1.33.0
opentelemetry-exporter-prometheus-remote-write 0.44b0 0.54b0
opentelemetry-instrumentation                  0.44b0 0.54b0
opentelemetry-instrumentation-aio-pika         0.44b0 0.54b0
opentelemetry-instrumentation-asgi             0.44b0 0.54b0
opentelemetry-instrumentation-celery           0.44b0 0.54b0
opentelemetry-instrumentation-fastapi          0.44b0 0.54b0
opentelemetry-instrumentation-httpx            0.44b0 0.54b0
opentelemetry-instrumentation-logging          0.44b0 0.54b0
opentelemetry-instrumentation-requests         0.44b0 0.54b0
opentelemetry-instrumentation-sqlalchemy       0.44b0 0.54b0
opentelemetry-proto                            1.23.0 1.33.0
opentelemetry-sdk                              1.23.0 1.33.0
opentelemetry-semantic-conventions             0.44b0 0.54b0
opentelemetry-util-http                        0.44b0 0.54b0
packaging                                      24.2   25.0  
pillow                                         10.4.0 11.2.1
portalocker                                    2.10.1 3.1.1 
protobuf                                       4.25.6 6.31.0
pydantic                                       2.10.6 2.11.4
pydantic-core                                  2.27.2 2.34.1
rich                                           13.9.4 14.0.0
s3transfer                                     0.11.3 0.12.0
structlog                                      22.3.0 25.3.0
websockets                                     12.0   15.0.1

Thank you for your consideration.
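
An added example, not part of the original issue or of fal's code: a standard-library Python audit that takes the pins reported above and a few rows of the `poetry show --outdated` listing, then reports how far behind each package is and whether one of the listed fal pins excludes its latest release. The function names and the simplified version handling (numeric release segment only; `==`, `>=` and `<` clauses only) are assumptions of this example.

```python
import re

# Pins the issue reports for fal==1.15.1 (copied from the post).
FAL_PINS = {
    "grpcio": "==1.64.0", "cloudpickle": "==3.0.0", "dill": "==0.3.7",
    "pillow": ">=10.2.0,<11", "portalocker": ">=2.7.0,<3",
    "rich": ">=13.3.2,<14", "structlog": ">=22.3.0,<23",
}
# Rows taken from the `poetry show --outdated` listing in the post.
OUTDATED = """\
cloudpickle       3.0.0  3.1.1
grpcio            1.64.0 1.71.0
pillow            10.4.0 11.2.1
protobuf          4.25.6 6.31.0
opentelemetry-sdk 1.23.0 1.33.0
"""
OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b}

def release(version, width=3):
    """Numeric release segment, zero-padded; tags like 'b0' are ignored (simplification)."""
    nums = [int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group().split(".")]
    return tuple(nums + [0] * (width - len(nums)))

def satisfies(version, spec):
    """True if version meets every comma-separated clause (==, >=, < only)."""
    for clause in spec.split(","):
        op, bound = re.match(r"\s*(==|>=|<)\s*(\S+)", clause).groups()
        if not OPS[op](release(version), release(bound)):
            return False
    return True

def drift(current, latest):
    """First release component that differs: major, minor, patch or none."""
    pairs = zip(("major", "minor", "patch"), release(current), release(latest))
    return next((label for label, a, b in pairs if a != b), "none")

def audit(listing, pins):
    """Map each outdated package to (drift, pin that excludes latest or None)."""
    report = {}
    for name, current, latest in (l.split() for l in listing.splitlines() if l.strip()):
        pin = pins.get(name)
        blocked = pin if pin and not satisfies(latest, pin) else None
        report[name] = (drift(current, latest), blocked)
    return report

if __name__ == "__main__":
    for name, (gap, pin) in audit(OUTDATED, FAL_PINS).items():
        print(f"{name:18} {gap:6} {'excluded by fal pin ' + pin if pin else 'no fal pin listed'}")
```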
